Analysis Overview
SHA256
c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149
Threat Level: Known bad
The file ac15ae1e49f4272e8d38b5fd5573ce35 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Stealerium
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Modifies system certificate store
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-30 03:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 03:58
Reported
2024-01-30 04:01
Platform
win7-20231215-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealerium
ZGRat
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CamSnap.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1260 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe | C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"
C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
"C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2796 -s 712
C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
"C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.130.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.38.43.18:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | store23.gofile.io | udp |
| US | 172.111.38.92:443 | store23.gofile.io | tcp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 162.159.130.233:443 | discordapp.com | tcp |
Files
memory/1260-0-0x0000000001300000-0x000000000131A000-memory.dmp
memory/1260-1-0x0000000074960000-0x000000007504E000-memory.dmp
memory/1260-2-0x0000000004B50000-0x0000000004B90000-memory.dmp
memory/1260-3-0x0000000000250000-0x0000000000256000-memory.dmp
memory/1260-4-0x0000000000270000-0x0000000000276000-memory.dmp
memory/1260-5-0x0000000007CC0000-0x000000000822A000-memory.dmp
memory/1260-6-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-7-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-9-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-11-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-13-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-15-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-17-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-19-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-21-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-23-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-25-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-27-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-29-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-31-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-35-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-33-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-37-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-39-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-43-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-45-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-41-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-49-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-51-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-53-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-47-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-55-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-57-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-61-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-63-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-65-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-67-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-69-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-59-0x0000000007CC0000-0x0000000008224000-memory.dmp
memory/1260-938-0x0000000000460000-0x0000000000461000-memory.dmp
memory/1260-940-0x0000000000590000-0x00000000005DC000-memory.dmp
memory/1260-939-0x00000000084C0000-0x00000000089C2000-memory.dmp
memory/1260-954-0x0000000074960000-0x000000007504E000-memory.dmp
memory/2704-958-0x0000000074270000-0x000000007495E000-memory.dmp
memory/2704-957-0x0000000000400000-0x0000000000C0A000-memory.dmp
memory/2704-959-0x0000000005510000-0x0000000005550000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
| MD5 | 3987fc707ff5370a67d6480c00b1769f |
| SHA1 | 3d20c1558d8291ff65d91b201b259ee0a3dcbe5d |
| SHA256 | 25101656f4e7f74c0f9a32fb8f7c6cd9f23523e40dc9166b86f4a8f2b8236644 |
| SHA512 | 72a52ac37d454053bbd4bf7d989482601524a0544a961bc88569ad62dbf1de9b24cd54fb59b1cf3d3d8f5cca9d1a0c7944399b0a80b6433872a08e8b25d20624 |
