Malware Analysis Report

2025-06-15 21:51

Sample ID: 240501-2jwy7abf54
Target: 1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990
SHA256: 1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990
Tags: zgrat persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990
Threat Level: Known bad

The file 1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990 was found to be: Known bad.

Malicious Activity Summary

Tags: zgrat persistence rat

Detect ZGRat V1

ZGRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Loads dropped DLL

Executes dropped EXE

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Creates scheduled task(s)

Enumerates processes with tasklist

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-01 22:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-01 22:37
Reported: 2024-05-01 22:42
Platform: win7-20231129-en
Max time kernel: 283s
Max time network: 293s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ZGRat

Tags: rat zgrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1276 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe | C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 2144 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1468 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1468 wrote to memory of 2608 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 1468 wrote to memory of 2856 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1468 wrote to memory of 2724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 1468 wrote to memory of 2452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 1468 wrote to memory of 2572 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif
PID 1468 wrote to memory of 2936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2572 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1644 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2572 wrote to memory of 1948 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe
PID 1948 wrote to memory of 7640 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe
    "C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe"

C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Fancy Fancy.cmd && Fancy.cmd

C:\Windows\SysWOW64\tasklist.exe
    tasklist

C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe
    tasklist

C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd /c md 1121

C:\Windows\SysWOW64\findstr.exe
    findstr /V "LightsListingConnectivityDown" Replica

C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b Effect + Competition + Ict + Believe + Harassment + Bios + Burst + Toolbox 1121\R

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif
    1121\Pension.pif 1121\R

C:\Windows\SysWOW64\PING.EXE
    ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe
    cmd /c schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe
    cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & exit

C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm' -Value '"C:\Users\Admin\AppData\Roaming\RegAsm.exe"' -PropertyType 'String'

C:\Windows\system32\taskeng.exe
    taskeng.exe {A0CCD4C4-2F1B-4CE9-9D4A-45BC32E45985} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Windows\system32\wscript.EXE
    C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js"

C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif
    "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif" "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\T"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | OCRshnWqAOfKySsWABvf.OCRshnWqAOfKySsWABvf | udp
NL | 91.92.248.41:56001 | | tcp
NL | 91.92.248.41:56002 | | tcp
NL | 91.92.248.41:56003 | | tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fancy
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Replica
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rewards
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Heater
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Julie
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wiring
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Historical
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cumshots
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Threatening
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Effect
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Competition
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ict
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Believe
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Harassment
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bios
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Burst
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Toolbox
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\Pension.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\R
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1121\RegAsm.exe
C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-01 22:37
Reported: 2024-05-01 22:42
Platform: win10-20240404-en
Max time kernel: 292s
Max time network: 301s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

ZGRat

Tags: rat zgrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegAsm = "C:\\Users\\Admin\\AppData\\Roaming\\RegAsm.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4584 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4584 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4584 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4584 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4584 wrote to memory of 3704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4584 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4584 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4584 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4584 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4584 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4584 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4584 wrote to memory of 344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4584 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4584 wrote to memory of 592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4584 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif
PID 4584 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif
PID 4584 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif
PID 4584 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4584 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4584 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4508 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Windows\SysWOW64\cmd.exe
PID 4508 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4464 wrote to memory of 1984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4508 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe
PID 4508 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe
PID 4508 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe
PID 4508 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe
PID 4508 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe
PID 4912 wrote to memory of 5412 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 5412 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4912 wrote to memory of 5412 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 3828 N/A \??\c:\windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif
PID 1856 wrote to memory of 3828 N/A \??\c:\windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif
PID 1856 wrote to memory of 3828 N/A \??\c:\windows\system32\wscript.EXE C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe

"C:\Users\Admin\AppData\Local\Temp\1b672526eaef5bdddfcb1516db739a86d6c5a916f65a673bd9628a33d138a990.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Fancy Fancy.cmd && Fancy.cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 1151

