Malware Analysis Report

2024-10-10 12:09

Sample ID 240410-p62rqsgd98
Target 9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a
SHA256 9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a
Tags
saintbot zgrat dropper rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a

Threat Level: Known bad

The file 9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a was found to be: Known bad.

Malicious Activity Summary

saintbot zgrat dropper rat

SaintBot

ZGRat

Detect ZGRat V2

SaintBot payload

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks computer location settings

Maps connected drives based on registry

Suspicious use of SetThreadContext

Enumerates physical storage devices

Runs ping.exe

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 12:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 12:57

Reported

2024-04-10 12:59

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe"

Signatures

Detect ZGRat V2

Description Indicator Process Target
N/A N/A N/A N/A

SaintBot

dropper saintbot

SaintBot payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25405.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25405.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\start /b "" cmd /c del "%~f0"&exit /b C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2072 set thread context of 240 N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 2860 (4 times) N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2648 (4 times) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2648 wrote to memory of 2724 (4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2072 wrote to memory of 240 (11 times) N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 240 wrote to memory of 1816 (4 times) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25405.exe
PID 240 wrote to memory of 1864 (4 times) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 1572 (4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1864 wrote to memory of 1484 (4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe

"C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAwAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout 20

C:\Windows\SysWOW64\timeout.exe

timeout 20

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25405.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25405.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Roaming\del.bat

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

C:\Windows\SysWOW64\cmd.exe

cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\del.bat

MD5 df77611384b4fe4641d8b355086ba1bc
SHA1 5a2f90e6bbb19fdb73fe7bc19b2e1e42631b8313
SHA256 00cb72eb24f8e7b58ea2542ba055a446e59184d22038a001d39762eb225b58fd
SHA512 6c17d1f672b0418f71fba7e571b29c95013b24ae94efe04dc830dc322b7cd7af0ea925a2ca633969f640b7e28ee0d8f59c34d84789a59901ee8ead95ee3a4e99

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25405.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3


Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 12:57

Reported

2024-04-10 12:59

Platform

win10v2004-20240226-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe"

Signatures

Detect ZGRat V2

Description Indicator Process Target
N/A N/A N/A N/A

SaintBot

dropper saintbot

SaintBot payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20471.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20471.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\start /b "" cmd /c del "%~f0"&exit /b C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1196 set thread context of 1724 N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 1972 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1972 wrote to memory of 2012 (3 times) N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 4204 (3 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1196 wrote to memory of 4608 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1196 wrote to memory of 3172 (3 times) N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1196 wrote to memory of 1724 (10 times) N/A C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1724 wrote to memory of 1868 (3 times) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20471.exe
PID 1724 wrote to memory of 2720 (3 times) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2720 wrote to memory of 2000 (3 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2720 wrote to memory of 4292 (3 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe

"C:\Users\Admin\AppData\Local\Temp\9d7c3463d4a4f4390313c214c7a79042b4525ae639e151b5ec8a560b0dd5bd0a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAwAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout 20

C:\Windows\SysWOW64\timeout.exe

timeout 20

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20471.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20471.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

C:\Windows\SysWOW64\cmd.exe

cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zuno1ujj.wqh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\20471.exe

MD5 8fdf47e0ff70c40ed3a17014aeea4232
SHA1 e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256 ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512 bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

C:\Users\Admin\AppData\Roaming\del.bat

MD5 df77611384b4fe4641d8b355086ba1bc
SHA1 5a2f90e6bbb19fdb73fe7bc19b2e1e42631b8313
SHA256 00cb72eb24f8e7b58ea2542ba055a446e59184d22038a001d39762eb225b58fd
SHA512 6c17d1f672b0418f71fba7e571b29c95013b24ae94efe04dc830dc322b7cd7af0ea925a2ca633969f640b7e28ee0d8f59c34d84789a59901ee8ead95ee3a4e99