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | 25b2e18f1b3139316ae257ae9e14db25 |
| SHA1 | 395f087ebe9eebae191020a2a94de10361f4d980 |
| SHA256 | d4c9179981b81f25f4a9ce969f08d21949e9b384e3ef83425b76d240e1c6d168 |
| SHA512 | a0f60becc10e375d670c3ea1151113deea7430b39a72805b7df0ab2af6194d4786c1af858151dc814af481d3963038ad6a412218479105d943393dbafcb90b74 |
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | 468acfd8e7a6bd0d7ee5b7c7e9fc2326 |
| SHA1 | 9b1dbcccf56babb3361b91e05ade3cd4fb59e06f |
| SHA256 | 81d8442e67dabd490b108f55ea9500ef2174e3d765d6e471b205b8fd9fc68762 |
| SHA512 | c2bdb698a39b9b32d1e8f90ba293623624b279ce76c90351c74fab4ae31072daa1f2f1abe443e55f0ac71862b07171d45728bc6019afb64929d0333d214ea8d6 |
memory/2704-981-0x0000000074270000-0x000000007495E000-memory.dmp
memory/896-980-0x0000000074270000-0x000000007495E000-memory.dmp
memory/896-979-0x0000000000140000-0x00000000002D2000-memory.dmp
memory/2376-982-0x0000000000970000-0x0000000000AE8000-memory.dmp
\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | 51b0bca51ca74d831ee1714d72f4f82a |
| SHA1 | c45951f29491c64ad3847b9fc23741806c7db66d |
| SHA256 | 3a1cb2eb8e1f6195a3c17220efef67dd84c746ea5617c103eae6d21f188f9d44 |
| SHA512 | cfa62537b800a95ce79c04ffd7be8ab3997688527b9e3ffa5f80171d0c91b97ddc463181f8749ea40f3a4b3e0ad1b288b1808f5f46c219b93ae0c49056c66c47 |
C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
| MD5 | c4a2268064694b49bd6488c02cf529c6 |
| SHA1 | 862e09bc1b0014a2b6dea6b6ab5bdafe28291307 |
| SHA256 | 7c6ccf9ad96d0996df00fdc954aef16c076e362525f28734d5c927afd76d32a9 |
| SHA512 | 2824eb99cff9ccfa89ca84518e5dbba01049cd174062a798f2996f0a4f9ee40bc022a902bff06d471ceff56d01ee7f48bd3d58dc15fb802eefff855766f0a906 |
\Users\Admin\AppData\Local\Temp\@dr@[email protected]
| MD5 | 56444d83014c9ab8d4c1fd75a090573e |
| SHA1 | ab88bc95077fcc8ba01c45a5b1255d1e13b247d2 |
| SHA256 | b3b724b62af1d56eba721cc92a86f0698810f069f8b1dc3637209256bf8164ad |
| SHA512 | 1c7a956f29627366a876d2c3714f48eecd2bcf7a1f29ec93513089ed392721346603e73162867f6b69167df7f4176161a9366004fff1c5544bba12019436a271 |
memory/2376-983-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
memory/2376-984-0x000000001C050000-0x000000001C0D0000-memory.dmp
memory/2796-991-0x0000000000CF0000-0x0000000000D0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
| MD5 | 550628b16ef8c4e27c4081950cf8fd66 |
| SHA1 | ab11427c02cb53b70816b06d5a950b5f52c935eb |
| SHA256 | 09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa |
| SHA512 | e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01 |
memory/2796-992-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
memory/896-993-0x0000000004570000-0x00000000045B0000-memory.dmp
memory/896-998-0x00000000006B0000-0x00000000006D6000-memory.dmp
memory/896-999-0x00000000005A0000-0x00000000005A8000-memory.dmp
memory/896-997-0x0000000004290000-0x0000000004322000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabA01.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\TarA33.tmp
| MD5 | b4fcb5edddc0f75933bddac35e0db0ab |
| SHA1 | 22e1f640798959f312dee7fe7c36e8b4021d256a |
| SHA256 | 0bb006acb80281859bc82b95907a741307d2b6573ad9b436e39ab822ab640bce |
| SHA512 | 6fef2b7e85651d49242b6e4dbc57743f3ef5741b05133e3a0d8085527143ae5d073fa239cb542204c12b476dce22ee12098dde391f372e416fac843177857189 |
memory/896-1035-0x0000000002130000-0x0000000002138000-memory.dmp
memory/896-1036-0x00000000043B0000-0x00000000043CE000-memory.dmp
memory/896-1034-0x0000000002120000-0x000000000212A000-memory.dmp
C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/896-1115-0x0000000074270000-0x000000007495E000-memory.dmp
memory/896-1116-0x0000000004570000-0x00000000045B0000-memory.dmp
memory/2376-1119-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\Apps.txt
| MD5 | 93df10792e8a5a5afdba1e3cdf7238ae |
| SHA1 | f191d257e69bf44686383ae25a079062c622cd4f |
| SHA256 | 3563af086891aa59852c419854e818366dbc0e2c5cdedb3b1d0db1e90a6442e3 |
| SHA512 | 377d57cac7414c3cc8239599a9890eaba46bfed1bf8028afe42f5043243c43ee4dc123bc669255a04df5ae249fce906baf0e4043469865e6cf8f3a46814e3a9d |
memory/896-1162-0x0000000006600000-0x000000000667A000-memory.dmp
memory/2376-1163-0x000000001C050000-0x000000001C0D0000-memory.dmp
memory/2796-1164-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp
C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\Debug.txt
| MD5 | a2efde5513517a0ff1b435cadd9ad5b8 |
| SHA1 | b91abb63ad8bc8ee7d71d93d73f1ee64d775a409 |