C:\Windows\SysWOW64\findstr.exe

findstr /V "LightsListingConnectivityDown" Replica

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Effect + Competition + Ict + Believe + Harassment + Bios + Burst + Toolbox 1151\R

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif

1151\Pension.pif 1151\R

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftCraft.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Ecology" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js'" /sc minute /mo 5 /F

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RegAsm' -Value '"C:\Users\Admin\AppData\Roaming\RegAsm.exe"' -PropertyType 'String'

\??\c:\windows\system32\wscript.EXE

c:\windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js"

C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif

"C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.pif" "C:\Users\Admin\AppData\Local\SwiftCraft Solutions\T"

Network

Country Destination Domain Proto
US 8.8.8.8:53 OCRshnWqAOfKySsWABvf.OCRshnWqAOfKySsWABvf udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
NL 91.92.248.41:56001 tcp
NL 91.92.248.41:56002 tcp
NL 91.92.248.41:56003 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
NL 91.92.248.41:56001 tcp
NL 91.92.248.41:56002 tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
NL 91.92.248.41:56003 tcp
NL 91.92.248.41:56001 tcp
NL 91.92.248.41:56002 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 91.92.248.41:56003 tcp
NL 91.92.248.41:56001 tcp
NL 91.92.248.41:56002 tcp
NL 91.92.248.41:56003 tcp
NL 91.92.248.41:56001 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fancy

MD5 a7e06544f9ad7d58c5705cf1874e03cb
SHA1 a8fff3c4f688fc4f496058d2575115241c958d78
SHA256 bff5faf70466a49e899282fc84ec428790348d1b141dc3a98e46baa492ce58f2
SHA512 b0a165e5c60f8f7908080e055fc3f4a43d7773e84a9f6dfd2761f51a4663ffaafff08d3ebddbbc0c7b9a5bcb1d49026fe3713ae48fa223c1c96cb5511170f50d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Replica

MD5 cf00f4e9240c539bbf64a1c20def7263
SHA1 9aa53cc59aaa7580a85c36a50659759683074568
SHA256 b90e8420622d3497b0e95496dff0c5f9ca72242aa8ae846d2f71ae85c97bf3c3
SHA512 2049857847148a83d295c6cd9485e3dbcb6cc165ac909fb1011e5b9fba78e2afbc1764b0bc06d0eba616080262248e6788cac115d7338e31179a3b4e1097b9a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Heater

MD5 6007a8ca0455cf69278da9b4b6cb9a12
SHA1 27084504d3c62f1a20ec1b6602327e7def4546fb
SHA256 7d282ee47798d0a129c2961079d94cbebc9940bcbb4d5a39fe464fefc10accf7
SHA512 f5c9c5f9f556807109ab30dd8373b627034fab72e4f397bb86fa6128fb00223bd4ce4554e97d72fc448643c6798fa45c9291c5c98ca233448cac2aea4203531f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rewards

MD5 00335905a2a89de13de6c2421575eee3
SHA1 e472af8bbc0ae7729c3a298d87721ae3f079de0e
SHA256 a5a998f37aaad218f989da68e0912fa7661340884b1a421f96e74204e915e87d
SHA512 85e9e5d774284298bab638330831ccd504f617064307548dc917d290482e9c09612493bb6a696b0f25cd45d885591804d33f978c617fa88dfd8b5530b77c088b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Julie

MD5 88f4d8dbbf1686993d6bbfe5cafc7bec
SHA1 a91f8cfdba4fcc5b13404a20d83e6f2971b9dda7
SHA256 58967b46f82093849e3236b019212c4c7e24b1585e46f5549dcad9ff03eb1a84
SHA512 0895da59e9049ec87db8f41e806b36bf2cb248cf522f0ae3114774ff020b68a1093db4c0dfcb3f7b8c19752ec4d80a4f48dab5ab092a7c90dfadcc5c36a6f45f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Historical

