Analysis Overview
SHA256
1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990
Threat Level: Known bad
The file 1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990 was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Loads dropped DLL
Executes dropped EXE
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Creates scheduled task(s)
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-01 22:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-01 22:37
Reported
2024-05-01 22:42
Platform
win7-20231129-en
Max time kernel
283s
Max time network
293s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2572 created 1376 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | C:\Windows\Explorer.EXE |
| PID 2572 created 1376 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | C:\Windows\Explorer.EXE |
| PID 2572 created 1376 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | C:\Windows\Explorer.EXE |
ZGRat
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe
"C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Fancy Fancy.cmd && Fancy.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 1121
C:\Windows\SysWOW64\findstr.exe
findstr /V "LightsListingConnectivityDown" Replica
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Effect + Competition + Ict + Believe + Harassment + Bios + Burst + Toolbox 1121\R
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif
1121\Pension.pif 1121\R
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm' -Value '"C:\Users\Admin\AppData\Roaming\RegAsm.exe"' -PropertyType 'String'
C:\Windows\system32\taskeng.exe
taskeng.exe {A0CCD4C4-2F1B-4CE9-9D4A-45BC32E45985} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js"
C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif
"C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif" "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\T"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | OCRshnWqAOfKySsWABvf.OCRshnWqAOfKySsWABvf | udp |
| NL | 91.92.248.41:56001 | | tcp |
| NL | 91.92.248.41:56002 | | tcp |
| NL | 91.92.248.41:56003 | | tcp |
| NL | 91.92.248.41:56001 | | tcp |
| NL | 91.92.248.41:56002 | | tcp |
| NL | 91.92.248.41:56003 | | tcp |
| NL | 91.92.248.41:56001 | | tcp |
| NL | 91.92.248.41:56002 | | tcp |
| NL | 91.92.248.41:56003 | | tcp |
| NL | 91.92.248.41:56001 | | tcp |
| NL | 91.92.248.41:56002 | | tcp |
| NL | 91.92.248.41:56003 | | tcp |
| NL | 91.92.248.41:56001 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fancy
| MD5 | a7e06544f9ad7d58c5705cf1874e03cb |
| SHA1 | a8fff3c4f688fc4f496058d2575115241c958d78 |
| SHA256 | bff5faf70466a49e899282fc84ec428790348d1b141dc3a98e46baa492ce58f2 |
| SHA512 | b0a165e5c60f8f7908080e055fc3f4a43d7773e84a9f6dfd2761f51a4663ffaafff08d3ebddbbc0c7b9a5bcb1d49026fe3713ae48fa223c1c96cb5511170f50d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Replica
| MD5 | cf00f4e9240c539bbf64a1c20def7263 |
| SHA1 | 9aa53cc59aaa7580a85c36a50659759683074568 |
| SHA256 | b90e8420622d3497b0e95496dff0c5f9ca72242aa8ae846d2f71ae85c97bf3c3 |
| SHA512 | 2049857847148a83d295c6cd9485e3dbcb6cc165ac909fb1011e5b9fba78e2afbc1764b0bc06d0eba616080262248e6788cac115d7338e31179a3b4e1097b9a4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rewards
| MD5 | 00335905a2a89de13de6c2421575eee3 |
| SHA1 | e472af8bbc0ae7729c3a298d87721ae3f079de0e |
| SHA256 | a5a998f37aaad218f989da68e0912fa7661340884b1a421f96e74204e915e87d |
| SHA512 | 85e9e5d774284298bab638330831ccd504f617064307548dc917d290482e9c09612493bb6a696b0f25cd45d885591804d33f978c617fa88dfd8b5530b77c088b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Heater
| MD5 | 6007a8ca0455cf69278da9b4b6cb9a12 |
| SHA1 | 27084504d3c62f1a20ec1b6602327e7def4546fb |
| SHA256 | 7d282ee47798d0a129c2961079d94cbebc9940bcbb4d5a39fe464fefc10accf7 |
| SHA512 | f5c9c5f9f556807109ab30dd8373b627034fab72e4f397bb86fa6128fb00223bd4ce4554e97d72fc448643c6798fa45c9291c5c98ca233448cac2aea4203531f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Julie