| SHA256 | 3945e21d9a7fa10ba68d16f7c032bac739437462a45538fb7d376500e04e0418 |
| SHA512 | 551b7c85d7ff9fbcbf1e5fba2c098f6446f9d834f903580f52254bfb1694277d77bb310e30ef5fa5e12334b2696585686b14a949644dddeddc6cee3707377d6f |
C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\ProductKey.txt
| MD5 | cad6c6bee6c11c88f5e2f69f0be6deb7 |
| SHA1 | 289d74c3bebe6cca4e1d2e084482ad6d21316c84 |
| SHA256 | dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0 |
| SHA512 | e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097 |
memory/896-1231-0x0000000005A10000-0x0000000005AC2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6ee8691f69adf3daed94e102a45e79dc |
| SHA1 | 8c82055615fe3fb35e985d8c81b3fc2ee9253342 |
| SHA256 | d2cb498f1f8e7f89d5e6448e4182bf97ba2458aa9a4bde76fa46e623ef7772ed |
| SHA512 | 20920364291fa3914ac95a7ad9573ab0ebe5b68453d5f0c8ce576ea00dffccb8e5647742515730dce5e02d8e7586c4fb3ce94611201761d055ca7c162ec546e9 |
memory/896-1315-0x0000000004570000-0x00000000045B0000-memory.dmp
C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\msgid.dat
| MD5 | a4350f1904865bc46f3d72a225592712 |
| SHA1 | 5677e63c7d182ae35bada0c77c91e7515828da43 |
| SHA256 | 516fd2e78c32dd8269d8816f2d0be0f4e26565eb931a0b6fe08de603ee2a7747 |
| SHA512 | 68eda9663995b10267a47a94aac4ee93bcb1b2358bc819ec5a2fbedced01bffda07a18e6af9192222490339c0f6f76e9fea1dd27a7b8c67673e1aab52c010e5a |
memory/896-1328-0x0000000004570000-0x00000000045B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-30 03:58
Reported
2024-01-30 04:01
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealerium
ZGRat
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe | C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CamSnap.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | icanhazip.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2124 set thread context of 4112 | N/A | C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe | C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"
C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
"C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
"C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | magic.poisontoolz.com | udp |
| US | 104.21.10.90:443 | magic.poisontoolz.com | tcp |
| US | 8.8.8.8:53 | 90.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| US | 152.199.19.74:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.38.43.18:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store8.gofile.io | udp |
| US | 206.168.191.31:443 | store8.gofile.io | tcp |
| US | 8.8.8.8:53 | 18.43.38.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.191.168.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/2124-0-0x00000000004F0000-0x000000000050A000-memory.dmp
memory/2124-1-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/2124-2-0x0000000001000000-0x0000000001010000-memory.dmp
memory/2124-3-0x0000000002980000-0x0000000002986000-memory.dmp
memory/2124-4-0x0000000004EB0000-0x0000000004EB6000-memory.dmp
memory/2124-5-0x0000000007E80000-0x00000000083EA000-memory.dmp
memory/2124-6-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-7-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-9-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-11-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-13-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-15-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-17-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-19-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-21-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-23-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-25-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-27-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-29-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-31-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-33-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-35-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-37-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-39-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-41-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-43-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-45-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-47-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-49-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-51-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-53-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-55-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-57-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-59-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-61-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-63-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-65-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-67-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-69-0x0000000007E80000-0x00000000083E4000-memory.dmp
