Malware Analysis Report

2024-10-19 06:53

Sample ID 240130-egsgnagaa9
Target 01a908923cbc76874658c47d432424a0.exe
SHA256 6ba75d8e032bf1a23d50f4426c9f00444bec1b5396f29042a72b652a515b4247
Tags
stealerium zgrat collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ba75d8e032bf1a23d50f4426c9f00444bec1b5396f29042a72b652a515b4247

Threat Level: Known bad

The file 01a908923cbc76874658c47d432424a0.exe was found to be: Known bad.

Malicious Activity Summary

stealerium zgrat collection rat spyware stealer

Stealerium

Detect ZGRat V1

ZGRat

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Executes dropped EXE

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Analysis: static1

Detonation Overview

Reported

2024-01-30 03:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 03:55

Reported

2024-01-30 03:57

Platform

win7-20231215-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (34 rows, all fields N/A)

Stealerium

stealer stealerium

ZGRat

rat zgrat

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\KORID0R.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\KORID0R.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3000 set thread context of 1664 N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Modifies system certificate store

evasion spyware trojan

The three keys touched here sit under AuthRoot and ROOT and are named after the SHA-1 thumbprints of well-known public roots (DAC9024F… is DST Root CA X3, D4DE20D0… is Baltimore CyberTrust Root, CABD2A79… is ISRG Root X1). The one Blob value exported in full below decodes to the Baltimore CyberTrust Root certificate: its UTF-16LE friendly name is readable in the value and the SHA-1 property it carries equals the key name. Together with the fetches from www.microsoft.com, csc3-2004-crl.verisign.com and apps.identrust.com in the Network section and the CabA47B.tmp/TarA4DC.tmp files CryptoAPI leaves behind when it downloads certificate material, this is consistent with Windows filling its root store on demand while validating the sample's own TLS connections (gofile.io, discordapp.com), not with the sample installing a private root for interception. Treat the signature as context for the C2/exfiltration traffic rather than as an independent indicator.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
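
The check a triager wants for a "Modifies system certificate store" hit is whether the Blob written under a thumbprint-named key really is that certificate, and what certificate it is. The script below is an added example, not tooling from the report or the sandbox vendor: it parses the serialized certificate-context format Windows stores in the Blob value (a sequence of DWORD property id, DWORD reserved, DWORD length, data records), pulls out the DER certificate (property 32), the friendly name (property 11) and the stored SHA-1 (property 3), and recomputes the SHA-1 over the DER so the key name cannot simply be trusted. The blob constant is transcribed from the D4DE20D0… row of the table above; the parser is generic and runs on any Blob exported from the registry.

```python
# Added example (not from the sandbox report): decode a certificate-store registry
# "Blob" value and verify what was written. The blob is the one the report shows
# build.exe writing under AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474,
# transcribed from the report; the parser itself works on any exported Blob value.
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3        # property IDs from wincrypt.h
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

KEY_THUMBPRINT = "D4DE20D05E66FC53FE1A50882C78DB2852CAE474"   # registry key name in the report

# X.500 name "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root" (issuer == subject)
_NAME = ("305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b"
         "130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74")
_CERT_DER_HEX = "".join([
    "308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500",  # SEQ, tbs, v3, serial, sha1RSA
    _NAME,                                                                  # issuer
    "301e170d3030303531323138343630305a170d3235303531323233353930305a",     # 2000-05-12 .. 2025-05-12
    _NAME,                                                                  # subject
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100",   # SPKI: rsaEncryption, 2048-bit modulus
    "a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488",
    "da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328ea",
    "f5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813",
    "d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69",
    "bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f078",
    "8d76bffc9e8e5d2a86a74d90dc271a390203010001",                            # ... exponent 65537
    "a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df0",      # subjectKeyIdentifier
    "30120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106",  # basicConstraints, keyUsage
    "300d06092a864886f70d01010505000382010100",                              # signatureAlgorithm, BIT STRING
    "850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d4",
    "6170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07",
    "481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d",
    "9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e",
    "18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1e",
    "b5ee3cd5fce7811d19c32442ea6339a9",
])
REPORT_BLOB = bytes.fromhex("".join([
    "040000000100000010000000acb694a59c17e0d791529bb19706a6e4",             # 4  MD5 hash
    "0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f",     # 15 signature hash
    "0b0000000100000034000000"                                              # 11 friendly name (UTF-16LE)
    "420061006c00740069006d006f0072006500200043007900620065007200540072007500730074002000"
    "52006f006f0074000000",
    "53000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0",  # 83 root-program policies
    "140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0",     # 20 key identifier
    "1d0000000100000010000000918ad43a9475f78bb5243de886d8103c",             # 29 subject-name MD5
    "09000000010000000c000000300a06082b06010505070301",                     # 9  EKU: serverAuth
    "030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474",     # 3  SHA-1 hash
    "19000000010000001000000068cb42b035ea773e52ef50ecf50ec529",             # 25 subject-public-key MD5
    "20000000010000007b030000" + _CERT_DER_HEX,                             # 32 the DER certificate (891 bytes)
]))

def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized certificate-context blob into {prop_id: value}.
    Each record is: DWORD prop_id, DWORD reserved (1), DWORD length, BYTE value[length]."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or len(blob) - off < length:
            raise ValueError(f"bad record for property {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props

def der_total_length(der: bytes) -> int:
    """Header + content length of the outer DER SEQUENCE; catches truncated or padded values."""
    if not der or der[0] != 0x30:
        raise ValueError("certificate property does not start with a SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_blob(key_thumbprint: str, blob: bytes) -> dict:
    """Recompute the certificate's SHA-1 from the stored DER and compare it with the key name."""
    props = parse_cert_blob(blob)
    der = props[CERT_CERT_PROP_ID]
    if der_total_length(der) != len(der):
        raise ValueError("DER length field disagrees with the stored certificate size")
    computed = hashlib.sha1(der).hexdigest().upper()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "friendly_name": name,
        "der_len": len(der),
        "computed_sha1": computed,
        "stored_sha1": props[CERT_SHA1_HASH_PROP_ID].hex().upper(),
        "thumbprint_matches_key": computed == key_thumbprint.upper(),
    }

if __name__ == "__main__":
    print(check_blob(KEY_THUMBPRINT, REPORT_BLOB))
```

The value to act on is `computed_sha1`, not the friendly name: a dropper installing its own root can store any name it likes, but it cannot make the recomputed hash land on a thumbprint that appears in the Microsoft root program list. Look the hash up there (or in your vendor's root list); a hash that is absent, or a Blob whose stored SHA-1 disagrees with the key it was written under, is the case that turns this signature into a real indicator.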

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A (62 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 1664 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe
PID 1664 wrote to memory of 652 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe C:\Users\Admin\AppData\Local\Temp\KORID0R.exe
PID 1664 wrote to memory of 2412 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 652 wrote to memory of 840 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\KORID0R.exe C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
PID 840 wrote to memory of 872 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\CamSnap.exe C:\Windows\system32\WerFault.exe
PID 2412 wrote to memory of 1556 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 1556 wrote to memory of 752 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1556 wrote to memory of 1956 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1556 wrote to memory of 1064 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2412 wrote to memory of 2340 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2408 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2340 wrote to memory of 2328 (4 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe

"C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe"

C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe

C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe

C:\Users\Admin\AppData\Local\Temp\KORID0R.exe

"C:\Users\Admin\AppData\Local\Temp\KORID0R.exe"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

"C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 840 -s 720

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid
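
The Processes section shows the collection chain directly: build.exe spawns cmd.exe, which switches to code page 65001 and runs netsh wlan show profile (saved Wi-Fi profile names) and netsh wlan show networks mode=bssid (nearby access points), KORID0R.exe writes "Microsoft Windows Update.exe" into the user's Startup folder, and the original sample re-spawns its own image (the SetThreadContext and WriteProcessMemory pair from the Signatures section). The detection logic below is an added example, not tooling from the report or the sandbox vendor. It runs over hand-written process-creation and file-creation events modelled on Sysmon Event ID 1 and 11, with PIDs and paths taken from this report plus one benign control case (an administrator running the same netsh command from an interactive shell). The directory lists, rule names and severities are this example's assumptions.

```python
# Added example (not from the sandbox report): detection rules for the behaviour the
# Processes section shows, run over constructed Sysmon-style events built from the
# report's behavioral1 process tree plus one benign control case (PIDs 4100/4101).
import ntpath
import re

# Directories an unprivileged user can write to; an executable living here that drives
# netsh or writes persistence is the signal. Assumed list, extend to your environment.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata", r"\downloads")
STARTUP_DIR = r"\start menu\programs\startup"
WLAN_PROFILE = re.compile(r"\bwlan\s+show\s+profile")
WLAN_SURVEY = re.compile(r"\bwlan\s+show\s+networks")

def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)

def proc(pid, ppid, image, cmdline):   # Sysmon Event ID 1, reduced to the fields the rules need
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

def file_create(pid, image, target):   # Sysmon Event ID 11, reduced the same way
    return {"type": "file", "pid": pid, "image": image, "target": target}

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\01a908923cbc76874658c47d432424a0.exe"
KORIDOR = TEMP + r"\KORID0R.exe"
BUILD = TEMP + r"\build.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

EVENTS = [   # constructed from the report's process tree; explorer.exe and the control case are assumed
    proc(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    proc(3000, 900, SAMPLE, f'"{SAMPLE}"'),
    proc(1664, 3000, SAMPLE, SAMPLE),        # same image re-spawned; pairs with SetThreadContext/WriteProcessMemory
    proc(652, 1664, KORIDOR, f'"{KORIDOR}"'),
    proc(2412, 1664, BUILD, f'"{BUILD}"'),
    file_create(652, KORIDOR, STARTUP + r"\Microsoft Windows Update.exe"),
    proc(1556, 2412, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    proc(1956, 1556, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    proc(2340, 2412, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    proc(2328, 2340, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    proc(4100, 900, r"C:\Windows\System32\cmd.exe", "cmd.exe"),                  # benign control: interactive shell
    proc(4101, 4100, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]

def ancestry(pid, procs):
    """[self, parent, grandparent, ...]; stops at unknown PIDs and on cycles (PID reuse in real telemetry)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain

def triage(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []

    def hit(rule, pid, severity, detail):
        findings.append({"rule": rule, "pid": pid, "severity": severity, "detail": detail})

    for e in events:
        if e["type"] == "file":
            if STARTUP_DIR in e["target"].lower():
                hit("startup_folder_drop", e["pid"], "high" if in_user_writable(e["image"]) else "medium",
                    f"{ntpath.basename(e['image'])} wrote {ntpath.basename(e['target'])} to the Startup folder")
            continue
        chain = ancestry(e["pid"], procs)
        lineage = " <- ".join(ntpath.basename(p["image"]) for p in chain)
        tainted = any(in_user_writable(p["image"]) for p in chain[1:])   # some ancestor runs from a user-writable dir
        parent = procs.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower() and in_user_writable(e["image"]):
            hit("same_image_child", e["pid"], "high", f"re-spawned its own image: {lineage}")
        name = ntpath.basename(e["image"]).lower()
        cmd = e["cmdline"].lower()
        if name == "netsh.exe" and WLAN_PROFILE.search(cmd):
            hit("netsh_wlan_profile_dump", e["pid"], "high" if tainted else "low", f"saved Wi-Fi profiles enumerated: {lineage}")
        elif name == "netsh.exe" and WLAN_SURVEY.search(cmd):
            hit("netsh_wlan_bssid_survey", e["pid"], "medium" if tainted else "low", f"nearby access points listed: {lineage}")
    return findings

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:24} pid={f['pid']:<5} {f['detail']}")
```

Two design points carry over to production rules. The netsh rules key on the netsh.exe child and its lineage, not on the cmd.exe command string, so the chcp 65001 prefix, the findstr pipe or any other wrapper the dropper puts around the command does not matter. And lineage is what separates the sample from the control case: the same netsh command is low severity under explorer.exe and high severity under an executable in %TEMP%. In real telemetry, key the process map on Sysmon's ProcessGuid rather than PID, since PIDs are reused.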

Network

Country Destination Domain Proto
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 store23.gofile.io udp
US 172.111.38.92:443 store23.gofile.io tcp
US 104.18.114.97:80 icanhazip.com tcp
US 162.159.129.233:443 discordapp.com tcp
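
The table mixes three kinds of traffic: the channels the sample itself talks to (magic.poisontoolz.com, discordapp.com, api.gofile.io and store23.gofile.io), external-IP discovery (icanhazip.com), and Windows' own certificate-chain maintenance (www.microsoft.com, csc3-2004-crl.verisign.com, apps.identrust.com) triggered by those TLS connections. The script below is an added example, not part of the report or the sandbox: it parses rows in the exact format above, folds the DNS and repeat rows into one record per hostname, classifies each record and ranks them so the host nobody can vouch for surfaces first. The host lists used for classification are this example's assumptions.

```python
# Added example (not from the sandbox report): turn the Network table into a de-duplicated,
# classified IOC list. The rows are copied from the behavioral1 table; the hostname lists
# below are assumptions for the example and should be replaced with your own.
import re

NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 store23.gofile.io udp
US 172.111.38.92:443 store23.gofile.io tcp
US 104.18.114.97:80 icanhazip.com tcp
US 162.159.129.233:443 discordapp.com tcp
"""

# Classification lists (assumed): hosts Windows contacts for CTL/CRL/AIA fetches, public
# "what is my IP" services, and legitimate services stealers commonly use as drop points.
PKI_UPDATE_HOSTS = {"www.microsoft.com", "csc3-2004-crl.verisign.com", "apps.identrust.com"}
IP_LOOKUP_HOSTS = {"icanhazip.com", "ip-api.com", "api.ipify.org"}
ABUSED_SERVICE_SUFFIXES = ("discordapp.com", "discord.com", "gofile.io")
PRIORITY = {"unknown_review": 0, "service_abuse": 1, "external_ip_lookup": 2, "windows_pki_update": 3}

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")

def classify_domain(domain: str) -> str:
    d = domain.lower()
    if d in PKI_UPDATE_HOSTS:
        return "windows_pki_update"
    if d in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    if any(d == s or d.endswith("." + s) for s in ABUSED_SERVICE_SUFFIXES):
        return "service_abuse"
    return "unknown_review"

def parse_rows(table: str) -> list:
    """One dict per table row; raises on a line that does not match the report's column layout."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):   # blank line or the header row
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append({**m.groupdict(), "port": int(m["port"])})
    return rows

def classify_network(table: str) -> list:
    """Collapse DNS and repeat rows per hostname, classify, and sort unknown hosts to the top."""
    per_domain = {}
    for r in parse_rows(table):
        entry = per_domain.setdefault(r["domain"], {
            "domain": r["domain"], "category": classify_domain(r["domain"]),
            "dns_seen": False, "hits": 0, "endpoints": set(), "countries": set()})
        if r["port"] == 53 and r["proto"] == "udp":      # resolver query, not a contact with the host
            entry["dns_seen"] = True
            continue
        entry["hits"] += 1
        entry["endpoints"].add((r["ip"], r["port"], r["proto"]))
        entry["countries"].add(r["cc"])
    out = []
    for e in per_domain.values():
        e["endpoints"] = sorted(e["endpoints"])
        e["countries"] = sorted(e["countries"])
        out.append(e)
    out.sort(key=lambda e: (PRIORITY[e["category"]], e["domain"]))
    return out

def hostnames_to_block(results: list) -> list:
    """Only the hosts with no legitimate purpose; abused public services need a policy decision instead."""
    return [e["domain"] for e in results if e["category"] == "unknown_review"]

if __name__ == "__main__":
    for e in classify_network(NETWORK_TABLE):
        print(f"{e['category']:20} {e['domain']:30} hits={e['hits']} endpoints={e['endpoints']}")
    print("block:", hostnames_to_block(classify_network(NETWORK_TABLE)))
```

Block by hostname, not by the resolved address: 104.21.10.90, 104.18.114.97 and 162.159.129.233 are all in address space shared by many unrelated sites, so an IP block there causes collateral damage and the operator can move behind a new address anyway. csc3-2004-crl.verisign.com appears only as a DNS query with no connection, which the record preserves (dns_seen set, no endpoints). The discordapp.com and gofile.io contacts are the exfiltration path in this detonation, but blocking those services is an organisational decision, which is why they are ranked right after the unknown host rather than returned as a block list.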

Files

memory/3000-0-0x00000000011B0000-0x00000000011CC000-memory.dmp

memory/3000-1-0x0000000074230000-0x000000007491E000-memory.dmp

memory/3000-2-0x0000000004C00000-0x0000000004C40000-memory.dmp

memory/3000-3-0x00000000080A0000-0x000000000860A000-memory.dmp

memory/3000-4-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-5-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-7-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-9-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-11-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-13-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-15-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-17-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-19-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-21-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-23-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-25-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-27-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-31-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-29-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-37-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-35-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-33-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-39-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-41-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-43-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-45-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-47-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-51-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-49-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-67-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-65-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-63-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-61-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-59-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-57-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-55-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-53-0x00000000080A0000-0x0000000008604000-memory.dmp

memory/3000-936-0x0000000074230000-0x000000007491E000-memory.dmp

memory/3000-937-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/3000-938-0x00000000087B0000-0x0000000008CB0000-memory.dmp

memory/3000-939-0x0000000000410000-0x000000000045C000-memory.dmp

memory/3000-952-0x0000000074230000-0x000000007491E000-memory.dmp

memory/1664-956-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/1664-957-0x0000000000400000-0x0000000000C0A000-memory.dmp

memory/1664-958-0x0000000005560000-0x00000000055A0000-memory.dmp

\Users\Admin\AppData\Local\Temp\KORID0R.exe

MD5 222b8cba0f63d84500e3743f6532dfc4
SHA1 7fd3d70518259831c933236e9516b8aba7910821
SHA256 93796d923cb11c16352528f9c1e80df197df567d1d03819d7d21899fd64e424f
SHA512 4c728ea58bc42f29f585f2b1e4704418aa27f6464176967f4d7a3d46a10e24508d12cdc3035d4dfb32fc26f9714b13b05b4d81c4c7129246076b6f4e786a7162

\Users\Admin\AppData\Local\Temp\build.exe

MD5 23c3a4f4136d15ceaca2a2a6af88ab59
SHA1 0f67a288d3d943282f0f28274dd6c8c29c40ea24
SHA256 7bde84ef1142b6460f2818f5a3137c1cdc508148c875caf7a91ac69ae026f942
SHA512 5741470ef32f6fca036220d0b57b9ec8ec4997dba23eb35a3cfa60631c30419c306925c22ed7247df26ef3d044130514c81470fce62d605e7f78184acd032fc9

memory/2412-978-0x0000000000330000-0x00000000004C2000-memory.dmp

memory/1664-979-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/652-980-0x0000000000EE0000-0x0000000001058000-memory.dmp

memory/652-981-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

memory/2412-982-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/652-983-0x000000001BBE0000-0x000000001BC60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

MD5 550628b16ef8c4e27c4081950cf8fd66
SHA1 ab11427c02cb53b70816b06d5a950b5f52c935eb
SHA256 09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa
SHA512 e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01

memory/840-990-0x0000000000E80000-0x0000000000E9E000-memory.dmp

memory/840-991-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

memory/2412-992-0x0000000002200000-0x0000000002240000-memory.dmp

memory/2412-996-0x0000000005030000-0x00000000050C2000-memory.dmp

memory/2412-997-0x0000000000690000-0x00000000006B6000-memory.dmp

memory/2412-998-0x0000000000800000-0x0000000000808000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA47B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarA4DC.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2412-1033-0x0000000000930000-0x000000000093A000-memory.dmp

memory/2412-1034-0x0000000000940000-0x0000000000948000-memory.dmp

memory/2412-1035-0x00000000020E0000-0x00000000020FE000-memory.dmp

memory/652-1036-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2412-1115-0x00000000741B0000-0x000000007489E000-memory.dmp

memory/2412-1116-0x0000000002200000-0x0000000002240000-memory.dmp

memory/652-1119-0x000000001BBE0000-0x000000001BC60000-memory.dmp

memory/840-1120-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

memory/2412-1121-0x0000000002200000-0x0000000002240000-memory.dmp

C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\System\Apps.txt

MD5 90e05e64959dcc96ed6dfb89d65334a6
SHA1 76840a3fb0a3a37a497a2232912753f9a9e5733a
SHA256 5b7c50db5b426b201287418c6032f1b300370beb66534f8cca03cf3fa5d02876
SHA512 f9b909093eea8743f08ce5428909d5a3a4c087e4faf28c5617784c81e511505de37f1bbc9069fbedb8a0e0e45ec5880f70d1de34908ae45ff35706115e79f510

memory/2412-1164-0x0000000006B70000-0x0000000006BEA000-memory.dmp

C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\System\Debug.txt

MD5 beec1701396ac7524912ab02234005f6
SHA1 b734752ff28dbbaf63aaee72ff2e34fd9153e4d7
SHA256 f33b1e4564a0faf92e228c4005f12aa220f34eec04193d9991dc9df0ee47e06d
SHA512 cb88b209adf6daf6232355a2c6550c976ff3e731147009ec4a11efc838cbd6de11ada402e0b22b11e33ff500c8f04b15f664ab25e790a4ffa857beb8c6d8b997

C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\System\ProductKey.txt

MD5 cad6c6bee6c11c88f5e2f69f0be6deb7
SHA1 289d74c3bebe6cca4e1d2e084482ad6d21316c84
SHA256 dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
SHA512 e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

memory/2412-1231-0x0000000006D10000-0x0000000006DC2000-memory.dmp

C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\msgid.dat

MD5 ef62bd9c27ebdd78b92d51329374d697
SHA1 89f915eb9057e7099a541d8b1e5dacc5779b94b5
SHA256 a7c73df21361821920b3b18665ab54b984320dcc512a5b71bb09415d270ca32e
SHA512 7060b4cfaeddd9729b08d1175f733501b567bc319ef589353a00ceed7c621540e3fcc0d6273f4637933893ea3a3fa31392f1c079d805929bc246d1635d11b1a6

memory/2412-1347-0x0000000002200000-0x0000000002240000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 03:55

Reported

2024-01-30 03:57

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (34 rows, all fields N/A)

Stealerium

stealer stealerium

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\KORID0R.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\KORID0R.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\KORID0R.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A icanhazip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2536 set thread context of 3912 N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
(64 identical rows in the original report: build.exe enumerated running processes repeatedly; no further detail is exposed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\KORID0R.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of WriteProcessMemory

Identical rows collapsed; the event count per parent/child pair is given in the Description column.

Description Indicator Process Target
PID 2536 wrote to memory of 3912 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe
PID 3912 wrote to memory of 3280 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe C:\Users\Admin\AppData\Local\Temp\KORID0R.exe
PID 3912 wrote to memory of 2092 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 3280 wrote to memory of 2980 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\KORID0R.exe C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
PID 2092 wrote to memory of 3944 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 2460 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3944 wrote to memory of 2784 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3944 wrote to memory of 1696 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2092 wrote to memory of 3876 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 3876 wrote to memory of 4524 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3876 wrote to memory of 3816 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Processes

Process tree reconstructed from the WriteProcessMemory and SetThreadContext tables above (PIDs as reported by the sandbox; each process's command line is shown under its image path):

C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe  (PID 2536)
    "C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe"
  +- C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe  (PID 3912)
         C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe
     +- C:\Users\Admin\AppData\Local\Temp\KORID0R.exe  (PID 3280)
            "C:\Users\Admin\AppData\Local\Temp\KORID0R.exe"
        +- C:\Users\Admin\AppData\Local\Temp\CamSnap.exe  (PID 2980)
               "C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
     +- C:\Users\Admin\AppData\Local\Temp\build.exe  (PID 2092)
            "C:\Users\Admin\AppData\Local\Temp\build.exe"
        +- C:\Windows\SysWOW64\cmd.exe  (PID 3944)
               "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
           +- C:\Windows\SysWOW64\chcp.com  (PID 2460)
                  chcp 65001
           +- C:\Windows\SysWOW64\netsh.exe  (PID 2784)
                  netsh wlan show profile
           +- C:\Windows\SysWOW64\findstr.exe  (PID 1696)
                  findstr All
        +- C:\Windows\SysWOW64\cmd.exe  (PID 3876)
               "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
           +- C:\Windows\SysWOW64\chcp.com  (PID 4524)
                  chcp 65001
           +- C:\Windows\SysWOW64\netsh.exe  (PID 3816)
                  netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe  (no parent recorded in this report)
    C:\Windows\system32\msiexec.exe /V

Notes: PID 3912 is a second instance of the sample's own image, launched by PID 2536, which wrote into it eight times and then called SetThreadContext on it (see the two signatures above). That is the usual pattern of an unpacked payload being placed into a fresh copy of the host process, and it is this injected instance, not the original, that drops KORID0R.exe and build.exe. build.exe is the stage that runs the Wi-Fi reconnaissance (chcp 65001 switches the console to UTF-8 before the netsh output is captured) and opens the Outlook profile registry keys; KORID0R.exe writes the Startup-folder persistence file "Microsoft Windows Update.exe" and launches CamSnap.exe. The msiexec.exe /V instance is the Windows Installer service process; the report records only its SeSecurityPrivilege use and no link to the sample's process tree.
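The two cmd.exe command lines above and the "Drops startup file" signature are the parts of this chain that endpoint telemetry sees most reliably. The following Python is an added example written for this page, not code from the report or from any vendor ruleset: it runs simple rules over Sysmon-style process-creation and file-creation events constructed from the process tree and signature tables above. The event field names, the regular expressions, the "EXE launched from %LOCALAPPDATA%\Temp" heuristic and the severity logic are this example's assumptions.

```python
"""Detection logic for the behaviour chain in this report: build.exe harvesting
Wi-Fi profiles through cmd.exe and KORID0R.exe persisting via the user's Startup
folder. Added example, not part of the sandbox report. Events are simplified
Sysmon-style dicts (EventID 1 = process create, EventID 11 = file create); the
constants below are assumptions chosen from the report's indicators."""
import re
from dataclasses import dataclass

# Wi-Fi reconnaissance run by the stealer stage (both command lines appear in the
# report). "profile" (singular) is what this sample uses; the plural is also legal.
WIFI_RECON = re.compile(
    r"netsh\s+wlan\s+show\s+(?:profiles?\b|networks\b.*\bmode=bssid\b)", re.IGNORECASE)
# chcp 65001 switches the console to UTF-8 so the SSID list is clean for exfil.
CHCP_UTF8 = re.compile(r"\bchcp\s+65001\b", re.IGNORECASE)
# Assumption: any EXE launched from %LOCALAPPDATA%\Temp is treated as a dropped binary.
TEMP_EXE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)
STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    re.IGNORECASE)
# Persistence file names that impersonate Microsoft components (the report shows
# "Microsoft Windows Update.exe").
MS_LOOKALIKE = re.compile(r"^(?:microsoft|windows)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    pid: int
    detail: str


def detect(events):
    """Return one Alert per matching event, in event order."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            cmd = ev.get("CommandLine", "")
            parent = ev.get("ParentImage", "")
            if WIFI_RECON.search(cmd):
                # High only when it looks like the stealer idiom: UTF-8 code page
                # switch and a parent that is itself a dropped binary.
                high = bool(CHCP_UTF8.search(cmd)) and bool(TEMP_EXE.search(parent))
                alerts.append(Alert("wifi_profile_harvest", "high" if high else "medium",
                                    ev["ProcessId"], f"{cmd} (parent: {parent})"))
        elif ev["EventID"] == 11:  # file creation
            target = ev.get("TargetFilename", "")
            image = ev.get("Image", "")
            if STARTUP_DIR.search(target) and target.lower().endswith(".exe"):
                name = target.rsplit("\\", 1)[-1]
                high = bool(TEMP_EXE.search(image)) or bool(MS_LOOKALIKE.search(name))
                alerts.append(Alert("startup_folder_persistence", "high" if high else "medium",
                                    ev["ProcessId"], f"{image} wrote {target}"))
    return alerts


# Constructed events modelled on the report's process tree and signatures, plus
# two benign look-alikes to show what the rules deliberately down-rank or skip.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3944, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\build.exe",
     "CommandLine": r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"EventID": 1, "ProcessId": 3876, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\build.exe",
     "CommandLine": r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    {"EventID": 11, "ProcessId": 3280, "Image": r"C:\Users\Admin\AppData\Local\Temp\KORID0R.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                       r"\Programs\Startup\Microsoft Windows Update.exe"},
    # An admin listing saved profiles from an interactive prompt: medium, not high.
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "netsh wlan show profiles"},
    # An installer writing a shortcut (not an EXE) to Startup: no alert.
    {"EventID": 11, "ProcessId": 5100, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                       r"\Programs\Startup\Vendor Tray.lnk"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} pid={a.pid}: {a.detail}")
```

Against the constructed events the three report-derived events score high and the interactive `netsh wlan show profiles` scores medium; the .lnk written to Startup produces nothing. In production the Temp-folder heuristic should be combined with the parent's signing status, since the report's own build.exe and KORID0R.exe are unsigned PEs.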

Network

Country Destination Domain Proto
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 store16.gofile.io udp
US 104.36.23.21:443 store16.gofile.io tcp
US 8.8.8.8:53 21.23.36.104.in-addr.arpa udp
US 104.18.114.97:80 icanhazip.com tcp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
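The Network table mixes four kinds of traffic that deserve different handling: resolver queries and PTR lookups made by the sandbox, an external-IP check, legitimate services abused as exfiltration channels (Telegram bot API, Discord, gofile), and one domain with no benign explanation. The Python below is an added example for this page, not part of the report: it parses rows in the table's own format and sorts them into block/detect/weak/noise tiers. The rows in SAMPLE_ROWS are a subset copied from the table above; the service classification sets are this example's assumptions and are labelled as such in the comments.

```python
"""Triage of a sandbox Network table into blocking/detection tiers. Added
example, not part of the report. SAMPLE_ROWS is copied from the report's
Network section; the classification sets are assumptions of this example."""
from collections import namedtuple

Row = namedtuple("Row", "country dest_ip port domain proto")

# Representative subset of this report's Network table (copied, not invented).
SAMPLE_ROWS = """\
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 162.159.129.233:443 discordapp.com tcp
US 104.18.114.97:80 icanhazip.com tcp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
FR 151.80.29.83:443 api.gofile.io tcp
US 104.36.23.21:443 store16.gofile.io tcp
US 162.159.129.233:443 discordapp.com tcp
"""

# Assumed classifications (this example's choices, not from the report):
RESOLVERS = {"8.8.8.8"}                     # sandbox DNS; a row to it is a lookup, not a session
IP_CHECK = {"ip-api.com", "icanhazip.com"}  # external-IP lookup; weak evidence on its own
# Legitimate services abused as exfil channels. Matched on the registrable
# domain so that store16.gofile.io lands in the same bucket as api.gofile.io.
SHARED_SERVICES = {"telegram.org", "discordapp.com", "gofile.io"}
BENIGN = {"symantec.com"}                   # OCSP responder for a code-signing certificate


def parse(table):
    """Parse 'Country Destination Domain Proto' rows as printed in the report."""
    rows = []
    for line in table.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def registrable(domain):
    # Good enough for the TLDs in this report; a public-suffix list is the real fix.
    return ".".join(domain.split(".")[-2:])


def classify(domain):
    if domain.endswith(".in-addr.arpa"):
        return "noise"      # PTR lookups the sandbox/OS performed for each peer
    root = registrable(domain)
    if root in BENIGN:
        return "noise"
    if domain in IP_CHECK:
        return "weak"
    if root in SHARED_SERVICES:
        return "detect"     # alert on it; a global block collides with legitimate use
    return "block"          # infrastructure with no benign explanation


def triage(table):
    """Return {tier: sorted unique entries}; DNS rows keep the name only,
    connection rows keep name plus socket so the two are not conflated."""
    tiers = {"block": set(), "detect": set(), "weak": set(), "noise": set()}
    for r in parse(table):
        tier = classify(r.domain)
        if r.dest_ip in RESOLVERS:
            tiers[tier].add(r.domain)
        else:
            tiers[tier].add(f"{r.domain} -> {r.dest_ip}:{r.port}/{r.proto}")
    return {k: sorted(v) for k, v in tiers.items()}


if __name__ == "__main__":
    for tier, entries in triage(SAMPLE_ROWS).items():
        print(tier)
        for entry in entries:
            print("   ", entry)
```

Two caveats when turning the output into controls: 104.21.10.90 and 162.159.129.233 are Cloudflare-fronted addresses, so magic.poisontoolz.com should be blocked by name rather than by IP, and the gofile storage host (store16 here) is assigned per upload, so detection should key on the registrable domain gofile.io rather than on one hostname.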

Files

memory/2536-0-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/2536-1-0x0000000000CF0000-0x0000000000D0C000-memory.dmp

memory/2536-2-0x0000000005780000-0x0000000005790000-memory.dmp

memory/2536-3-0x00000000084D0000-0x0000000008A3A000-memory.dmp

memory/2536-5-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-4-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-7-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-9-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-11-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-13-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-15-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-17-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-19-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-21-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-23-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-25-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-27-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-29-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-31-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-33-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-35-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-37-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-39-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-41-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-43-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-45-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-47-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-49-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-51-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-53-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-55-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-57-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-59-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-61-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-63-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-65-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-67-0x00000000084D0000-0x0000000008A34000-memory.dmp

memory/2536-936-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/2536-937-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

memory/2536-938-0x0000000008ED0000-0x00000000093D0000-memory.dmp

memory/2536-939-0x0000000007090000-0x00000000070DC000-memory.dmp

memory/2536-940-0x0000000009980000-0x0000000009F24000-memory.dmp

memory/3912-943-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/2536-944-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/3912-945-0x0000000000400000-0x0000000000C0A000-memory.dmp

memory/3912-946-0x00000000056B0000-0x0000000005742000-memory.dmp

memory/3912-947-0x0000000005640000-0x0000000005650000-memory.dmp

memory/3912-948-0x0000000005890000-0x000000000589A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KORID0R.exe

MD5 222b8cba0f63d84500e3743f6532dfc4
SHA1 7fd3d70518259831c933236e9516b8aba7910821
SHA256 93796d923cb11c16352528f9c1e80df197df567d1d03819d7d21899fd64e424f
SHA512 4c728ea58bc42f29f585f2b1e4704418aa27f6464176967f4d7a3d46a10e24508d12cdc3035d4dfb32fc26f9714b13b05b4d81c4c7129246076b6f4e786a7162

C:\Users\Admin\AppData\Local\Temp\KORID0R.exe

MD5 090381835958e49a158d95b1a8307cc8
SHA1 18d7714b9718791754b581450f77e1116127d6d7
SHA256 732664f5b564f40e11481bc0f7931313039566c4e18f83bb023f761ab04b61ae
SHA512 8326c67776277d9f50f7668dd979951c1880a1e2c8bf39c7d5e2540289d78b317208365f7295dcede855452554e7d3691dc44f0a916df559d67a2bd8384aa7f3

C:\Users\Admin\AppData\Local\Temp\KORID0R.exe

MD5 d97b2e37808d7144a9ee47b9a915dbd0
SHA1 521e8f32704d3fee037d3b5e5d6a73a775cc9602
SHA256 cc0c927e43aa0ccef58e7bddba004b68266bd6132e72640fe0950ed4322a1f96
SHA512 f6561078b5192956b96a1ff173253143c116c1950b5757e1e7841b9716af1d834efa8f60e9bde60c64cec689634b99bdb36372ea7df5e85e38a075a8674a5b79

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 51b0bca51ca74d831ee1714d72f4f82a
SHA1 c45951f29491c64ad3847b9fc23741806c7db66d
SHA256 3a1cb2eb8e1f6195a3c17220efef67dd84c746ea5617c103eae6d21f188f9d44
SHA512 cfa62537b800a95ce79c04ffd7be8ab3997688527b9e3ffa5f80171d0c91b97ddc463181f8749ea40f3a4b3e0ad1b288b1808f5f46c219b93ae0c49056c66c47

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 23c3a4f4136d15ceaca2a2a6af88ab59
SHA1 0f67a288d3d943282f0f28274dd6c8c29c40ea24
SHA256 7bde84ef1142b6460f2818f5a3137c1cdc508148c875caf7a91ac69ae026f942
SHA512 5741470ef32f6fca036220d0b57b9ec8ec4997dba23eb35a3cfa60631c30419c306925c22ed7247df26ef3d044130514c81470fce62d605e7f78184acd032fc9

memory/3280-977-0x0000023E6DF10000-0x0000023E6E088000-memory.dmp

memory/2092-978-0x0000000000FA0000-0x0000000001132000-memory.dmp

memory/2092-979-0x00000000059F0000-0x0000000005A56000-memory.dmp

memory/3280-980-0x00007FFE31E20000-0x00007FFE328E1000-memory.dmp

memory/2092-981-0x00000000744C0000-0x0000000074C70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\01a908923cbc76874658c47d432424a0.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

memory/3912-983-0x00000000744C0000-0x0000000074C70000-memory.dmp

memory/3280-984-0x0000023E70590000-0x0000023E705A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

MD5 550628b16ef8c4e27c4081950cf8fd66
SHA1 ab11427c02cb53b70816b06d5a950b5f52c935eb
SHA256 09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa
SHA512 e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01

memory/2980-997-0x000001891DC20000-0x000001891DC3E000-memory.dmp

memory/2980-998-0x00007FFE31E20000-0x00007FFE328E1000-memory.dmp

memory/2092-999-0x00000000059E0000-0x00000000059F0000-memory.dmp

memory/2980-1000-0x00007FFE31E20000-0x00007FFE328E1000-memory.dmp

memory/3280-1004-0x0000023E72910000-0x0000023E72960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data\Autofills.txt

MD5 6be6fdca0cfa94635b8689b2b0bf2bee
SHA1 379c61029b5443c3d3df7c770423e40618b36d15
SHA256 5bc3a7ced261f235f4a30797ad96f803c9e022a95ad6bc7fedc06d0fd2a0abeb
SHA512 7955fb48977c971563b10420e379ebea01e42582a8dfe2719ec756dda7e757168031a58a3c9fef061c0abb6c799579f7c8b46de4fc5b4ab3519d735092848cd8

C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt

MD5 412ec159e4b14be1ca93db473e80acc2
SHA1 8909b6f7fc8715a749270b6ceb8f05f823f59fd3
SHA256 eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe
SHA512 a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4

C:\Users\Admin\AppData\Local\Temp\Data\Downloads.txt

MD5 ae0f7fab163139c661e576fe0af08651
SHA1 7545ab94360fd93f2209021b4cecabb92592be27
SHA256 832ff6318e2c78ac1907c74f3911f8815b545c16449cbce6753e21fb723cb657
SHA512 a3e342a3c72c079db96a8d6bb108830c3a772b926be0cf4e5d09ebb09e1babbc7602959bf1f82c8df8764f45479f318c3205114f23c96fd663efa792cff86b8b

C:\Users\Admin\AppData\Local\Temp\Data\CreditCards.txt

MD5 0f5f7a38759e578c92bcf62c45d80b8a
SHA1 211e70ede55cce5bf67f685d85cbd030a8517d2b
SHA256 39059fc9bf3844dacbe329b623ca7a06f72656216dd4e52dc9b938b3d95289dc
SHA512 8130466f8ee346c0b931a34e63e2e9dc6f4070b85faaa58efdddd4d165fa605457d3137472c5fd09da87b0135a4beb660ee39cb390d78be6f0786950036b205d

memory/3280-1045-0x00007FFE31E20000-0x00007FFE328E1000-memory.dmp

memory/2092-1046-0x0000000006210000-0x00000000062A2000-memory.dmp

memory/2092-1047-0x00000000062A0000-0x00000000062C6000-memory.dmp

memory/2092-1048-0x00000000062D0000-0x00000000062D8000-memory.dmp

memory/2092-1049-0x00000000070F0000-0x00000000070FA000-memory.dmp

memory/2092-1050-0x0000000007100000-0x0000000007108000-memory.dmp

memory/2092-1051-0x0000000007120000-0x000000000713E000-memory.dmp

C:\Users\Admin\AppData\Local\290089e560d04ab6c39a980cb50156c3\Admin@NUPNSVML_en-US\System\Debug.txt

MD5 7c59f9fe840414789bd0d694721dc931
SHA1 3bd2bfa77d7d751f021aa39c519d7d71468281a2
SHA256 9cb2c43b23a986c6771a9e96c3ca89bb0b891dc71389e0338de5e8d32c14b6e2
SHA512 7c475ba54da940844170f1b71b2b1a518a173ccb0b7827d8e9347946040db8346cba28da0b263f3bd800e74983b6d5a9c269c71288e8a63ef3af46b550db023b

C:\Users\Admin\AppData\Local\290089e560d04ab6c39a980cb50156c3\Admin@NUPNSVML_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2092-1117-0x00000000744C0000-0x0000000074C70000-memory.dmp

C:\Users\Admin\AppData\Local\290089e560d04ab6c39a980cb50156c3\Admin@NUPNSVML_en-US\System\Process.txt

MD5 e3b62f1517346f39fd7cf7984cf2827a
SHA1 48db581459a4f578d20daa0d89746d23d6789efd
SHA256 ccf5c5185e2df7e968b2f1e553421ffbe0628dab3aac6acf3cc57bc82c2976cd
SHA512 1390b940da4e404acef3e0485facfce688e5c9c888d33f1d85f4d6ceb234ee49fb4ffe534165896160165b4b9eb9432b0d8a3ab9c013d7658188a27bfddb8d91

memory/2092-1191-0x00000000059E0000-0x00000000059F0000-memory.dmp

memory/2092-1204-0x00000000059E0000-0x00000000059F0000-memory.dmp

C:\Users\Admin\AppData\Local\290089e560d04ab6c39a980cb50156c3\Admin@NUPNSVML_en-US\System\Apps.txt

MD5 109200e0ebbbb8555161615ac6f7b282
SHA1 4a128739efbf0eaed157f68eda5d505690dc643b
SHA256 464943501c3413d695b38a23e9c9469dcbfd5f6c6b707e5f24ff4cbd804e7e0b
SHA512 dd70f3a0be9746169a0c8b2b6a9769bdadd9cb2d4f6fc63daf4fddc289bd872874dc3f969d1b69cb1d33b22c74afbea622ec59041ef8cc767f329b990eefacae

memory/2092-1239-0x0000000007440000-0x00000000074BA000-memory.dmp

C:\Users\Admin\AppData\Local\290089e560d04ab6c39a980cb50156c3\Admin@NUPNSVML_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

C:\Users\Admin\AppData\Local\290089e560d04ab6c39a980cb50156c3\Admin@NUPNSVML_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\290089e560d04ab6c39a980cb50156c3\Admin@NUPNSVML_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

memory/2092-1311-0x0000000007590000-0x0000000007642000-memory.dmp

memory/2092-1313-0x00000000073E0000-0x0000000007402000-memory.dmp

memory/2092-1314-0x000000000A040000-0x000000000A394000-memory.dmp

C:\Users\Admin\AppData\Local\290089e560d04ab6c39a980cb50156c3\msgid.dat

MD5 47301cf2c3d9432fee54ceffb6e1794c
SHA1 cbd71f5a6c6c406f30e2d298dbab923c511a6981
SHA256 195832702d8fcb054e0466f4b857aca48bf7dd06c09ff1e8d8d9fa0934685582
SHA512 a73c47ba98b515c2d277aaaf366528527664fe3b795092d5e4ba8b1e58893aaf0e5d1b1ec57251bdb5561e2f0c8888264d12fe1f78374bdc27628ab11311a5c7

memory/2092-1326-0x00000000059E0000-0x00000000059F0000-memory.dmp