Malware Analysis Report

2024-10-23 19:19

Sample ID 240130-ejqqvahcgl
Target ac15ae1e49f4272e8d38b5fd5573ce35
SHA256 c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149
Tags
stealerium zgrat collection rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149

Threat Level: Known bad

The file ac15ae1e49f4272e8d38b5fd5573ce35 was found to be: Known bad.

Malicious Activity Summary

stealerium zgrat collection rat spyware stealer

Detect ZGRat V1

ZGRat

Stealerium

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Modifies system certificate store

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 03:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 03:58

Reported

2024-01-30 04:01

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"

Signatures

Detect ZGRat V1

34 hits recorded; the report gives no description, indicator, process or target for any of them.

Stealerium

stealer stealerium

ZGRat

rat zgrat

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1260 set thread context of 2704 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Modifies system certificate store

evasion spyware trojan

Note: the three thumbprints below are well-known public roots, not attacker-supplied certificates. The blob written for DAC9024F54D8F6DF94935FB1732638CA6AD77C13 carries the friendly name "DST Root CA X3" (readable as UTF-16 in the hex dump), D4DE20D05E66FC53FE1A50882C78DB2852CAE474 is Baltimore CyberTrust Root and CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1, the roots behind the Cloudflare-fronted and Let's Encrypt-issued hosts in the Network section. Together with the apps.identrust.com lookup and the CryptnetUrlCache file further down, this is consistent with CryptoAPI fetching trusted roots on demand during build.exe's first HTTPS connections, not with a rogue root being planted. The check a practitioner should still make is that the SHA-1 of the DER certificate inside each blob equals the thumbprint in the key name.

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob bytes elided in this copy of the report] C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob bytes elided in this copy of the report] C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob bytes elided in this copy of the report] C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob bytes elided in this copy of the report] C:\Users\Admin\AppData\Local\Temp\build.exe N/A
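As an added worked example, not part of the sandbox report, the following Python parses the Blob value format shown in the rows above and performs the thumbprint check. The record layout (little-endian DWORD property id, DWORD reserved set to 1, DWORD length, then data) and the property ids 3 (SHA-1 thumbprint), 11 (UTF-16LE friendly name) and 32 (DER certificate) are CryptoAPI's. PAGE_BLOB_PREFIX is the first 200 bytes of the DAC9024F... blob copied from the row above, stopping before the certificate record; the two constructed blobs wrap a stand-in payload rather than a real certificate, and the names for the Baltimore and ISRG thumbprints are supplied from public root listings, not from this report.

```python
"""Parse a CryptoAPI certificate Blob value as written under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<thumbprint>\\Blob.

The value is a flat list of property records, each
    DWORD property id | DWORD reserved (always 1) | DWORD length | data[length]
in little-endian byte order. The ids that matter for triage are
3 (SHA-1 thumbprint), 11 (UTF-16LE friendly name) and 32 (the DER certificate).
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32

# Thumbprints written by build.exe in this report. The DST name is read out of the
# blob itself; the other two names come from public root-store listings (assumption).
KNOWN_PUBLIC_ROOTS = {
    "dac9024f54d8f6df94935fb1732638ca6ad77c13": "DST Root CA X3",
    "d4de20d05e66fc53fe1a50882c78db2852cae474": "Baltimore CyberTrust Root",
    "cabd2a79a1076a31f21d253635cb039d4329a5e8": "ISRG Root X1",
}

# The first 200 bytes of the DAC9024F... blob copied from the report: every property
# record that precedes the certificate itself (property 32 is omitted here).
PAGE_BLOB_PREFIX = (
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"  # 15: signature hash
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000"  # 11: friendly name
    "090000000100000016000000301406082b0601050507030406082b06010505070301"  # 9: enhanced key usage
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"  # 20: key identifier
    "1d00000001000000100000004558d512eecb27464920897de7b66053"  # 29: subject name MD5
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"  # 3: SHA-1 thumbprint
)


def parse_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}; raise on a malformed record."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError("reserved field is %d, expected 1 (property %d)" % (reserved, prop_id))
        if off + length > len(blob):
            raise ValueError("property %d (%d bytes) overruns the blob" % (prop_id, length))
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def describe_blob(blob: bytes) -> dict:
    """Extract name and thumbprint, and verify the thumbprint against the DER bytes."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    computed = hashlib.sha1(der).hexdigest() if der else None
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", errors="replace")
    return {
        "friendly_name": name.rstrip("\x00"),
        "stored_thumbprint": stored,
        "computed_thumbprint": computed,
        "verified": computed is not None and computed == stored,
        "known_root": KNOWN_PUBLIC_ROOTS.get(stored),  # what the blob claims to be
        "property_ids": sorted(props),
    }


def build_blob(props: dict) -> bytes:
    """Serialise {property_id: data} back into Blob layout (used for the samples below)."""
    out = bytearray()
    for prop_id, data in props.items():
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return bytes(out)


# Constructed samples: a stand-in payload, not a real certificate.
FAKE_DER = b"\x30\x82\x03\x4a" + bytes(range(20))
SAMPLE_BLOB = build_blob({  # consistent: stored SHA-1 matches the payload
    CERT_FRIENDLY_NAME_PROP_ID: "DST Root CA X3\x00".encode("utf-16-le"),
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(FAKE_DER).digest(),
    CERT_CERT_PROP_ID: FAKE_DER,
})
TAMPERED_BLOB = build_blob({  # claims the DST Root CA X3 thumbprint over different bytes
    CERT_FRIENDLY_NAME_PROP_ID: "DST Root CA X3\x00".encode("utf-16-le"),
    CERT_SHA1_HASH_PROP_ID: bytes.fromhex("dac9024f54d8f6df94935fb1732638ca6ad77c13"),
    CERT_CERT_PROP_ID: FAKE_DER,
})

if __name__ == "__main__":
    for label, blob in (("page prefix", bytes.fromhex(PAGE_BLOB_PREFIX)),
                        ("consistent", SAMPLE_BLOB), ("tampered", TAMPERED_BLOB)):
        print(label, describe_blob(blob))
```

To run it against the full value, paste the complete hex from the Blob row into `bytes.fromhex(...)`: `verified` should then be True and `known_root` should name the same root as the friendly name. A blob that claims a trusted thumbprint but fails verification, as the tampered sample does, is what an actual rogue-root injection would look like in this store.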

Suspicious behavior: EnumeratesProcesses

64 process-enumeration events, all by C:\Users\Admin\AppData\Local\Temp\build.exe (no indicator or target recorded).

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of WriteProcessMemory

Note: only the 1260 to 2704 pair is also paired with a SetThreadContext event (see the signature above), and both PIDs run the same image; that combination is the classic hollowing/RunPE pattern of a loader spawning a suspended copy of itself and overwriting it with the decrypted payload. Every other pair is a parent writing into a child it has just created (cmd.exe into chcp.com, netsh.exe and findstr.exe, the crashing CamSnap.exe into the WerFault.exe it launched). A handful of WriteProcessMemory calls into a fresh child is normal process-creation behaviour on Windows and should not be read as injection without a SetThreadContext, CreateRemoteThread or QueueUserAPC event to go with it. Identical rows are collapsed below with their count.

Description Indicator Process Target
PID 1260 wrote to memory of 2704 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2704 wrote to memory of 2376 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
PID 2704 wrote to memory of 896 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 2376 wrote to memory of 2796 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
PID 2796 wrote to memory of 1928 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\CamSnap.exe C:\Windows\system32\WerFault.exe
PID 896 wrote to memory of 436 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 436 wrote to memory of 764 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 436 wrote to memory of 1668 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 436 wrote to memory of 2732 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 896 wrote to memory of 2296 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2916 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2296 wrote to memory of 3016 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
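An added example, not part of the sandbox report, of the triage rule described in the notes on the SetThreadContext and WriteProcessMemory signatures: pair the two event types per (source, target) PID pair and treat only pairs that have both as hollowing candidates. The rows are transcribed from the two tables above with their repeat counts; the heuristic and its wording are the editor's, not the sandbox's, and the mangled file name `@dr@[email protected]` is kept exactly as the page shows it.

```python
"""Pair sandbox WriteProcessMemory and SetThreadContext events to separate process
hollowing from the routine cross-process writes a parent makes when creating a child."""
import re
from collections import Counter

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) (?P<dst>\d+)$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"  # name as mangled on the page
BUILD = r"C:\Users\Admin\AppData\Local\Temp\build.exe"
CAMSNAP = r"C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# (description, repeat count, source image, target image) transcribed from the report.
ROWS = [
    ("PID 1260 set thread context of 2704", 1, SAMPLE, SAMPLE),
    ("PID 1260 wrote to memory of 2704", 9, SAMPLE, SAMPLE),
    ("PID 2704 wrote to memory of 2376", 4, SAMPLE, DROPPER),
    ("PID 2704 wrote to memory of 896", 4, SAMPLE, BUILD),
    ("PID 2376 wrote to memory of 2796", 3, DROPPER, CAMSNAP),
    ("PID 2796 wrote to memory of 1928", 3, CAMSNAP, r"C:\Windows\system32\WerFault.exe"),
    ("PID 896 wrote to memory of 436", 4, BUILD, CMD),
    ("PID 436 wrote to memory of 764", 4, CMD, r"C:\Windows\SysWOW64\chcp.com"),
    ("PID 436 wrote to memory of 1668", 4, CMD, r"C:\Windows\SysWOW64\netsh.exe"),
    ("PID 436 wrote to memory of 2732", 4, CMD, r"C:\Windows\SysWOW64\findstr.exe"),
    ("PID 896 wrote to memory of 2296", 4, BUILD, CMD),
    ("PID 2296 wrote to memory of 2916", 4, CMD, r"C:\Windows\SysWOW64\chcp.com"),
    ("PID 2296 wrote to memory of 3016", 4, CMD, r"C:\Windows\SysWOW64\netsh.exe"),
]


def triage(rows):
    """Return {(src_pid, dst_pid): verdict dict} for every pair that appears in the rows."""
    writes, contexts, images = Counter(), set(), {}
    for desc, count, src_img, dst_img in rows:
        m = EVENT_RE.match(desc)
        if not m:
            raise ValueError("unrecognised row: %r" % desc)
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if m["op"].startswith("set thread context"):
            contexts.add((src, dst))
        else:
            writes[(src, dst)] += count

    verdicts = {}
    for src, dst in sorted(set(writes) | contexts):
        if (src, dst) in contexts:
            # Writing into a process and then replacing its thread context is the
            # hollowing / RunPE signature; same image on both sides means the loader
            # relaunched itself as the host.
            kind = "hollowing candidate"
            if images[src].lower() == images[dst].lower():
                kind += " (self-hollowing: child is a copy of the parent image)"
        else:
            kind = "write-only; consistent with a parent populating a new child"
        verdicts[(src, dst)] = {"verdict": kind, "writes": writes[(src, dst)],
                                "source": images[src], "target": images[dst]}
    return verdicts


def hollowing_pairs(rows):
    """Just the (src, dst) pairs that need a memory dump of the target."""
    return [pair for pair, v in triage(rows).items() if v["verdict"].startswith("hollowing")]


if __name__ == "__main__":
    for pair, v in triage(ROWS).items():
        print(pair, v["writes"], v["verdict"])
```

On this report the only hollowing candidate is (1260, 2704), which is why the memory dumps of PID 2704 (0x400000 to 0xC0A000 in the Files section) are the ones to carve the unpacked payload from.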

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Processes

Note: the tree is ac15ae1e49f4272e8d38b5fd5573ce35.exe (PID 1260), which hollows a second instance of itself (PID 2704); that instance drops and runs build.exe (the Stealerium component, responsible for the browser, Outlook and Wi-Fi collection above) and @dr@[email protected], which writes the Startup-folder copy and launches CamSnap.exe. The two cmd.exe chains belong to build.exe's Wi-Fi reconnaissance: chcp 65001 switches the console to UTF-8 so the .NET parent can read the output reliably, netsh wlan show profile | findstr All lists the saved Wi-Fi profiles, and netsh wlan show networks mode=bssid lists access points in range. WerFault.exe -u -p 2796 -s 712 is Windows Error Reporting handling a crash in PID 2796 (CamSnap.exe), which, given the name, is likely a webcam capture failing on a VM with no camera. msiexec.exe /V is the Windows Installer service starting; nothing in this report ties it to the sample.

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

"C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2796 -s 712

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

"C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

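An added example, not part of the sandbox report, of command-line and file-path rules for the two behaviours the process list and the "Drops startup file" signature show: Wi-Fi reconnaissance through netsh and persistence via the per-user Startup folder. The process and file events are transcribed from this report; the rules and the ATT&CK mapping are the editor's. The key=clear rule goes beyond what this detonation recorded: it covers the per-profile password dump that Wi-Fi harvesters normally issue after listing profiles, which did not happen here (the VM has no saved profiles), so treat that rule as an assumption.

```python
"""Command-line and file-path rules for the Wi-Fi reconnaissance and Startup-folder
persistence recorded in the Processes and Signatures sections of this report."""
import re

# rule name -> (pattern, ATT&CK technique)
RULES = {
    "wifi_profile_enum": (re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b", re.I), "T1016.002"),
    # Assumed follow-on per profile; not recorded in this detonation.
    "wifi_key_dump": (re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear\b", re.I), "T1016.002"),
    "wifi_bssid_scan": (re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+networks\b.*\bmode\s*=\s*bssid\b", re.I), "T1016.002"),
    # "chcp 65001 && ..." is the UTF-8 console switch a .NET parent uses before reading child output.
    "utf8_codepage_chain": (re.compile(r"\bchcp\s+65001\s*&&", re.I), "T1059.003"),
}
# Any executable content written into the per-user Startup folder.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:exe|dll|scr|vbs|js|bat|cmd|lnk)$", re.I)

# (image, command line) transcribed from the Processes section.
PROCESS_EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\build.exe", r'"C:\Users\Admin\AppData\Local\Temp\build.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    (r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    (r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    (r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    (r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
]
# (operation, path) transcribed from the "Drops startup file" signature.
FILE_EVENTS = [
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe"),
]


def match_cmdline(cmdline: str) -> list:
    """Names of every rule that fires on one command line, sorted for stable output."""
    return sorted(name for name, (rx, _) in RULES.items() if rx.search(cmdline))


def is_startup_drop(path: str) -> bool:
    return STARTUP_RE.search(path) is not None


def scan(process_events, file_events) -> list:
    """Run all rules over process and file events and return one finding per hit."""
    findings = []
    for image, cmdline in process_events:
        for name in match_cmdline(cmdline):
            findings.append({"rule": name, "technique": RULES[name][1],
                             "image": image, "evidence": cmdline})
    for op, path in file_events:
        if is_startup_drop(path):
            findings.append({"rule": "startup_folder_drop", "technique": "T1547.001",
                             "image": None, "evidence": "%s %s" % (op, path)})
    return findings


if __name__ == "__main__":
    for f in scan(PROCESS_EVENTS, FILE_EVENTS):
        print(f["technique"], f["rule"], "<-", f["evidence"])
```

The same netsh commands are run by administrators and Wi-Fi diagnostics, so in production these rules should be scoped by parent: a netsh.exe whose grandparent is an unsigned binary in %TEMP%, as here, is a different event from one under an interactive console.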
Network

Note: 8.8.8.8:53 is the sandbox's resolver. www.microsoft.com, csc3-2004-crl.verisign.com and apps.identrust.com are Windows' own CRL and root-certificate traffic (see the certificate-store note above), and icanhazip.com is the external-IP lookup flagged in the signatures. discordapp.com and the gofile.io hosts are public services that Stealerium builds use for exfiltration (Discord webhook, Gofile upload); they identify the channel but make poor block-list entries. magic.poisontoolz.com (Cloudflare-fronted, 104.21.10.90:443) is the only host here that is not a public service and is the indicator worth alerting on.

Country Destination Domain Proto
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.130.233:443 discordapp.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 store23.gofile.io udp
US 172.111.38.92:443 store23.gofile.io tcp
US 104.18.114.97:80 icanhazip.com tcp
US 162.159.130.233:443 discordapp.com tcp

Files

Note: several paths appear more than once with different hashes (build.exe three times, @dr@[email protected] twice) because the sandbox hashed the file more than once while it was being written or replaced; before using any of these hashes as an IOC, confirm it against the image that actually executed. @dr@[email protected] is not the real file name: the hosting page's e-mail-address obfuscation rewrote part of it and the original is not recoverable from this copy. The memory/ entries are region dumps; the long run of dumps of 0x0000000007CC0000-0x0000000008224000 in PID 1260 are successive captures of one region of about 5.6 MB being written by the loader, which is where to look for the unpacked next stage, and the dump of 0x0000000000400000-0x0000000000C0A000 in PID 2704 is the hollowed image. The files under AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\ are the stealer's staging directory (browser, system and directory listings) assembled before upload.

memory/1260-0-0x0000000001300000-0x000000000131A000-memory.dmp

memory/1260-1-0x0000000074960000-0x000000007504E000-memory.dmp

memory/1260-2-0x0000000004B50000-0x0000000004B90000-memory.dmp

memory/1260-3-0x0000000000250000-0x0000000000256000-memory.dmp

memory/1260-4-0x0000000000270000-0x0000000000276000-memory.dmp

memory/1260-5-0x0000000007CC0000-0x000000000822A000-memory.dmp

memory/1260-6-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-7-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-9-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-11-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-13-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-15-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-17-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-19-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-21-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-23-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-25-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-27-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-29-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-31-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-35-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-33-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-37-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-39-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-43-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-45-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-41-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-49-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-51-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-53-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-47-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-55-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-57-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-61-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-63-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-65-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-67-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-69-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-59-0x0000000007CC0000-0x0000000008224000-memory.dmp

memory/1260-938-0x0000000000460000-0x0000000000461000-memory.dmp

memory/1260-940-0x0000000000590000-0x00000000005DC000-memory.dmp

memory/1260-939-0x00000000084C0000-0x00000000089C2000-memory.dmp

memory/1260-954-0x0000000074960000-0x000000007504E000-memory.dmp

memory/2704-958-0x0000000074270000-0x000000007495E000-memory.dmp

memory/2704-957-0x0000000000400000-0x0000000000C0A000-memory.dmp

memory/2704-959-0x0000000005510000-0x0000000005550000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 3987fc707ff5370a67d6480c00b1769f
SHA1 3d20c1558d8291ff65d91b201b259ee0a3dcbe5d
SHA256 25101656f4e7f74c0f9a32fb8f7c6cd9f23523e40dc9166b86f4a8f2b8236644
SHA512 72a52ac37d454053bbd4bf7d989482601524a0544a961bc88569ad62dbf1de9b24cd54fb59b1cf3d3d8f5cca9d1a0c7944399b0a80b6433872a08e8b25d20624

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 25b2e18f1b3139316ae257ae9e14db25
SHA1 395f087ebe9eebae191020a2a94de10361f4d980
SHA256 d4c9179981b81f25f4a9ce969f08d21949e9b384e3ef83425b76d240e1c6d168
SHA512 a0f60becc10e375d670c3ea1151113deea7430b39a72805b7df0ab2af6194d4786c1af858151dc814af481d3963038ad6a412218479105d943393dbafcb90b74

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 468acfd8e7a6bd0d7ee5b7c7e9fc2326
SHA1 9b1dbcccf56babb3361b91e05ade3cd4fb59e06f
SHA256 81d8442e67dabd490b108f55ea9500ef2174e3d765d6e471b205b8fd9fc68762
SHA512 c2bdb698a39b9b32d1e8f90ba293623624b279ce76c90351c74fab4ae31072daa1f2f1abe443e55f0ac71862b07171d45728bc6019afb64929d0333d214ea8d6

memory/2704-981-0x0000000074270000-0x000000007495E000-memory.dmp

memory/896-980-0x0000000074270000-0x000000007495E000-memory.dmp

memory/896-979-0x0000000000140000-0x00000000002D2000-memory.dmp

memory/2376-982-0x0000000000970000-0x0000000000AE8000-memory.dmp

\Users\Admin\AppData\Local\Temp\build.exe

MD5 51b0bca51ca74d831ee1714d72f4f82a
SHA1 c45951f29491c64ad3847b9fc23741806c7db66d
SHA256 3a1cb2eb8e1f6195a3c17220efef67dd84c746ea5617c103eae6d21f188f9d44
SHA512 cfa62537b800a95ce79c04ffd7be8ab3997688527b9e3ffa5f80171d0c91b97ddc463181f8749ea40f3a4b3e0ad1b288b1808f5f46c219b93ae0c49056c66c47

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 c4a2268064694b49bd6488c02cf529c6
SHA1 862e09bc1b0014a2b6dea6b6ab5bdafe28291307
SHA256 7c6ccf9ad96d0996df00fdc954aef16c076e362525f28734d5c927afd76d32a9
SHA512 2824eb99cff9ccfa89ca84518e5dbba01049cd174062a798f2996f0a4f9ee40bc022a902bff06d471ceff56d01ee7f48bd3d58dc15fb802eefff855766f0a906

\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 56444d83014c9ab8d4c1fd75a090573e
SHA1 ab88bc95077fcc8ba01c45a5b1255d1e13b247d2
SHA256 b3b724b62af1d56eba721cc92a86f0698810f069f8b1dc3637209256bf8164ad
SHA512 1c7a956f29627366a876d2c3714f48eecd2bcf7a1f29ec93513089ed392721346603e73162867f6b69167df7f4176161a9366004fff1c5544bba12019436a271

memory/2376-983-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

memory/2376-984-0x000000001C050000-0x000000001C0D0000-memory.dmp

memory/2796-991-0x0000000000CF0000-0x0000000000D0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

MD5 550628b16ef8c4e27c4081950cf8fd66
SHA1 ab11427c02cb53b70816b06d5a950b5f52c935eb
SHA256 09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa
SHA512 e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01

memory/2796-992-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

memory/896-993-0x0000000004570000-0x00000000045B0000-memory.dmp

memory/896-998-0x00000000006B0000-0x00000000006D6000-memory.dmp

memory/896-999-0x00000000005A0000-0x00000000005A8000-memory.dmp

memory/896-997-0x0000000004290000-0x0000000004322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA01.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarA33.tmp

MD5 b4fcb5edddc0f75933bddac35e0db0ab
SHA1 22e1f640798959f312dee7fe7c36e8b4021d256a
SHA256 0bb006acb80281859bc82b95907a741307d2b6573ad9b436e39ab822ab640bce
SHA512 6fef2b7e85651d49242b6e4dbc57743f3ef5741b05133e3a0d8085527143ae5d073fa239cb542204c12b476dce22ee12098dde391f372e416fac843177857189

memory/896-1035-0x0000000002130000-0x0000000002138000-memory.dmp

memory/896-1036-0x00000000043B0000-0x00000000043CE000-memory.dmp

memory/896-1034-0x0000000002120000-0x000000000212A000-memory.dmp

C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/896-1115-0x0000000074270000-0x000000007495E000-memory.dmp

memory/896-1116-0x0000000004570000-0x00000000045B0000-memory.dmp

memory/2376-1119-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\Apps.txt

MD5 93df10792e8a5a5afdba1e3cdf7238ae
SHA1 f191d257e69bf44686383ae25a079062c622cd4f
SHA256 3563af086891aa59852c419854e818366dbc0e2c5cdedb3b1d0db1e90a6442e3
SHA512 377d57cac7414c3cc8239599a9890eaba46bfed1bf8028afe42f5043243c43ee4dc123bc669255a04df5ae249fce906baf0e4043469865e6cf8f3a46814e3a9d

memory/896-1162-0x0000000006600000-0x000000000667A000-memory.dmp

memory/2376-1163-0x000000001C050000-0x000000001C0D0000-memory.dmp

memory/2796-1164-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\Debug.txt

MD5 a2efde5513517a0ff1b435cadd9ad5b8
SHA1 b91abb63ad8bc8ee7d71d93d73f1ee64d775a409
SHA256 3945e21d9a7fa10ba68d16f7c032bac739437462a45538fb7d376500e04e0418
SHA512 551b7c85d7ff9fbcbf1e5fba2c098f6446f9d834f903580f52254bfb1694277d77bb310e30ef5fa5e12334b2696585686b14a949644dddeddc6cee3707377d6f

C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\ProductKey.txt

MD5 cad6c6bee6c11c88f5e2f69f0be6deb7
SHA1 289d74c3bebe6cca4e1d2e084482ad6d21316c84
SHA256 dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
SHA512 e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

memory/896-1231-0x0000000005A10000-0x0000000005AC2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ee8691f69adf3daed94e102a45e79dc
SHA1 8c82055615fe3fb35e985d8c81b3fc2ee9253342
SHA256 d2cb498f1f8e7f89d5e6448e4182bf97ba2458aa9a4bde76fa46e623ef7772ed
SHA512 20920364291fa3914ac95a7ad9573ab0ebe5b68453d5f0c8ce576ea00dffccb8e5647742515730dce5e02d8e7586c4fb3ce94611201761d055ca7c162ec546e9

memory/896-1315-0x0000000004570000-0x00000000045B0000-memory.dmp

C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\msgid.dat

MD5 a4350f1904865bc46f3d72a225592712
SHA1 5677e63c7d182ae35bada0c77c91e7515828da43
SHA256 516fd2e78c32dd8269d8816f2d0be0f4e26565eb931a0b6fe08de603ee2a7747
SHA512 68eda9663995b10267a47a94aac4ee93bcb1b2358bc819ec5a2fbedced01bffda07a18e6af9192222490339c0f6f76e9fea1dd27a7b8c67673e1aab52c010e5a

memory/896-1328-0x0000000004570000-0x00000000045B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 03:58

Reported

2024-01-30 04:01

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealerium

stealer stealerium

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Windows Update.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A icanhazip.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2124 set thread context of 4112 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 2124 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
PID 4112 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
PID 4112 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
PID 4112 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 4112 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 4112 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 3324 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
PID 3324 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\@dr@[email protected] C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
PID 1080 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 636 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 636 wrote to memory of 1340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 636 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 636 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 636 wrote to memory of 4392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 636 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 636 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 636 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1080 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 1080 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3508 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3508 wrote to memory of 3004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3508 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3508 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3508 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\build.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

"C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

"C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

"C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 magic.poisontoolz.com udp
US 104.21.10.90:443 magic.poisontoolz.com tcp
US 8.8.8.8:53 90.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 152.199.19.74:80 evcs-ocsp.ws.symantec.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 51.38.43.18:443 api.gofile.io tcp
US 8.8.8.8:53 store8.gofile.io udp
US 206.168.191.31:443 store8.gofile.io tcp
US 8.8.8.8:53 18.43.38.51.in-addr.arpa udp
US 8.8.8.8:53 31.191.168.206.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 104.18.114.97:80 icanhazip.com tcp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/2124-0-0x00000000004F0000-0x000000000050A000-memory.dmp

memory/2124-1-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/2124-2-0x0000000001000000-0x0000000001010000-memory.dmp

memory/2124-3-0x0000000002980000-0x0000000002986000-memory.dmp

memory/2124-4-0x0000000004EB0000-0x0000000004EB6000-memory.dmp

memory/2124-5-0x0000000007E80000-0x00000000083EA000-memory.dmp

memory/2124-6-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-7-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-9-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-11-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-13-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-15-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-17-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-19-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-21-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-23-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-25-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-27-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-29-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-31-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-33-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-35-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-37-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-39-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-41-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-43-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-45-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-47-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-49-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-51-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-53-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-55-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-57-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-59-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-61-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-63-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-65-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-67-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-69-0x0000000007E80000-0x00000000083E4000-memory.dmp

memory/2124-938-0x00000000028C0000-0x00000000028C1000-memory.dmp

memory/2124-940-0x0000000006B80000-0x0000000006BCC000-memory.dmp

memory/2124-939-0x0000000008880000-0x0000000008D82000-memory.dmp

memory/2124-941-0x0000000009330000-0x00000000098D4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ac15ae1e49f4272e8d38b5fd5573ce35.exe.log

MD5 c3941d9fa38f1717d5cecd7a2ca71667
SHA1 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256 f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

memory/2124-945-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4112-946-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/4112-947-0x0000000000400000-0x0000000000C0A000-memory.dmp

memory/4112-948-0x0000000005600000-0x0000000005692000-memory.dmp

memory/4112-949-0x00000000055E0000-0x00000000055F0000-memory.dmp

memory/4112-950-0x00000000057B0000-0x00000000057BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 835746629f9f6238a66f6507d224c22c
SHA1 ee363c7eea9474ddee4d5e8324172a058f4915ce
SHA256 073ba4f196478d20e734dc7faf7ff05ff3084dca07cde208bc8cdaee37be8b79
SHA512 49ce4d4eb71e7fb14c2ceec797cf31b6d1e49d664b47e8908e6f5a96c4d856459db2a958d7342b7f9546552400e8a3281af9b5fc1d8f6c8825c1a9f456fbccd8

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 50aa33d254e099b513f28351c145146c
SHA1 c29cf960262284f05bbdfcd51250176b0add3a69
SHA256 99b568e6c3a7a3e3d4b3e5a4c25cbb30017c3098fb1b74a73f797411cb5bd926
SHA512 ae211e456b9ebe1677b9f68f3274319e972ea8387713024732adaa483feb00ac0ef2abd6ac8087da2e9862f1c48933d19dee9dbfea977205ebef0282b8cdeeae

C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

MD5 35547de351aa8742b7ed30cc384b56a6
SHA1 3e2279ec8ecb44d22ea6a382a2919710c38aefa7
SHA256 16526b52c0cbe5d1d332730de3180069270444c2a7944ba1a54d8652434cb7f8
SHA512 d383d134ce0ad323d45f03d8454cf48c4d1d641152cf6922f30b6f63c106e709e495d19953b618706d3dc38296bad1c5d51fd5c1dd6ccfc454304d8c9bde669a

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 62df32b363188a54c8ebe9c0309cdbdd
SHA1 e0ca65cea1d87b2e833ada6c66ea80419cd073e4
SHA256 41a261d6fc3ed8d39cded15cfceb4e6cdcf418cf41fda6607676b92f25fecd8d
SHA512 22a5189380017270f3e824b7bdadf6c3779b8b2bf73471634b5f0f91dbbad3c05305db0fefedb79802625ac79f088a874fef46f396cc2093e58b9b878e5371a7

memory/3324-977-0x000002C0B5250000-0x000002C0B53C8000-memory.dmp

memory/3324-981-0x00007FFC9E5D0000-0x00007FFC9F091000-memory.dmp

memory/1080-980-0x0000000000640000-0x00000000007D2000-memory.dmp

memory/1080-983-0x0000000005040000-0x00000000050A6000-memory.dmp

memory/1080-982-0x00000000747D0000-0x0000000074F80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 a456bcb56e906e99266926e2ef766dd8
SHA1 a3a02328b2d17820802f421710b7f2ab90ee92d1
SHA256 5645ca43a80c0573c68cc617cfea74f515c59aadcaf52ca9aee07000258583f0
SHA512 1642c3199fa43e7238898f78c5b3482d727dc11502c380a20f961f2eaecec3a7eefaa6fc9af82c988be060a4b8f460a2e28b81da0a7a59028fb2ebf8fa987123

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 0a0264a55fe9d32837d1e0bab813c7b6
SHA1 6ab6aad1da38a0257cb75ea6126fe4963431a51d
SHA256 d6ba5a179fc788ffb5fb39e1baa195baf79d4dfa2216d62b21638c79dbd186ad
SHA512 e963ad3d0382f582c9b178062f4712e5f01809cbfd4698c3895e7c72b422b3ace247094d53a21aba1a7ee205da23b0519179f44e6a40017c3cee221f3dd3b487

memory/4112-984-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/3324-985-0x000002C0CFBC0000-0x000002C0CFBD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

MD5 550628b16ef8c4e27c4081950cf8fd66
SHA1 ab11427c02cb53b70816b06d5a950b5f52c935eb
SHA256 09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa
SHA512 e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01

memory/4172-998-0x00000132EFFC0000-0x00000132EFFDE000-memory.dmp

memory/4172-999-0x00007FFC9E5D0000-0x00007FFC9F091000-memory.dmp

memory/1080-1000-0x00000000050F0000-0x0000000005100000-memory.dmp

memory/4172-1001-0x00007FFC9E5D0000-0x00007FFC9F091000-memory.dmp

memory/3324-1002-0x000002C0D1C50000-0x000002C0D1CA0000-memory.dmp

memory/3324-1046-0x00007FFC9E5D0000-0x00007FFC9F091000-memory.dmp

memory/1080-1049-0x0000000005970000-0x0000000005978000-memory.dmp

memory/1080-1048-0x0000000005940000-0x0000000005966000-memory.dmp

memory/1080-1047-0x00000000058B0000-0x0000000005942000-memory.dmp

memory/1080-1051-0x00000000067A0000-0x00000000067A8000-memory.dmp

memory/1080-1050-0x0000000006790000-0x000000000679A000-memory.dmp

memory/1080-1052-0x00000000067C0000-0x00000000067DE000-memory.dmp

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Process.txt

MD5 5aef8be9f6de9a0dec3bf77029fe7eb1
SHA1 d56cee7e3115ee5560deac679def32409969ec27
SHA256 5d8d6369f0361650f874a9f6bd56bcf831c0643490f2e31a2028989ebb876e1e
SHA512 fcb6f8277b9421dae5891f07cb5365d52677d2bc2056110ae1b315f92516c5e903acedffb6bfcbe4b7adcbf18b55349affe7133a180254acead4ec2d41714eba

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Apps.txt

MD5 763a12574ed1e1d9b09c6c442d989861
SHA1 e9eb814c5c2f7624cafffcea0f58257cec5ac055
SHA256 def4af4d5c0731ec94e1d91037d25a801c2ed5c3b4f5ee45fdc132ca4aca7fa2
SHA512 ac70d263be7dfa6cbb1a2c1cbc1f081c510ec8df207fb6564860038bb801a6bb2e6f93870ae41fe79b75e2367c21d20d6e8ddea01a9b498704d0892ea102e621

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Apps.txt

MD5 0af56b2246b9927a3910062121d1b3d8
SHA1 e4dd70a199a838f178fe434583a6de5ef0aaad38
SHA256 1e7de68a00062bb4b2d3626f48d7d40d87b11077e7ac45dd5b41a01cbc520129
SHA512 eaa77dec4ce04b63aa76fec44b932ab5d646542e2988566af121256201a2be1423144494fcc42eec36353573c75371f99d5d16243c56cf3db8191a81dfabf3c6

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Apps.txt

MD5 109200e0ebbbb8555161615ac6f7b282
SHA1 4a128739efbf0eaed157f68eda5d505690dc643b
SHA256 464943501c3413d695b38a23e9c9469dcbfd5f6c6b707e5f24ff4cbd804e7e0b
SHA512 dd70f3a0be9746169a0c8b2b6a9769bdadd9cb2d4f6fc63daf4fddc289bd872874dc3f969d1b69cb1d33b22c74afbea622ec59041ef8cc767f329b990eefacae

memory/1080-1234-0x00000000747D0000-0x0000000074F80000-memory.dmp

memory/1080-1237-0x00000000050F0000-0x0000000005100000-memory.dmp

memory/1080-1240-0x00000000068B0000-0x000000000692A000-memory.dmp

memory/1080-1244-0x00000000050F0000-0x0000000005100000-memory.dmp

memory/1080-1313-0x0000000006BA0000-0x0000000006C52000-memory.dmp

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\System\Debug.txt

MD5 601a1e30864778b9226a55dc3bc58d12
SHA1 2b83fd559adfa7a30dc50419d0b5abea7d3fddb3
SHA256 be164dd16b0e17fd0a4bbdc2e05c759ee332893542ccf6e2688fab52263bc131
SHA512 49604504ae3b70ad0c6efc6d20bc67ea3483ee4148ba695ee7c91a0f0c2e180a0965e3d8d36eb01c2811ac356a699ad284ad96fa1008ae97a9993f712b130830

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\Admin@EYHRDPTG_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

memory/1080-1315-0x0000000006AB0000-0x0000000006AD2000-memory.dmp

memory/1080-1316-0x0000000007FD0000-0x0000000008324000-memory.dmp

C:\Users\Admin\AppData\Local\43eb28f2e8b3bfdaa1e708693f286457\msgid.dat

MD5 14234619d78d1d13122dc25a30dc94ab
SHA1 553bb39f46c45a06afdaf610dda0805c4cf26f3f
SHA256 7ca83b1254b854d41741e7c923fa389dc7dda149f070603b653b9fb5e7787aa1
SHA512 f0d35d71c4b74fa4787f742fb072135030d9aa24e40e38bbd73108c1a54c8b7f06e607af404633e34522b466d11ef04889cfca094592ade3be26a6fee65925e4

memory/1080-1328-0x00000000050F0000-0x0000000005100000-memory.dmp