| MD5 | 88f4d8dbbf1686993d6bbfe5cafc7bec |
| SHA1 | a91f8cfdba4fcc5b13404a20d83e6f2971b9dda7 |
| SHA256 | 58967b46f82093849e3236b019212c4c7e24b1585e46f5549dcad9ff03eb1a84 |
| SHA512 | 0895da59e9049ec87db8f41e806b36bf2cb248cf522f0ae3114774ff020b68a1093db4c0dfcb3f7b8c19752ec4d80a4f48dab5ab092a7c90dfadcc5c36a6f45f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wiring
| MD5 | c186c5f5e43b21e22648d604b76b8742 |
| SHA1 | fcc8ea3bea77b4d3d8d61703429d4950f57967ad |
| SHA256 | fd5195e8e4d850db2e81763debed0c70e0dede4ee7667d1540197016dcb8ab6c |
| SHA512 | e692ad7588b5976abb6f96061dd134ea9a66b74afefe506da35cb9e7d33be77887c912824dc99ca850a86ed6bf27c00cfb19bbd6ab900091da30742f4ab5507b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Historical
| MD5 | 8846c829752abfd71bbe95f4ee589929 |
| SHA1 | 18fa430e7d3a520c20bc5ba1361eec701031924c |
| SHA256 | 92421a7f7a3b71741f311e57668ec22c1939a4195a066d3cbc6217d7a1b1d5bd |
| SHA512 | 3b41b1d3a43df6d873ba826c51a2c421166eeb84749bbd123340caa280a23468f5468e778e02ab73a7565dcef13955748ac5b5a13791e72f5ef6a641d13544f6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cumshots
| MD5 | 6c623f377545d7205643ccd91755c153 |
| SHA1 | be36fe56d62c76b98507e74350a6914d327de2fd |
| SHA256 | 25973305f172e577eecf44115e1d474144a206620458592eee2ad262e4337e9b |
| SHA512 | 48ed4b6bacdf8ee9975a47d80f51e93d6f148f4a3864fbc5b9b1b0ee6ff157f79d790d961b93f7efdab9384df23afd065b2f0b8ce772f78d6cfab38ed99a6e23 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Threatening
| MD5 | 6804de931c9eb4b3d459ab030cda55ce |
| SHA1 | 182fc850106e372587039ff82aaac9386b0cf7d1 |
| SHA256 | 9a4b7f50afe7000d7babae1ec667117a56ee84859642ed80d5a0ab2222d6fd25 |
| SHA512 | af91378384e50990aa38304719a524af0786c7a9df0ae802854ebc094e4482d7d3045ab21a1d1d19bf01a585e5922e183c765dd0f37b0726f0cd5f1d56ab73c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Effect
| MD5 | 662fde8634083a5a8a69e1e234858975 |
| SHA1 | b3c7b309ac3acd5f1eb2d5f03b58fc291be9a09c |
| SHA256 | 94fea62ec238e1035e6e728c2d3508166b5fa0bab4a43758de5bcc7db73b0bfb |
| SHA512 | 6304ed20d7b535e9dbccd5421059b305c53fb7a2d7975d57f181355927baead267f14bb3467959ee4ddf58de19bc992ef9c4a6d174705114d3a5ff65ad290a8b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Competition
| MD5 | 091aae3bd1f07f9e174f53c654c6ed3d |
| SHA1 | 68c2da6fca30e5c65f1b286ccf132a6ae7aa71be |
| SHA256 | df762e720c90c439eb5a1ca9af2c6e71bdcc2176bc5678652aea14a01c1d8871 |
| SHA512 | 63b5280c48ede31e6b1deefa04c88430bc7a322416bcea309a4a03255548a90126a9a27fe1204d18c14844bc758b622ed2f3b932c3b67b982f1d9ff2adb58382 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ict
| MD5 | dbc4328fcde80bcda7e50313566525cd |
| SHA1 | fe7b8321ae72c5c5148197cf48e8bc986b4f6f3c |
| SHA256 | efe093a2edd597859c6aee6da0b862ff9a75d54cd4b3d0492f7cdf63128a5e85 |
| SHA512 | c6f0d8cecfbc7ef137899a8b0512e6efb9bc5f92844845e5744624aa78c2de1f57622c5f43cdd09f1a8cb75ef51fdb70023226c816fccf32777fd5be2e3fe875 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Believe
| MD5 | 84b8963d6e0be7253c0f7439184ede19 |
| SHA1 | 75c4c2de0abbab955ffdbd3b80750fd6c59db410 |
| SHA256 | f1626970f2bb7e4521b5ee25f917d7b32be0fc24c531149f93a9207586a2aa2b |
| SHA512 | 429cca6b0ec71446101717c5e164fc028e3f3b7f57e01d23ccae5d8865d0db11db9aeac202b02125d5af0ef0be99bec1574beb5cd3d52b2dd8618e0d26143c4b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Harassment
| MD5 | b5bb3d9ed2e6d7354c5725b9667fa6e8 |
| SHA1 | 3742b76d1cad7ad7d6c5c52b444951f7d6830d68 |
| SHA256 | f94a7a0952b8929d4b6d4c3af214ad4e50df119a126950263585721ad2a4a9e9 |
| SHA512 | 426bb2323ab1faeaa6181242b9df0191c153a95b5c1376fbcb1e0b32b68b6cd7ef0d3ae1de17132eb444704d0fcad126796a99164ce132f18777f54563667a0f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bios
| MD5 | 3826c7267e6a33cf0a5caf693ff35467 |
| SHA1 | eccec823ab4020e55d96c038e2d4d14042b36b37 |
| SHA256 | aaa85412f35cbe97f7c02cd2cf4d8c019ac97ac89c3642915dfa9099027b7472 |
