Malware Analysis Report

2025-01-02 12:16

Sample ID 240417-rvse2aca83
Target 91eae3aeb592e530edf843431d616dc6e3196b4eecd341d7422f84a466bcb8c2
SHA256 91eae3aeb592e530edf843431d616dc6e3196b4eecd341d7422f84a466bcb8c2
Tags asyncrat zgrat default rat
Score 10/10

Analysis Overview

Score 10/10

SHA256 91eae3aeb592e530edf843431d616dc6e3196b4eecd341d7422f84a466bcb8c2

Threat Level: Known bad

The file 91eae3aeb592e530edf843431d616dc6e3196b4eecd341d7422f84a466bcb8c2 was found to be: Known bad.

Malicious Activity Summary

asyncrat zgrat default rat

ZGRat

AsyncRat

Detect ZGRat V1

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-17 14:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-17 14:31

Reported

2024-04-17 14:34

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Checks computer location settings

Count Description Indicator Process Target
2 Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe N/A
1 Key value queried \REGISTRY\USER\S-1-5-21-2177723727-746291240-1644359950-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\note.exe N/A

Executes dropped EXE

Count Description Indicator Process Target
2 N/A N/A C:\Users\Admin\AppData\Roaming\note.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Count Description Indicator Process Target
3 N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
4 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
21 N/A N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\note.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 4932 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 4932 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Windows\SysWOW64\schtasks.exe
8 PID 4932 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe
3 PID 1260 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Windows\SysWOW64\cmd.exe
3 PID 1260 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Windows\SysWOW64\cmd.exe
3 PID 4764 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
3 PID 4452 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
3 PID 4452 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\note.exe
3 PID 2804 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Roaming\note.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 2804 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Roaming\note.exe C:\Windows\SysWOW64\schtasks.exe
8 PID 2804 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Roaming\note.exe C:\Users\Admin\AppData\Roaming\note.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe

"C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GBACkwScGwPt.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GBACkwScGwPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85E9.tmp"

C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe

"C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "note" /tr '"C:\Users\Admin\AppData\Roaming\note.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9645.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "note" /tr '"C:\Users\Admin\AppData\Roaming\note.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\note.exe

"C:\Users\Admin\AppData\Roaming\note.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GBACkwScGwPt.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GBACkwScGwPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE36B.tmp"

C:\Users\Admin\AppData\Roaming\note.exe

"C:\Users\Admin\AppData\Roaming\note.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 248.81.21.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 45.145.55.81:6606 tcp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 45.145.55.81:8808 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 45.145.55.81:8808 tcp
US 45.145.55.81:8808 tcp
US 45.145.55.81:7707 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp85E9.tmp

MD5 3fe15944f5f31096ce2d2e425d378d30
SHA1 539301dfac8d58e3bf7a767b3a93233053493876
SHA256 73ed758357d1955a94943cbac22d8f8b7f7844fac5efc84d496b230d9e63ad32
SHA512 a88e34505bb89f16c7e6be5b7c41d6112c3c1faec59b4172be18abddd456edef40ef1c9b7d8a56df37f00f0c2ade866b5f2573426f8667a3a45327957a5cebcd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ofa3qd0y.yp4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp9645.tmp.bat

MD5 c8af1e2e3c5a398172e940bcc211f990
SHA1 d954c130db46e74f96229e3b0fddae586ec7da27
SHA256 8efb2b3fc68371218f0d19aab3d536c64216d025b1ca3242ab699e7aee6a476a
SHA512 7b4ee66a3192d0bf2ea37e2ee5b85388b2012f3e34530c3ff97fd5978ad2f19adc61c566a26b545c1d1b3b4dd46f0999cfc1fa8ac235c87f74d73a799f5554c3

C:\Users\Admin\AppData\Roaming\note.exe

MD5 34ba2f8eca9f38d2cd3a8fa1bf57ab81
SHA1 24948a5f1f23a471d7bdc1d4f2c0cc9b9914d17b
SHA256 0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe
SHA512 0897ccd7920c421259bcd53511160e68dd0020c5c88a80dded4b9a7b4427b76e7eacca03be7b0be5a2eea9f3bca1374ff104950ddd09dec67e412c4524f957c6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8f25483695efe52465b388639ac1ebf
SHA1 31df843920111d6cd84d1c1bb2ab0e760e56b32e
SHA256 d1d949ac5843ee332771d4699e1c560a166b290e3d708b39cc21b5acd37f9456
SHA512 a03b8c68ff53d18eda7cb440f64a6853edad77c5262cddae281345bb9305fac9669b524e8015a1d7acf124c4a2786c338c2c59d11dfd78bdc001d3b252d991c9

