Malware Analysis Report

2024-10-19 06:53

Sample ID 240130-egsgnahcep
Target 31118351b8b0db68e9c1bc3ad1da8e7c.exe
SHA256 1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2
Tags
stealerium zgrat collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2

Threat Level: Known bad

The file 31118351b8b0db68e9c1bc3ad1da8e7c.exe was found to be: Known bad.

Malicious Activity Summary

stealerium zgrat collection rat spyware stealer

Detect ZGRat V1

Stealerium

ZGRat

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Checks processor information in registry

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 03:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 03:55

Reported

2024-01-30 03:57

Platform

win7-20231215-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealerium

stealer stealerium

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2468 set thread context of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 1392 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1968 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1968 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1968 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1968 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1968 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1968 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1968 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1968 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1968 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1968 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1968 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1392 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 2788 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2788 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2788 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2788 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2788 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2788 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2788 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2788 wrote to memory of 2640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1392 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\WerFault.exe
PID 1392 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\WerFault.exe
PID 1392 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\WerFault.exe
PID 1392 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\WerFault.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

"C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe"

C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 2688

Network

Country Destination Domain Proto
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 104.18.114.97:80 icanhazip.com tcp

Files

memory/2468-0-0x0000000000820000-0x0000000000A9E000-memory.dmp

memory/2468-1-0x0000000074120000-0x000000007480E000-memory.dmp

memory/2468-2-0x0000000004AF0000-0x0000000004B30000-memory.dmp

memory/2468-3-0x0000000004E10000-0x000000000501A000-memory.dmp

memory/2468-4-0x0000000006370000-0x000000000657A000-memory.dmp

memory/2468-5-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-8-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-6-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-10-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-14-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-12-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-16-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-20-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-24-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-22-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-18-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-26-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-28-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-30-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-32-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-34-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-38-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-36-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-40-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-42-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-44-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-46-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-48-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-52-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-54-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-50-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-56-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-58-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-60-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-62-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-64-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-66-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-68-0x0000000006370000-0x0000000006574000-memory.dmp

memory/2468-937-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/2468-938-0x0000000006740000-0x00000000068E2000-memory.dmp

memory/2468-939-0x0000000002030000-0x000000000207C000-memory.dmp

memory/2468-952-0x0000000074120000-0x000000007480E000-memory.dmp

memory/1392-957-0x0000000000400000-0x0000000000592000-memory.dmp

memory/1392-956-0x0000000074120000-0x000000007480E000-memory.dmp

memory/1392-958-0x0000000004F30000-0x0000000004F70000-memory.dmp

memory/1392-962-0x0000000000E20000-0x0000000000EB2000-memory.dmp

memory/1392-963-0x0000000000640000-0x0000000000666000-memory.dmp

memory/1392-964-0x0000000000670000-0x0000000000678000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA852.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarA894.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/1392-999-0x0000000000B60000-0x0000000000B6A000-memory.dmp

memory/1392-1000-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

memory/1392-1001-0x0000000000D30000-0x0000000000D4E000-memory.dmp

memory/1392-1075-0x0000000004F30000-0x0000000004F70000-memory.dmp

C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\System\Apps.txt

MD5 b9f3ff2f21802bff33fcb17dae5d17de
SHA1 e33e900c78f8f87dbdbe7b362eee95014d677511
SHA256 a1910d820725246f1709cf322390e65117be0a1f8e892675fd270b596ffc4ad9
SHA512 800ebcc00b38415a73b03000361914d63ecaac15ac242421a4f46877cfa85672add8aec0a9ee1466e191887718bc40b2e2519490e88a46ed76dee548bd936bdd

C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\System\Apps.txt

MD5 90e05e64959dcc96ed6dfb89d65334a6
SHA1 76840a3fb0a3a37a497a2232912753f9a9e5733a
SHA256 5b7c50db5b426b201287418c6032f1b300370beb66534f8cca03cf3fa5d02876
SHA512 f9b909093eea8743f08ce5428909d5a3a4c087e4faf28c5617784c81e511505de37f1bbc9069fbedb8a0e0e45ec5880f70d1de34908ae45ff35706115e79f510

memory/1392-1120-0x0000000005C00000-0x0000000005C7A000-memory.dmp

C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\System\ProductKey.txt

MD5 cad6c6bee6c11c88f5e2f69f0be6deb7
SHA1 289d74c3bebe6cca4e1d2e084482ad6d21316c84
SHA256 dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
SHA512 e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\System\Debug.txt

MD5 81371eb8887a2b6d3e1f7ce85896f0f0
SHA1 0ee463973c122061e4fc3798332a98a095486909
SHA256 d3d84c807876492074fe9017506614832d16c9d03f0f349284be8f798189974a
SHA512 dbf8b9ddc859c43ba8357208429cc7a6ead110382bea359dbddd5f4bf80055adf525ede9d34c02d8fcf659bba473c09aa844f0e38c056a31cc5032acf962fabf

C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

memory/1392-1176-0x0000000074120000-0x000000007480E000-memory.dmp

memory/1392-1177-0x0000000004F30000-0x0000000004F70000-memory.dmp

memory/1392-1178-0x0000000004F30000-0x0000000004F70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 03:55

Reported

2024-01-30 03:57

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealerium

stealer stealerium

ZGRat

rat zgrat

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 2900 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 1692 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 1692 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 1692 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 1692 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 1692 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 1692 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 1692 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2900 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5060 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5060 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5060 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5060 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5060 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5060 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5060 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5060 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2900 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2888 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2888 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2888 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2888 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2888 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

"C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe"