| SHA512 | c16705362793d591b3f79fd5ea657cd547797d43e1b0a4f703a7d3108e84f3b91b5a613b589f4ebeb6e5b4c55b33f66c003959226b33b4f7f2f2a842e4449f6e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Burst
| MD5 | bab73e006009d7a5625e672db9ccd5db |
| SHA1 | eeb7561ab415280608b9e9484d31eb23768150a5 |
| SHA256 | 3180abd2fb794069731125550ea3e0a6eb71084494a9aef3388699d1df2948c2 |
| SHA512 | 56e84a6ec40deef4c377191df32090d3cc783630814aecf3585b13c7a6320d5330320246f5bb8424619d5dba16763365d4eab9bc9c39b41512571408d0feef21 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Toolbox
| MD5 | f5f71d9e2109265bd186ec56ad0dc430 |
| SHA1 | 3dba226bab4a0d6eb5347d575c4c8d40179ed048 |
| SHA256 | f984a61ef127393597b49d46df0ec3482880570c871ccdcacfe329e17c04e6fc |
| SHA512 | 1abf749a7b236617f3b26bf58b1fd8d7d4347e73dd3b4494c6b3c338af1dee943559af3f5dac3c748dec3c166d78d6056de188dd4c77434c8c7d8c8ad592f677 |
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif
| MD5 | 6ee7ddebff0a2b78c7ac30f6e00d1d11 |
| SHA1 | f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2 |
| SHA256 | 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4 |
| SHA512 | 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\R
| MD5 | 082fc64ab12fe5617c2d1c39e47087e8 |
| SHA1 | b2cb6d76b71c901c9b08442c53b3d703ebfeea90 |
| SHA256 | d59d26bd3c8b5180f0edafce17cecf6c4bc1ceb313454d8f89e06faa74451ccb |
| SHA512 | 4dc0e23d2302e354ed39d754a6ef71110d8f02cc5bb7d120be6785e8980c79dc1f963b8a524fcf19d77b870a624da08ab53cb2edb7f6516e96f09565f56ffa70 |
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/1948-53-0x0000000000130000-0x00000000001A4000-memory.dmp
memory/1948-55-0x0000000000130000-0x00000000001A4000-memory.dmp
memory/1948-56-0x0000000000130000-0x00000000001A4000-memory.dmp
memory/1948-59-0x0000000004E40000-0x0000000004F1C000-memory.dmp
memory/1948-67-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-60-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-61-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-63-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-65-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-87-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-97-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-99-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-103-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-105-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-109-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-115-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-117-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-119-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-113-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-111-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-107-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-101-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-95-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-93-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-91-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-89-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-85-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-83-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-82-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-79-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-77-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-75-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-73-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-71-0x0000000004E40000-0x0000000004F17000-memory.dmp
memory/1948-69-0x0000000004E40000-0x0000000004F17000-memory.dmp
C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js
| MD5 | 08c46f30149d351c591e9b3b70c9a64e |
| SHA1 | 9b63b98f4329107da1de8a049fa3cbec850b863f |
| SHA256 | 044c9d43801a15f6e8f8a36a77bc71a60f56abd4204e17e15f19be9c2fc2c006 |