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-17 14:31

Reported

2024-04-17 14:34

Platform

win7-20240221-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Count Description Indicator Process Target
2 N/A N/A N/A N/A

ZGRat

rat zgrat

Executes dropped EXE

Count Description Indicator Process Target
2 N/A N/A C:\Users\Admin\AppData\Roaming\note.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Count Description Indicator Process Target
3 N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\note.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
4 PID 2196 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
4 PID 2196 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Windows\SysWOW64\schtasks.exe
9 PID 2196 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe
4 PID 2660 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2660 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe C:\Windows\SysWOW64\cmd.exe
4 PID 2424 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
4 PID 2528 wrote to memory of 2256 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
4 PID 2528 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\note.exe
4 PID 2392 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\note.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
4 PID 2392 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Roaming\note.exe C:\Windows\SysWOW64\schtasks.exe
9 PID 2392 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Roaming\note.exe C:\Users\Admin\AppData\Roaming\note.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe

"C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GBACkwScGwPt.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GBACkwScGwPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5947.tmp"

C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe

"C:\Users\Admin\AppData\Local\Temp\0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "note" /tr '"C:\Users\Admin\AppData\Roaming\note.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp690F.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "note" /tr '"C:\Users\Admin\AppData\Roaming\note.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\note.exe

"C:\Users\Admin\AppData\Roaming\note.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GBACkwScGwPt.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GBACkwScGwPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB480.tmp"

C:\Users\Admin\AppData\Roaming\note.exe

"C:\Users\Admin\AppData\Roaming\note.exe"

Network

Country Destination Domain Proto
US 45.145.55.81:7707 tcp
US 45.145.55.81:7707 tcp
US 45.145.55.81:7707 tcp
US 45.145.55.81:8808 tcp
US 45.145.55.81:6606 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp5947.tmp

MD5 7d01e3ac21ae4b6711617c97db291940
SHA1 647ccfb2314f3fc2b3d7bc454111763f4e391570
SHA256 749f605ac4fa88f2dc315790255e035909e59d9cdd17184235647568c26f75ab
SHA512 8b5f9273aef2dcb6348ad3e310705760fe427098137d63bb10b392ebae20f7b32350aa05772fa3807d1fbbe29521bd907fae6035915714cafdb465f5a9145fc3

C:\Users\Admin\AppData\Local\Temp\tmp690F.tmp.bat

MD5 cd8ea21992ff46d2c0caf48c79d84d6a
SHA1 7311bdbf70bfc73c188e716bf56264a5bd92729b
SHA256 00bf167dad5aa0c38a94dd021a615bebb63e14486e9d5cc022f2f21b19b32923
SHA512 92ab924fcde1d5df8f5de9858ac52b391dd62d5bce09252852661fa3be1cdaa860d3d01f42041bac3f897fd6ac263dcdb5642b906492fccc4a919ddeab5357f7

\Users\Admin\AppData\Roaming\note.exe

MD5 34ba2f8eca9f38d2cd3a8fa1bf57ab81
SHA1 24948a5f1f23a471d7bdc1d4f2c0cc9b9914d17b
SHA256 0b73e8607350c592c70b7e5845a1d7d4a7b60bd05ea1a86a7c5dd21fc48a43fe
SHA512 0897ccd7920c421259bcd53511160e68dd0020c5c88a80dded4b9a7b4427b76e7eacca03be7b0be5a2eea9f3bca1374ff104950ddd09dec67e412c4524f957c6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e166ba13a8eaa627fa21564d9bc503ec
SHA1 ce224a61aadef8a80d973d4cc9403f6f9f55e7a7
SHA256 c7821ce561f4fb0dfa18c45011627e5e157d30fd0dbbac316232ed2f43ce0965
SHA512 acb289c7a406971e6d107d594d7a52b1de7448113e45309d51f776d9a69fb6cfacdbf5aebbe70d5e8ac11adedb07e23f40437c1ba79d63d4079f6ff3349d5634