C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.178.66.33:443 api.gofile.io tcp
US 8.8.8.8:53 store8.gofile.io udp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 206.168.191.31:443 store8.gofile.io tcp
US 8.8.8.8:53 31.191.168.206.in-addr.arpa udp
US 104.18.114.97:80 icanhazip.com tcp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1692-1-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/1692-0-0x0000000000800000-0x0000000000A7E000-memory.dmp

memory/1692-2-0x00000000053A0000-0x00000000053B0000-memory.dmp

memory/1692-3-0x0000000005420000-0x000000000562A000-memory.dmp

memory/1692-4-0x0000000006860000-0x0000000006A6A000-memory.dmp

memory/1692-6-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-10-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-8-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-5-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-12-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-14-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-16-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-18-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-20-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-22-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-24-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-26-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-28-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-30-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-32-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-34-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-36-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-40-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-42-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-44-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-48-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-52-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-54-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-50-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-60-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-58-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-56-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-46-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-38-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-62-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-64-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-68-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-66-0x0000000006860000-0x0000000006A64000-memory.dmp

memory/1692-937-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

memory/1692-939-0x0000000005770000-0x00000000057BC000-memory.dmp

memory/1692-938-0x0000000005890000-0x0000000005A32000-memory.dmp

memory/1692-940-0x0000000007A70000-0x0000000008014000-memory.dmp

memory/2900-947-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/2900-946-0x0000000005640000-0x00000000056A6000-memory.dmp

memory/2900-944-0x0000000000400000-0x0000000000592000-memory.dmp

memory/1692-945-0x0000000075330000-0x0000000075AE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\31118351b8b0db68e9c1bc3ad1da8e7c.exe.log

MD5 4a911455784f74e368a4c2c7876d76f4
SHA1 a1700a0849ffb4f26671eb76da2489946b821c34
SHA256 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

memory/2900-948-0x0000000005730000-0x0000000005740000-memory.dmp

memory/2900-954-0x0000000005C90000-0x0000000005C98000-memory.dmp

memory/2900-953-0x0000000005C60000-0x0000000005C86000-memory.dmp

memory/2900-952-0x0000000005BD0000-0x0000000005C62000-memory.dmp

memory/2900-957-0x0000000006D40000-0x0000000006D5E000-memory.dmp

memory/2900-956-0x0000000006D20000-0x0000000006D28000-memory.dmp

memory/2900-955-0x0000000006D10000-0x0000000006D1A000-memory.dmp

C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2900-1006-0x0000000007670000-0x0000000007702000-memory.dmp

C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\System\Process.txt

MD5 3c041b2c43ea3fa8828531752d9d49c8
SHA1 c5b043a18d7d6241a3723f695dcee9c3592e61b7
SHA256 a2b076c8d6a90494575fd72634950a8a935508da60c94af948ca122f6c3ce423
SHA512 0ae3d3bbd3d1f6c1f27d9c71aadcbcb81566911c7ca693b642ef7f0dfbdf056831a3c49edd7421011a617a42786114bdd86e562851cc5d7de4198255e1cfe25e

memory/2900-1146-0x0000000005730000-0x0000000005740000-memory.dmp

memory/2900-1149-0x0000000006E30000-0x0000000006EAA000-memory.dmp

C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\System\Apps.txt

MD5 fc1ec0cabb320b59693fa9a94fbbb93b
SHA1 9ce87f376d9c0d241a100651135143e57bd023e1
SHA256 b2a09980fccbdaa79f42dde31228d126f41fe2b0b32545e0fafae0ba1c5ba06d
SHA512 b6de2cc74128e8c524babbc4e27972d0a567016173fb88fa3da4ebbf1e11555e76c1d5a2e1cccaed9024e5b88ce05cb22b33a21f13f53dfd6bee525c2e51f14d

C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\System\Debug.txt

MD5 5d9d558d32e85594270bd75e186cad1d
SHA1 c973d2d8acdfefddc3923307da263956cc17704a
SHA256 a9b91eb4ce0b80379e6f24850efd92f81288c7b0ed48ea6141288f50586dfaa5
SHA512 97d14a1f08f3994201d90f1218ac8ca3703857b6c39eca70e56bd9a8a0373318a85fd356842042b06fc75ca707e6dc417910843be02e22c470501b787ea61af3

C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\Admin@AVCIKYMG_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/2900-1222-0x00000000071B0000-0x0000000007262000-memory.dmp

memory/2900-1224-0x0000000005730000-0x0000000005740000-memory.dmp

memory/2900-1225-0x0000000006F00000-0x0000000006F22000-memory.dmp

memory/2900-1226-0x0000000008590000-0x00000000088E4000-memory.dmp

C:\Users\Admin\AppData\Local\bac4ad4dbbfab9c06d79ac59f382bdb0\msgid.dat

MD5 8ff206bf155528e619cfd07ebac2d138
SHA1 1f06982c13bb37fdf4f9dd2e61af74f7ad6a0ed8
SHA256 f19ccfd5d45bd3857e407cddc6304078dc45d8ca36f1467b701cdd934e93d107
SHA512 ffef90c962f2ff8bafda1256fc386f0bc6f98b1b10f07001feaad34a4f29df52b8bc28fad6cec80b7296d5cf4fdd3b908e93ac88a4532afb96f0b1b2bc7eee68

memory/2900-1238-0x0000000007370000-0x000000000737A000-memory.dmp

memory/2900-1239-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/2900-1240-0x0000000005730000-0x0000000005740000-memory.dmp

memory/2900-1241-0x0000000005730000-0x0000000005740000-memory.dmp

memory/2900-1242-0x0000000005730000-0x0000000005740000-memory.dmp