| SHA512 | 5ae51bacfe960d71845901b7a293f8f6cea23ee7cd7c854f13a85b5ea17f1d4633a27111dc29d94e13d29e48aa5c6813e53f8405db80dbcf0344d6bdd1050238 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-01 22:37
Reported
2024-05-01 22:42
Platform
win10-20240404-en
Max time kernel
292s
Max time network
301s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4508 created 3304 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | C:\Windows\Explorer.EXE |
| PID 4508 created 3304 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | C:\Windows\Explorer.EXE |
| PID 4508 created 3304 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | C:\Windows\Explorer.EXE |
ZGRat
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe
"C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c move Fancy Fancy.cmd && Fancy.cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 1151
C:\Windows\SysWOW64\findstr.exe
findstr /V "LightsListingConnectivityDown" Replica
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Effect + Competition + Ict + Believe + Harassment + Bios + Burst + Toolbox 1151\R
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif
1151\Pension.pif 1151\R
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm' -Value '"C:\Users\Admin\AppData\Roaming\RegAsm.exe"' -PropertyType 'String'
\??\c:\windows\system32\wscript.EXE
c:\windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js"
C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif
"C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif" "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\T"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | OCRshnWqAOfKySsWABvf.OCRshnWqAOfKySsWABvf | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| NL | 91.92.248.41:56001 | | tcp |
| NL | 91.92.248.41:56002 | | tcp |
| NL | 91.92.248.41:56003 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| NL | 91.92.248.41:56001 | | tcp |
| NL | 91.92.248.41:56002 | | tcp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
| NL | 91.92.248.41:56003 | | tcp |
| NL | 91.92.248.41:56001 | | tcp |
| NL | 91.92.248.41:56002 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 91.92.248.41:56003 | | tcp |
| NL | 91.92.248.41:56001 | | tcp |
| NL | 91.92.248.41:56002 | | tcp |
| NL | 91.92.248.41:56003 | | tcp |
| NL | 91.92.248.41:56001 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fancy
| MD5 | a7e06544f9ad7d58c5705cf1874e03cb |
| SHA1 | a8fff3c4f688fc4f496058d2575115241c958d78 |
| SHA256 | bff5faf70466a49e899282fc84ec428790348d1b141dc3a98e46baa492ce58f2 |
| SHA512 | b0a165e5c60f8f7908080e055fc3f4a43d7773e84a9f6dfd2761f51a4663ffaafff08d3ebddbbc0c7b9a5bcb1d49026fe3713ae48fa223c1c96cb5511170f50d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Replica
| MD5 | cf00f4e9240c539bbf64a1c20def7263 |
| SHA1 | 9aa53cc59aaa7580a85c36a50659759683074568 |
| SHA256 | b90e8420622d3497b0e95496dff0c5f9ca72242aa8ae846d2f71ae85c97bf3c3 |
| SHA512 | 2049857847148a83d295c6cd9485e3dbcb6cc165ac909fb1011e5b9fba78e2afbc1764b0bc06d0eba616080262248e6788cac115d7338e31179a3b4e1097b9a4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Heater
| MD5 | 6007a8ca0455cf69278da9b4b6cb9a12 |
| SHA1 | 27084504d3c62f1a20ec1b6602327e7def4546fb |
| SHA256 | 7d282ee47798d0a129c2961079d94cbebc9940bcbb4d5a39fe464fefc10accf7 |
| SHA512 | f5c9c5f9f556807109ab30dd8373b627034fab72e4f397bb86fa6128fb00223bd4ce4554e97d72fc448643c6798fa45c9291c5c98ca233448cac2aea4203531f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rewards
| MD5 | 00335905a2a89de13de6c2421575eee3 |
| SHA1 | e472af8bbc0ae7729c3a298d87721ae3f079de0e |
| SHA256 | a5a998f37aaad218f989da68e0912fa7661340884b1a421f96e74204e915e87d |
| SHA512 | 85e9e5d774284298bab638330831ccd504f617064307548dc917d290482e9c09612493bb6a696b0f25cd45d885591804d33f978c617fa88dfd8b5530b77c088b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Julie
| MD5 | 88f4d8dbbf1686993d6bbfe5cafc7bec |
| SHA1 | a91f8cfdba4fcc5b13404a20d83e6f2971b9dda7 |
| SHA256 | 58967b46f82093849e3236b019212c4c7e24b1585e46f5549dcad9ff03eb1a84 |