memory/2124-938-0x00000000028C0000-0x00000000028C1000-memory.dmp
memory/2124-940-0x0000000006B80000-0x0000000006BCC000-memory.dmp
memory/2124-939-0x0000000008880000-0x0000000008D82000-memory.dmp
memory/2124-941-0x0000000009330000-0x00000000098D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ac15ae1e49f4272e8d38b5fd5573ce35.exe.log
| MD5 | c3941d9fa38f1717d5cecd7a2ca71667 |
| SHA1 | 33b5362675383b58b4166ed9f9a61e5aa6768d2e |
| SHA256 | f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256 |
| SHA512 | 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45 |
memory/2124-945-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/4112-946-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/4112-947-0x0000000000400000-0x0000000000C0A000-memory.dmp
memory/4112-948-0x0000000005600000-0x0000000005692000-memory.dmp
memory/4112-949-0x00000000055E0000-0x00000000055F0000-memory.dmp
memory/4112-950-0x00000000057B0000-0x00000000057BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
| MD5 | 835746629f9f6238a66f6507d224c22c |
| SHA1 | ee363c7eea9474ddee4d5e8324172a058f4915ce |
| SHA256 | 073ba4f196478d20e734dc7faf7ff05ff3084dca07cde208bc8cdaee37be8b79 |
| SHA512 | 49ce4d4eb71e7fb14c2ceec797cf31b6d1e49d664b47e8908e6f5a96c4d856459db2a958d7342b7f9546552400e8a3281af9b5fc1d8f6c8825c1a9f456fbccd8 |
C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
| MD5 | 50aa33d254e099b513f28351c145146c |
| SHA1 | c29cf960262284f05bbdfcd51250176b0add3a69 |
| SHA256 | 99b568e6c3a7a3e3d4b3e5a4c25cbb30017c3098fb1b74a73f797411cb5bd926 |
| SHA512 | ae211e456b9ebe1677b9f68f3274319e972ea8387713024732adaa483feb00ac0ef2abd6ac8087da2e9862f1c48933d19dee9dbfea977205ebef0282b8cdeeae |
C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
| MD5 | 35547de351aa8742b7ed30cc384b56a6 |
| SHA1 | 3e2279ec8ecb44d22ea6a382a2919710c38aefa7 |
| SHA256 | 16526b52c0cbe5d1d332730de3180069270444c2a7944ba1a54d8652434cb7f8 |
| SHA512 | d383d134ce0ad323d45f03d8454cf48c4d1d641152cf6922f30b6f63c106e709e495d19953b618706d3dc38296bad1c5d51fd5c1dd6ccfc454304d8c9bde669a |
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | 62df32b363188a54c8ebe9c0309cdbdd |
| SHA1 | e0ca65cea1d87b2e833ada6c66ea80419cd073e4 |
| SHA256 | 41a261d6fc3ed8d39cded15cfceb4e6cdcf418cf41fda6607676b92f25fecd8d |
| SHA512 | 22a5189380017270f3e824b7bdadf6c3779b8b2bf73471634b5f0f91dbbad3c05305db0fefedb79802625ac79f088a874fef46f396cc2093e58b9b878e5371a7 |
memory/3324-977-0x000002C0B5250000-0x000002C0B53C8000-memory.dmp
memory/3324-981-0x00007FFC9E5D0000-0x00007FFC9F091000-memory.dmp
memory/1080-980-0x0000000000640000-0x00000000007D2000-memory.dmp
memory/1080-983-0x0000000005040000-0x00000000050A6000-memory.dmp
memory/1080-982-0x00000000747D0000-0x0000000074F80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | a456bcb56e906e99266926e2ef766dd8 |
| SHA1 | a3a02328b2d17820802f421710b7f2ab90ee92d1 |
| SHA256 | 5645ca43a80c0573c68cc617cfea74f515c59aadcaf52ca9aee07000258583f0 |
| SHA512 | 1642c3199fa43e7238898f78c5b3482d727dc11502c380a20f961f2eaecec3a7eefaa6fc9af82c988be060a4b8f460a2e28b81da0a7a59028fb2ebf8fa987123 |
C:\Users\Admin\AppData\Local\Temp\build.exe
| MD5 | 0a0264a55fe9d32837d1e0bab813c7b6 |
| SHA1 | 6ab6aad1da38a0257cb75ea6126fe4963431a51d |
| SHA256 | d6ba5a179fc788ffb5fb39e1baa195baf79d4dfa2216d62b21638c79dbd186ad |
| SHA512 | e963ad3d0382f582c9b178062f4712e5f01809cbfd4698c3895e7c72b422b3ace247094d53a21aba1a7ee205da23b0519179f44e6a40017c3cee221f3dd3b487 |
memory/4112-984-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/3324-985-0x000002C0CFBC0000-0x000002C0CFBD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
| MD5 | 550628b16ef8c4e27c4081950cf8fd66 |
| SHA1 | ab11427c02cb53b70816b06d5a950b5f52c935eb |
| SHA256 | 09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa |
| SHA512 | e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01 |
memory/4172-998-0x00000132EFFC0000-0x00000132EFFDE000-memory.dmp
