Malware Analysis Report

2024-10-19 06:53

Sample ID 240130-egsgnagab2
Target ac15ae1e49f4272e8d38b5fd5573ce35.exe
SHA256 c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149
Tags
stealerium zgrat collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149

Threat Level: Known bad

The file ac15ae1e49f4272e8d38b5fd5573ce35.exe was found to be: Known bad.

Malicious Activity Summary

stealerium zgrat collection rat spyware stealer

Stealerium

ZGRat

Detect ZGRat V1

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Modifies system certificate store

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 03:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 03:55

Reported

2024-01-30 03:57

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
(34 rows, all N/A: the rule matched but the sandbox exported no indicator detail)

Stealerium

stealer stealerium

ZGRat

rat zgrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1740 set thread context of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Note: these thumbprints belong to public root CAs (D4DE20D05E66FC53FE1A50882C78DB2852CAE474 is Baltimore CyberTrust Root, CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1, DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3). Together with the apps.identrust.com and csc3-2004-crl.verisign.com connections in the Network section and the CryptnetUrlCache file in the Files section, the writes are consistent with Windows' automatic root update and CRL/AIA caching during the sample's first HTTPS connections, not with the sample installing a root certificate of its own. Weigh this signature accordingly; the stealer behaviour recorded above is the evidence that matters.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
(64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2640 (9 calls) N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2640 wrote to memory of 2864 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
PID 2640 wrote to memory of 2560 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 2864 wrote to memory of 1236 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
PID 1236 wrote to memory of 2056 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\CamSnap.exe C:\Windows\system32\WerFault.exe
PID 2560 wrote to memory of 2436 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 1320 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2436 wrote to memory of 1348 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2436 wrote to memory of 3024 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2560 wrote to memory of 968 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 968 wrote to memory of 292 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 968 wrote to memory of 2612 (4 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
(identical rows collapsed; the count is the number of hooked WriteProcessMemory calls the sandbox logged for that pair)
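
The SetThreadContext row and the WriteProcessMemory rows above, read together, are the RunPE / process-hollowing pattern: PID 1740 writes nine times into a second instance of its own image (PID 2640) and then sets that process's thread context, after which 2640, not 1740, is the process that drops @dr@[email protected] and build.exe. Every ordinary spawn in the same table (cmd.exe to chcp.com, CamSnap.exe to WerFault.exe) shows only three or four writes and no context change, which is what the sandbox's hooks see CreateProcess itself do while setting up a child. The Python below is an added example, not output of the sandbox and not code from the sample: it turns such hooked-API events into a per-pair verdict. The event list is constructed from the rows above; the record fields, the write budget of four and the verdict names are this example's own assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Image paths as printed in this report. The dropper's name is used exactly as the
# page shows it ("@dr@[email protected]", a scraping artifact), purely as an opaque label.
SAMPLE  = r"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"
BUILD   = r"C:\Users\Admin\AppData\Local\Temp\build.exe"
CAMSNAP = r"C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
CMD     = r"C:\Windows\SysWOW64\cmd.exe"


@dataclass(frozen=True)
class ApiEvent:
    """One hooked cross-process API call (field names are this example's own)."""
    api: str        # "WriteProcessMemory" or "SetThreadContext"
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


# Constructed from the behavioral1 signature tables; counts match the report.
EVENTS = (
    [ApiEvent("WriteProcessMemory", 1740, 2640, SAMPLE, SAMPLE)] * 9
    + [ApiEvent("SetThreadContext", 1740, 2640, SAMPLE, SAMPLE)]
    + [ApiEvent("WriteProcessMemory", 2640, 2864, SAMPLE, DROPPER)] * 4
    + [ApiEvent("WriteProcessMemory", 2640, 2560, SAMPLE, BUILD)] * 4
    + [ApiEvent("WriteProcessMemory", 2864, 1236, DROPPER, CAMSNAP)] * 3
    + [ApiEvent("WriteProcessMemory", 2560, 2436, BUILD, CMD)] * 4
)

# Under API hooking an ordinary CreateProcess already shows up as a few writes into
# the new child (its parameters/PEB) with no SetThreadContext; see the cmd.exe ->
# chcp.com rows in this report. More writes than this, or any SetThreadContext,
# means the parent is doing more than spawning. The budget is an assumption.
SPAWN_WRITE_BUDGET = 4


def correlate_injection(events):
    """Return {(src_pid, dst_pid): (verdict, write_count)} for every process pair."""
    writes = Counter()
    ctx_set = set()
    images = {}
    for e in events:
        key = (e.src_pid, e.dst_pid)
        images[key] = (e.src_image, e.dst_image)
        if e.api == "WriteProcessMemory":
            writes[key] += 1
        elif e.api == "SetThreadContext":
            ctx_set.add(key)

    verdicts = {}
    for key, (src_img, dst_img) in images.items():
        n = writes[key]
        if key in ctx_set and n > 0:
            # Payload written, then the child's thread redirected into it: RunPE.
            same = src_img.lower() == dst_img.lower()
            verdict = "self-hollowing" if same else "hollowing"
        elif key in ctx_set:
            verdict = "thread-hijack"          # context change without a prior write
        elif n <= SPAWN_WRITE_BUDGET:
            verdict = "benign-spawn"
        else:
            verdict = "suspicious-write"
        verdicts[key] = (verdict, n)
    return verdicts


def hollowed_pids(verdicts):
    """PIDs whose original image was replaced; their later activity belongs to the sample."""
    return sorted(dst for (src, dst), (verdict, n) in verdicts.items()
                  if verdict.endswith("hollowing"))


if __name__ == "__main__":
    for key, (verdict, n) in correlate_injection(EVENTS).items():
        print(f"{key[0]:>5} -> {key[1]:<5} {verdict:16} writes={n}")
```

The practical consequence of the verdict is attribution: everything PID 2640 does afterwards (dropping the two payloads, opening the Outlook profile keys) should be credited to the sample, even though 2640 was started as a clean copy of the same file.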

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

"C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

"C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1236 -s 716

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V
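
The process list above shows what build.exe, the Stealerium payload, does with the shell: `cmd.exe /C chcp 65001 && netsh wlan show profile | findstr All` enumerates the saved Wi-Fi profiles (chcp 65001 forces UTF-8 output so the stealer's parser is locale-independent; findstr All keeps the "All User Profile" lines) and `cmd.exe /C chcp 65001 && netsh wlan show networks mode=bssid` lists nearby access points with their BSSIDs. The same commands are harmless when an administrator types them, so a useful rule keys on ancestry: a netsh wlan enumeration whose process tree starts from a binary in a user-writable directory. The Python below is an added example, not part of this report: the process records are constructed from the Processes section (PIDs come from the WriteProcessMemory rows, since the report does not print them beside the command lines), the three records for an operator's own shell are invented as a control, and the field names and path patterns are assumptions.

```python
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"
BUILD  = r"C:\Users\Admin\AppData\Local\Temp\build.exe"


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record (field names are this example's own, not a sandbox schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int            # process whose command line matched
    origin_pid: int     # nearest ancestor running from a user-writable path
    chain: str          # ancestry, root first


# Constructed from the behavioral1 "Processes" section; PIDs from its "wrote to memory"
# rows. The last three records are a constructed control: an operator running the same
# netsh query from a shell started by explorer.exe.
PROCESSES = [
    ProcEvent(1740, 0,    SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2640, 1740, SAMPLE, SAMPLE),
    ProcEvent(2560, 2640, BUILD,  f'"{BUILD}"'),
    ProcEvent(2436, 2560, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(1320, 2436, r"C:\Windows\SysWOW64\chcp.com",    "chcp 65001"),
    ProcEvent(1348, 2436, r"C:\Windows\SysWOW64\netsh.exe",   "netsh wlan show profile"),
    ProcEvent(3024, 2436, r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    ProcEvent(968,  2560, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(292,  968,  r"C:\Windows\SysWOW64\chcp.com",    "chcp 65001"),
    ProcEvent(2612, 968,  r"C:\Windows\SysWOW64\netsh.exe",   "netsh wlan show networks mode=bssid"),
    ProcEvent(1500, 0,    r"C:\Windows\explorer.exe",         "explorer.exe"),
    ProcEvent(4000, 1500, r"C:\Windows\System32\cmd.exe",     '"C:\\Windows\\System32\\cmd.exe"'),
    ProcEvent(4001, 4000, r"C:\Windows\System32\netsh.exe",   "netsh wlan show profile"),
]

# Wi-Fi profile/BSSID enumeration via netsh, matched on the command line so that the
# rule also fires on the cmd.exe wrapper when netsh itself is blocked or not logged.
WLAN_RECON = re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+(?:profiles?|networks)\b", re.I)
# Directories an unprivileged user can write to; binaries launched from here are the
# usual root of a commodity-stealer process tree. Extend for local conventions.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)


def ancestry(index, pid, max_depth=6):
    """Walk parent links from pid upward, nearest first, stopping at unknown PIDs."""
    chain = []
    while pid in index and len(chain) < max_depth:
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain


def detect_wlan_harvest(events):
    """Flag netsh wlan enumeration whose process tree starts in a user-writable path."""
    index = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not WLAN_RECON.search(e.cmdline):
            continue
        chain = ancestry(index, e.pid)
        origin = next((a for a in chain if USER_WRITABLE.search(a.image)), None)
        if origin is None:
            continue  # same command from explorer or an admin shell: no alert
        names = " -> ".join(a.image.rsplit("\\", 1)[-1] for a in reversed(chain))
        findings.append(Finding(e.pid, origin.pid, names))
    return findings


if __name__ == "__main__":
    for f in detect_wlan_harvest(PROCESSES):
        print(f"pid {f.pid} (origin pid {f.origin_pid}): {f.chain}")
```

Both cmd.exe wrappers and both netsh.exe children match, and all four resolve to the same origin, build.exe (PID 2560), which is the process to pull from disk and hash against the build.exe entries in the Files section; the operator's netsh.exe (PID 4001) produces nothing.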

Network

Country Destination Domain Proto
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 store23.gofile.io udp
US 172.111.38.92:443 store23.gofile.io tcp
US 104.18.114.97:80 icanhazip.com tcp
US 162.159.129.233:443 discordapp.com tcp
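
The Network table above records the delivery side of the stealer in order: a first TLS connection to magic.poisontoolz.com, a public-IP lookup at icanhazip.com (ip-api.com in the Windows 10 run below), then api.gofile.io and store23.gofile.io, with discordapp.com contacted at the start and again at the end; Stealerium is known to deliver its report archive through a Discord webhook and to push larger files to gofile. The www.microsoft.com, csc3-2004-crl.verisign.com and apps.identrust.com rows are CRL/AIA fetches made by CryptoAPI during those TLS handshakes and should be excluded before any domain in the table is treated as infrastructure. The Python below is an added example, not from this report or the Stealerium project: it applies that sequence (IP check, then upload or webhook service within a short window) to per-host flow records and then lists what the alerted host contacted that is still unexplained. The flows are constructed from the table (timestamps are invented but stay inside the 126 s network window the report gives), the control host WS2 is invented, and the domain lists and field names are assumptions to be replaced with local telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection (field names are this example's own)."""
    t: float      # seconds since detonation start; constructed, the report gives order only
    host: str     # monitored endpoint (constructed label)
    domain: str
    dst: str
    proto: str


# Services a stealer queries for the victim's public IP (the first two appear in this report).
IP_CHECK_DOMAINS = ("icanhazip.com", "ip-api.com", "api.ipify.org")
# Report-delivery channels: Discord webhooks and gofile uploads.
EXFIL_SUFFIXES = ("gofile.io", "discordapp.com", "discord.com")
# CRL/AIA/root-update traffic CryptoAPI generates on a process's first HTTPS connections;
# without this exclusion every TLS-capable process looks like it has a C2.
PKI_NOISE_SUFFIXES = ("verisign.com", "identrust.com", "microsoft.com", "digicert.com")

# Constructed from the behavioral1 Network table (same order). WS2 is a control host
# whose user checked their IP and then browsed normally.
FLOWS = [
    Flow(1.0,  "WS1", "magic.poisontoolz.com", "104.21.10.90:443",    "tcp"),
    Flow(2.5,  "WS1", "discordapp.com",        "162.159.129.233:443", "tcp"),
    Flow(4.0,  "WS1", "icanhazip.com",         "104.18.114.97:80",    "tcp"),
    Flow(5.0,  "WS1", "www.microsoft.com",     "92.123.241.137:80",   "tcp"),
    Flow(6.0,  "WS1", "icanhazip.com",         "104.18.114.97:80",    "tcp"),
    Flow(30.0, "WS1", "api.gofile.io",         "151.80.29.83:443",    "tcp"),
    Flow(31.0, "WS1", "apps.identrust.com",    "96.17.179.184:80",    "tcp"),
    Flow(45.0, "WS1", "store23.gofile.io",     "172.111.38.92:443",   "tcp"),
    Flow(60.0, "WS1", "icanhazip.com",         "104.18.114.97:80",    "tcp"),
    Flow(61.0, "WS1", "discordapp.com",        "162.159.129.233:443", "tcp"),
    Flow(0.0,  "WS2", "icanhazip.com",         "104.18.114.97:80",    "tcp"),
    Flow(3.0,  "WS2", "www.microsoft.com",     "92.123.241.137:80",   "tcp"),
]


def in_domains(domain, suffixes):
    """True if domain equals one of the suffixes or is a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def stealer_exfil_sequence(flows, window=120.0):
    """Per host: an IP-check lookup followed within `window` seconds by an upload/webhook
    service. Returns {host: sorted exfil domains}; hosts without the sequence are absent."""
    by_host = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.t):
        by_host[f.host].append(f)
    alerts = {}
    for host, fl in by_host.items():
        checks = [f.t for f in fl if in_domains(f.domain, IP_CHECK_DOMAINS)]
        if not checks:
            continue
        t0 = checks[0]
        exfil = {f.domain for f in fl
                 if t0 <= f.t <= t0 + window and in_domains(f.domain, EXFIL_SUFFIXES)}
        if exfil:
            alerts[host] = sorted(exfil)
    return alerts


def unexplained_domains(flows, alerts):
    """For alerted hosts, domains that are neither IP-check, exfil service nor PKI noise:
    the candidates worth pivoting on as panel/C2 infrastructure."""
    out = set()
    for f in flows:
        if f.host not in alerts:
            continue
        if in_domains(f.domain, IP_CHECK_DOMAINS + EXFIL_SUFFIXES + PKI_NOISE_SUFFIXES):
            continue
        out.add(f.domain.lower())
    return out


if __name__ == "__main__":
    alerts = stealer_exfil_sequence(FLOWS)
    print(alerts)
    print(unexplained_domains(FLOWS, alerts))
```

On the constructed data only WS1 alerts, with the two gofile hosts and discordapp.com as the delivery channels, and the single domain left unexplained is magic.poisontoolz.com, the first connection the sample made; that is the one to block and to search for across the estate.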

Files

memory/1740-0-0x0000000001170000-0x000000000118A000-memory.dmp

memory/1740-1-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/1740-2-0x0000000004A00000-0x0000000004A40000-memory.dmp

memory/1740-3-0x0000000000250000-0x0000000000256000-memory.dmp

memory/1740-4-0x0000000000270000-0x0000000000276000-memory.dmp

memory/1740-5-0x0000000008010000-0x000000000857A000-memory.dmp

memory/1740-7-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-6-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-9-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-11-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-13-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-15-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-17-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-19-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-21-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-23-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-25-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-27-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-29-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-31-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-33-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-35-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-37-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-39-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-41-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-43-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-45-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-47-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-49-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-51-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-53-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-55-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-57-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-59-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-61-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-63-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-65-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-67-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-69-0x0000000008010000-0x0000000008574000-memory.dmp

memory/1740-938-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1740-939-0x0000000008580000-0x0000000008A82000-memory.dmp

memory/1740-940-0x00000000007E0000-0x000000000082C000-memory.dmp

memory/1740-953-0x00000000743D0000-0x0000000074ABE000-memory.dmp

memory/2640-957-0x0000000073CE0000-0x00000000743CE000-memory.dmp

memory/2640-958-0x0000000000400000-0x0000000000C0A000-memory.dmp

memory/2640-959-0x00000000027E0000-0x0000000002820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 bfb8866406a887f611b58af3cda8f246
SHA1 c7ca14280875961a729b0c4d98fcc54781d05c42
SHA256 10314807ff47014bfeb31e2c2ec55193cd534290672223ab31ea5a5e82cc5385
SHA512 70fa652963a93f69a4cf48ff4b9f3d53594ca797220245c73f0095de31620c8ef7b2b6a16ea0df788e0c54e830994ff64202cc9a7388a8c7e7f1da023a58760d

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 46ea7d3de90f2da13dd8d76aa4c6ed6c
SHA1 2c1a47205a21507fb86c3d8be44a68ab2f91a15a
SHA256 59c4ba9f7ce429d30b6cb292fb8e34fb7cd45a3650d8a6c8696709ebceb7f2da
SHA512 e0b7977153019ccc50e7fdd9274124a5cafd291f914fc4a27e6b454c3f6e4a4c6f5ecc1070fde3da067f2fc43648627b9c84cd0da231ce4362ccadd1001c6825

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 778e1e34ee77a25c58aedc48d24486ae
SHA1 cd6bbd316d083a4f59598e85556259fd2adebbb9
SHA256 cbcbdfda8eb75d10a118940ae6a0b46002329f814056f91feefcb624863657d1
SHA512 c93ee11f0874833c58f67f9bdc05f5b2afe8175bc206997a02e1ca75a3e6c7a9ad53291a102197c77341f56387e41603cdf0a5a09381d0d0c4263153858e0108

memory/2560-979-0x0000000001090000-0x0000000001222000-memory.dmp

memory/2560-980-0x0000000073CE0000-0x00000000743CE000-memory.dmp

\Users\Admin\AppData\Local\Temp\build.exe

MD5 de7430fc6f9e99788387676e6d85e550
SHA1 38d1d76936371445f76e24c3e197083af898f18c
SHA256 f16f03472223270fcde63c9358eec7ed75b0974f43d629f855f0dc28bfbdd3be
SHA512 4a2fa0e3181f0fb9b8fb0f09e751c6b7e38f049817624330e68d57b5d6b25422c38688a1f47cadfa9f02bfcee06bcee5fce52478158b597e669f1cf82819b167

\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 2a79f09a92f9358c9a0308e1d81d212f
SHA1 403f52d25db2814e67481e25636077145ab2a2e7
SHA256 8bba33bfb730fa047e7391306f3b1c25f1ad4ee72b9026459cf170546fdbeba6
SHA512 6f9be195427795588aa149080a9b6f9bb52a03c488b753158945f5bffb386d81d8c9275269218dfe3a295d74af4dbd78a8ed74feda0b11c49f2606dc6852fcc5

memory/2640-981-0x0000000073CE0000-0x00000000743CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 b2b2aee98a316af7df9af63534632f59
SHA1 6773875ab6fbd5538a72beae7968904cdb9852a6
SHA256 693c7ba6dc0b416bd9076a4acaffcd2feb9012021ca739e4706070649ed96c0d
SHA512 09a8a2063ea7410b067719aead7f762532719bbf19dc87dc8372cc8edf9da1c5609ad2e6ed1e8dcd32bc1b64d4296d691bce688788a560b730191f3be53ec2a7

memory/2864-982-0x0000000000DA0000-0x0000000000F18000-memory.dmp

memory/2864-983-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

memory/2864-984-0x000000001BF80000-0x000000001C000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

MD5 fcc259c12d3015ec2f490578f20ae36f
SHA1 6a5964bc2f5e523589c5b648e6493a8d4a769632
SHA256 c0eba00c6c2351a93922918feae6bacfde45d711c4f03e64d97bd917433f45f2
SHA512 50d645ff714033adf17cd3c5aa279d53cd086f31270efb9bfff8da80f2167123d80440d7496be16c33d50e3336e3624dbb7c89efb4cec00ae07c35186534de60

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

MD5 68f87ada1c861946dfb374f15907fe4e
SHA1 5ad786ccd2e29d92a7216433e97565b6dfadcf4a
SHA256 b98925b2c7ed1364e3d63c18e6af82fed20444eb00ed6875b7134f8b6720a49d
SHA512 77d1aabff3b923cbf1476f4f4775e301b3d61514ac3e0c987517a92587f2e31cc0d9fbce2806aa8e3404238d4eab021f439a8bdb7ceba51a4450ddb8d600b1f1

memory/1236-991-0x00000000008E0000-0x00000000008FE000-memory.dmp

memory/1236-992-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

memory/2560-993-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/2560-997-0x0000000004BF0000-0x0000000004C82000-memory.dmp

memory/2560-998-0x0000000000690000-0x00000000006B6000-memory.dmp

memory/2560-999-0x00000000005A0000-0x00000000005A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1170.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar11D1.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2560-1034-0x0000000000840000-0x000000000084A000-memory.dmp

memory/2560-1035-0x0000000000850000-0x0000000000858000-memory.dmp

memory/2560-1036-0x0000000000DB0000-0x0000000000DCE000-memory.dmp

memory/2560-1037-0x0000000073CE0000-0x00000000743CE000-memory.dmp

C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\System\Debug.txt

MD5 7a63b53a5ae6d72741dfcedb88f9d26b
SHA1 c05423356152e671818f4ae99533453d3982d54b
SHA256 2ff7745396d0088e7aabab766edc660190a7232ec825fc4ba92e7be315eaddc3
SHA512 b043221dc42d01d953d465f9515313659ac2c63916f5f9a462320e19bedcac7276c8a7777a68de28a7ad653bfa60633576854253d1dc3aaa3a835eb70bde7eea

memory/2864-1117-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

memory/2560-1118-0x0000000004C90000-0x0000000004CD0000-memory.dmp

memory/2864-1121-0x000000001BF80000-0x000000001C000000-memory.dmp

C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\System\Apps.txt

MD5 90e05e64959dcc96ed6dfb89d65334a6
SHA1 76840a3fb0a3a37a497a2232912753f9a9e5733a
SHA256 5b7c50db5b426b201287418c6032f1b300370beb66534f8cca03cf3fa5d02876
SHA512 f9b909093eea8743f08ce5428909d5a3a4c087e4faf28c5617784c81e511505de37f1bbc9069fbedb8a0e0e45ec5880f70d1de34908ae45ff35706115e79f510

memory/2560-1164-0x00000000059F0000-0x0000000005A6A000-memory.dmp

memory/1236-1165-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\Admin@OZEMQECW_en-US\System\ProductKey.txt

MD5 cad6c6bee6c11c88f5e2f69f0be6deb7
SHA1 289d74c3bebe6cca4e1d2e084482ad6d21316c84
SHA256 dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
SHA512 e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

memory/2560-1232-0x0000000005F50000-0x0000000006002000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c26cded0e72b7957d17ed1e1ac5eb20
SHA1 4ef9345e507f9107cbc779cb0e5fad6068cc7d59
SHA256 04a722f4f791477f25a5130fa9ac8ef8507248d2bb7932fb8d60148b18fcdd1a
SHA512 ab068c0b1382c243aedd282d220573cbbc254818cc32617ea7f2ad42295d40f2e95f5e99fd741567c591fd60760f2cd5edbd062adde4d8c919aced1b8cef5971

memory/2560-1308-0x0000000004C90000-0x0000000004CD0000-memory.dmp

C:\Users\Admin\AppData\Local\73d837180ec4b539d74362b358a4492c\msgid.dat

MD5 a2dae724d24a1e29870171dce039bf15
SHA1 416fdb59913b9c31d9ece9aed1595c87d9c0892a
SHA256 ac772cd81f0405910e60618df6b0013162bee48cd0582cc2901d6a283b74fefd
SHA512 fdebbe09f010dfbfd875d0c8b2c45572ce253589fa307d08f9dcf8dd642f6a49cd4c5a1687bd0fa27f61ae30c3085aafad83b7ef967e4f9d620c8226159c3f7f

memory/2560-1339-0x0000000004C90000-0x0000000004CD0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 03:55

Reported

2024-01-30 03:57

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
(34 rows, all N/A: the rule matched but the sandbox exported no indicator detail)

Stealerium

stealer stealerium

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2888 set thread context of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\build.exe

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2888 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 1824 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
PID 1824 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
PID 1824 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1824 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1824 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 2936 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
PID 2936 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
PID 4832 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 1040 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1040 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1040 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1040 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1040 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1040 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1040 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1040 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1040 wrote to memory of 4100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4832 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 4884 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4884 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4884 wrote to memory of 3256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4884 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4884 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4884 wrote to memory of 3216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

"C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

"C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4832 -ip 4832

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 2924

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 104.18.114.97:80 N/A tcp
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

memory/2888-0-0x0000000000D80000-0x0000000000D9A000-memory.dmp

memory/2888-1-0x0000000075190000-0x0000000075940000-memory.dmp

memory/2888-2-0x0000000005880000-0x0000000005890000-memory.dmp

memory/2888-3-0x0000000005710000-0x0000000005716000-memory.dmp

memory/2888-4-0x0000000005730000-0x0000000005736000-memory.dmp

memory/2888-5-0x0000000008710000-0x0000000008C7A000-memory.dmp

memory/2888-6-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-7-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-9-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-11-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-13-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-15-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-17-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-19-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-21-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-23-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-27-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-25-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-29-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-31-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-33-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-35-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-37-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-39-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-41-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-43-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-45-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-47-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-49-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-51-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-53-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-55-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-57-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-59-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-61-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-63-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-65-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-67-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-69-0x0000000008710000-0x0000000008C74000-memory.dmp

memory/2888-938-0x0000000003040000-0x0000000003041000-memory.dmp

memory/2888-940-0x00000000072D0000-0x000000000731C000-memory.dmp

memory/2888-939-0x0000000009110000-0x0000000009612000-memory.dmp

memory/2888-941-0x0000000009BC0000-0x000000000A164000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ac15ae1e49f4272e8d38b5fd5573ce35.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

memory/1824-946-0x0000000075190000-0x0000000075940000-memory.dmp

memory/1824-947-0x0000000000400000-0x0000000000C0A000-memory.dmp

memory/2888-945-0x0000000075190000-0x0000000075940000-memory.dmp

memory/1824-948-0x0000000005880000-0x0000000005912000-memory.dmp

memory/1824-949-0x0000000005A40000-0x0000000005A50000-memory.dmp

memory/1824-950-0x0000000005960000-0x000000000596A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 db1db944d15a0e73b92e0110276a32bc
SHA1 52316cb8d918733518dc684bf8a308454d753a2d
SHA256 0729cb927eb057acf0cfb1392a7d6ea3904efca670e2b15fc0358dc604b296a9
SHA512 186d31c263602015cc91ee3b78f2bdd1d285d02a8dc2bf17e9e4fe132f3b96be14a2c2acd873054539e1dd3316b8d7c82c522a9ad51b5beb56dfca4672fbf85d

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 7d94b62e7228aa24d9d615ce543414d1
SHA1 2b30facea676f15c07fa9b9b5b6ca7839d3eb75a
SHA256 9b6213486ab54b419a2bba93b40fb081c481cd0a5aba53f3517338958a4a22d9
SHA512 b3c79aad0f96ccfc661f7da670c3cb1371271ea488fe07fa22f3cd75adc5696e6fd9e75078a737962d35e578e447c2b01d69b06daad38d75bd458e0292b9b6bd

memory/2936-971-0x000001E571BA0000-0x000001E571D18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 a6635a39646b32c5504c4601765f3872
SHA1 c1e80bf3a60a0f0c059e96aba88957f1f14c9c1f
SHA256 363917fd8f2abd3877c6baac7a8572550519258e4bcd219cdd28a36837245eec
SHA512 0ef9a3fe068b1317ba2e18739aa8c9002d1be4a4fd789d27beceed9e4c9bd4c44e67e9ab91d1c67e429e4843a969434be3a318168b2a710d64c50487849e2831

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 bb851671c57c35af348ee2a2b6126953
SHA1 c4ba1ac94bc814c748af7db68a844431b90ccb3b
SHA256 5c0dabbdfabeefebf94162eb4759280feccbe166668a35bf16393f251eb28bde
SHA512 8de8eabc73305ef306b6a67f41d24baf6833caed2c73a6082f63e898ac3615dc324134dfb4ecae9df600be18ced3c63c87dfd1f0fc4be486c2c487115a3be1ef

memory/2936-981-0x00007FFF430E0000-0x00007FFF43BA1000-memory.dmp

memory/1824-984-0x0000000075190000-0x0000000075940000-memory.dmp

memory/4832-982-0x0000000075190000-0x0000000075940000-memory.dmp

memory/4832-983-0x0000000005090000-0x00000000050F6000-memory.dmp

memory/4832-980-0x00000000006A0000-0x0000000000832000-memory.dmp

memory/2936-985-0x000001E574430000-0x000001E574440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

MD5 550628b16ef8c4e27c4081950cf8fd66
SHA1 ab11427c02cb53b70816b06d5a950b5f52c935eb
SHA256 09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa
SHA512 e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

MD5 098a6c62ab4520953a52d8c84053269e
SHA1 92ba08d9b34114f1d412b33d2d1f0190fe20426d
SHA256 97a03af43afdff2cb79e15f7de780684ded4bd31f87f5cdac821844ad99dab0d
SHA512 f55c35ff15f30820cf359d5dbf626a683e7ab2062d103b48d8869f60f0cfe9bb0d4ccd2efab9a835b32c09e0f7066b1071a3408ccea0c58e83c0821b244a106d

memory/4624-999-0x00007FFF430E0000-0x00007FFF43BA1000-memory.dmp

memory/4624-998-0x000001CB5E550000-0x000001CB5E56E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

MD5 ccb34b0822f97823271f54f8f3317aef
SHA1 63208b33284d3577aa08ea5cc2acdc6e2c2eba35
SHA256 4c8a524e7fa23252edaadca238b377a438a6240a45540b664662f5e58f539c6e
SHA512 e19a228bf4d8cf61276b2f2872255269c894a9299970c44d5827feed6606821dbd863d71a00d294444a44f98800a71713bd998a5ac050622f793771a859efd9f

memory/4832-1000-0x0000000005000000-0x0000000005010000-memory.dmp

memory/4624-1001-0x00007FFF430E0000-0x00007FFF43BA1000-memory.dmp

memory/2936-1002-0x000001E5765E0000-0x000001E576630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Data\Passwords.txt

MD5 36f6acc2229073f5bb4074cee73d1d5b
SHA1 b2adbb44350d984dff40c15fcbbeb3379c7ec0e5
SHA256 8a947e0921f9cfada15c19a72f0ff31b38ad4602106c6ee95685d61c223c9a35
SHA512 da8b627bd674ceb0da7e30ba543ab82ab694d3f6e0474b48ca343ee74e20147440d2205b6ce66f5caa2a39061dedd2ca4146e263fac9f146a228c5b5cba4aaad

C:\Users\Admin\AppData\Local\Temp\Data\Histories.txt

MD5 412ec159e4b14be1ca93db473e80acc2
SHA1 8909b6f7fc8715a749270b6ceb8f05f823f59fd3
SHA256 eaff9c24df526e9c884832130bf6de9182fd96f3dcdba33e8e5e7a4ed37f1bbe
SHA512 a90524333fd34d44f5784a90ada19904ea7379de26cae08ffdfd2ee25b3fd5b36c2cbcf7a7e6fc4ff734680ca1ff177ed42df1d4f5583d6a1a89d622c183f0b4

C:\Users\Admin\AppData\Local\Temp\Data\Autofills.txt

MD5 6be6fdca0cfa94635b8689b2b0bf2bee
SHA1 379c61029b5443c3d3df7c770423e40618b36d15
SHA256 5bc3a7ced261f235f4a30797ad96f803c9e022a95ad6bc7fedc06d0fd2a0abeb
SHA512 7955fb48977c971563b10420e379ebea01e42582a8dfe2719ec756dda7e757168031a58a3c9fef061c0abb6c799579f7c8b46de4fc5b4ab3519d735092848cd8

memory/2936-1046-0x00007FFF430E0000-0x00007FFF43BA1000-memory.dmp

memory/4832-1049-0x00000000057D0000-0x00000000057D8000-memory.dmp

memory/4832-1048-0x00000000057A0000-0x00000000057C6000-memory.dmp

memory/4832-1047-0x0000000005710000-0x00000000057A2000-memory.dmp

memory/4832-1051-0x0000000006600000-0x0000000006608000-memory.dmp

memory/4832-1052-0x0000000006620000-0x000000000663E000-memory.dmp

memory/4832-1050-0x00000000065F0000-0x00000000065FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

MD5 7e44134c2971c088e32a25bb7a4cfc27
SHA1 0ae6c37a546699d871e60449e9225a79ec71ac53
SHA256 8440b832e76e67a1efa1e9cb714f4f9a44e8085ab91de1e42b584ab54d0ac775
SHA512 902b8fc80eb3aacd3c05cab653a26e55d04559b631b718412569d02981d3fa434d78d152b826bd70763e560f22f800c9d67deed2edb0f219b47333bb0db0de8a

C:\Users\Admin\AppData\Local\a656771e61d467c3c5fb7c927bb190f1\Admin@FMAEQIOU_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/4832-1119-0x0000000075190000-0x0000000075940000-memory.dmp