memory/4172-999-0x00007FFC9E5D0000-0x00007FFC9F091000-memory.dmp
memory/1080-1000-0x00000000050F0000-0x0000000005100000-memory.dmp
memory/4172-1001-0x00007FFC9E5D0000-0x00007FFC9F091000-memory.dmp
memory/3324-1002-0x000002C0D1C50000-0x000002C0D1CA0000-memory.dmp
memory/3324-1046-0x00007FFC9E5D0000-0x00007FFC9F091000-memory.dmp
memory/1080-1049-0x0000000005970000-0x0000000005978000-memory.dmp
memory/1080-1048-0x0000000005940000-0x0000000005966000-memory.dmp
memory/1080-1047-0x00000000058B0000-0x0000000005942000-memory.dmp
memory/1080-1051-0x00000000067A0000-0x00000000067A8000-memory.dmp
memory/1080-1050-0x0000000006790000-0x000000000679A000-memory.dmp
memory/1080-1052-0x00000000067C0000-0x00000000067DE000-memory.dmp
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Process.txt
| MD5 | 5aef8be9f6de9a0dec3bf77029fe7eb1 |
| SHA1 | d56cee7e3115ee5560deac679def32409969ec27 |
| SHA256 | 5d8d6369f0361650f874a9f6bd56bcf831c0643490f2e31a2028989ebb876e1e |
| SHA512 | fcb6f8277b9421dae5891f07cb5365d52677d2bc2056110ae1b315f92516c5e903acedffb6bfcbe4b7adcbf18b55349affe7133a180254acead4ec2d41714eba |
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Apps.txt
| MD5 | 763a12574ed1e1d9b09c6c442d989861 |
| SHA1 | e9eb814c5c2f7624cafffcea0f58257cec5ac055 |
| SHA256 | def4af4d5c0731ec94e1d91037d25a801c2ed5c3b4f5ee45fdc132ca4aca7fa2 |
| SHA512 | ac70d263be7dfa6cbb1a2c1cbc1f081c510ec8df207fb6564860038bb801a6bb2e6f93870ae41fe79b75e2367c21d20d6e8ddea01a9b498704d0892ea102e621 |
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Apps.txt
| MD5 | 0af56b2246b9927a3910062121d1b3d8 |
| SHA1 | e4dd70a199a838f178fe434583a6de5ef0aaad38 |
| SHA256 | 1e7de68a00062bb4b2d3626f48d7d40d87b11077e7ac45dd5b41a01cbc520129 |
| SHA512 | eaa77dec4ce04b63aa76fec44b932ab5d646542e2988566af121256201a2be1423144494fcc42eec36353573c75371f99d5d16243c56cf3db8191a81dfabf3c6 |
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Apps.txt
| MD5 | 109200e0ebbbb8555161615ac6f7b282 |
| SHA1 | 4a128739efbf0eaed157f68eda5d505690dc643b |
| SHA256 | 464943501c3413d695b38a23e9c9469dcbfd5f6c6b707e5f24ff4cbd804e7e0b |
| SHA512 | dd70f3a0be9746169a0c8b2b6a9769bdadd9cb2d4f6fc63daf4fddc289bd872874dc3f969d1b69cb1d33b22c74afbea622ec59041ef8cc767f329b990eefacae |
memory/1080-1234-0x00000000747D0000-0x0000000074F80000-memory.dmp
memory/1080-1237-0x00000000050F0000-0x0000000005100000-memory.dmp
memory/1080-1240-0x00000000068B0000-0x000000000692A000-memory.dmp
memory/1080-1244-0x00000000050F0000-0x0000000005100000-memory.dmp
memory/1080-1313-0x0000000006BA0000-0x0000000006C52000-memory.dmp
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\ProductKey.txt
| MD5 | 71eb5479298c7afc6d126fa04d2a9bde |
| SHA1 | a9b3d5505cf9f84bb6c2be2acece53cb40075113 |
| SHA256 | f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3 |
| SHA512 | 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd |
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Debug.txt
| MD5 | 601a1e30864778b9226a55dc3bc58d12 |
| SHA1 | 2b83fd559adfa7a30dc50419d0b5abea7d3fddb3 |
| SHA256 | be164dd16b0e17fd0a4bbdc2e05c759ee332893542ccf6e2688fab52263bc131 |
| SHA512 | 49604504ae3b70ad0c6efc6d20bc67ea3483ee4148ba695ee7c91a0f0c2e180a0965e3d8d36eb01c2811ac356a699ad284ad96fa1008ae97a9993f712b130830 |
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\Directories\Videos.txt
| MD5 | 1fddbf1169b6c75898b86e7e24bc7c1f |
| SHA1 | d2091060cb5191ff70eb99c0088c182e80c20f8c |
| SHA256 | a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733 |
| SHA512 | 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d |
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\Directories\OneDrive.txt
| MD5 | 966247eb3ee749e21597d73c4176bd52 |
| SHA1 | 1e9e63c2872cef8f015d4b888eb9f81b00a35c79 |
| SHA256 | 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e |
| SHA512 | bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa |
memory/1080-1315-0x0000000006AB0000-0x0000000006AD2000-memory.dmp
memory/1080-1316-0x0000000007FD0000-0x0000000008324000-memory.dmp
C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\msgid.dat
| MD5 | 14234619d78d1d13122dc25a30dc94ab |
| SHA1 | 553bb39f46c45a06afdaf610dda0805c4cf26f3f |
| SHA256 | 7ca83b1254b854d41741e7c923fa389dc7dda149f070603b653b9fb5e7787aa1 |
| SHA512 | f0d35d71c4b74fa4787f742fb072135030d9aa24e40e38bbd73108c1a54c8b7f06e607af404633e34522b466d11ef04889cfca094592ade3be26a6fee65925e4 |
memory/1080-1328-0x00000000050F0000-0x0000000005100000-memory.dmp