MD5 8846c829752abfd71bbe95f4ee589929
SHA1 18fa430e7d3a520c20bc5ba1361eec701031924c
SHA256 92421a7f7a3b71741f311e57668ec22c1939a4195a066d3cbc6217d7a1b1d5bd
SHA512 3b41b1d3a43df6d873ba826c51a2c421166eeb84749bbd123340caa280a23468f5468e778e02ab73a7565dcef13955748ac5b5a13791e72f5ef6a641d13544f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wiring

MD5 c186c5f5e43b21e22648d604b76b8742
SHA1 fcc8ea3bea77b4d3d8d61703429d4950f57967ad
SHA256 fd5195e8e4d850db2e81763debed0c70e0dede4ee7667d1540197016dcb8ab6c
SHA512 e692ad7588b5976abb6f96061dd134ea9a66b74afefe506da35cb9e7d33be77887c912824dc99ca850a86ed6bf27c00cfb19bbd6ab900091da30742f4ab5507b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cumshots

MD5 6c623f377545d7205643ccd91755c153
SHA1 be36fe56d62c76b98507e74350a6914d327de2fd
SHA256 25973305f172e577eecf44115e1d474144a206620458592eee2ad262e4337e9b
SHA512 48ed4b6bacdf8ee9975a47d80f51e93d6f148f4a3864fbc5b9b1b0ee6ff157f79d790d961b93f7efdab9384df23afd065b2f0b8ce772f78d6cfab38ed99a6e23

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Threatening

MD5 6804de931c9eb4b3d459ab030cda55ce
SHA1 182fc850106e372587039ff82aaac9386b0cf7d1
SHA256 9a4b7f50afe7000d7babae1ec667117a56ee84859642ed80d5a0ab2222d6fd25
SHA512 af91378384e50990aa38304719a524af0786c7a9df0ae802854ebc094e4482d7d3045ab21a1d1d19bf01a585e5922e183c765dd0f37b0726f0cd5f1d56ab73c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Effect

MD5 662fde8634083a5a8a69e1e234858975
SHA1 b3c7b309ac3acd5f1eb2d5f03b58fc291be9a09c
SHA256 94fea62ec238e1035e6e728c2d3508166b5fa0bab4a43758de5bcc7db73b0bfb
SHA512 6304ed20d7b535e9dbccd5421059b305c53fb7a2d7975d57f181355927baead267f14bb3467959ee4ddf58de19bc992ef9c4a6d174705114d3a5ff65ad290a8b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Competition

MD5 091aae3bd1f07f9e174f53c654c6ed3d
SHA1 68c2da6fca30e5c65f1b286ccf132a6ae7aa71be
SHA256 df762e720c90c439eb5a1ca9af2c6e71bdcc2176bc5678652aea14a01c1d8871
SHA512 63b5280c48ede31e6b1deefa04c88430bc7a322416bcea309a4a03255548a90126a9a27fe1204d18c14844bc758b622ed2f3b932c3b67b982f1d9ff2adb58382

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ict

MD5 dbc4328fcde80bcda7e50313566525cd
SHA1 fe7b8321ae72c5c5148197cf48e8bc986b4f6f3c
SHA256 efe093a2edd597859c6aee6da0b862ff9a75d54cd4b3d0492f7cdf63128a5e85
SHA512 c6f0d8cecfbc7ef137899a8b0512e6efb9bc5f92844845e5744624aa78c2de1f57622c5f43cdd09f1a8cb75ef51fdb70023226c816fccf32777fd5be2e3fe875

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Believe

MD5 84b8963d6e0be7253c0f7439184ede19
SHA1 75c4c2de0abbab955ffdbd3b80750fd6c59db410
SHA256 f1626970f2bb7e4521b5ee25f917d7b32be0fc24c531149f93a9207586a2aa2b
SHA512 429cca6b0ec71446101717c5e164fc028e3f3b7f57e01d23ccae5d8865d0db11db9aeac202b02125d5af0ef0be99bec1574beb5cd3d52b2dd8618e0d26143c4b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Harassment

MD5 b5bb3d9ed2e6d7354c5725b9667fa6e8
SHA1 3742b76d1cad7ad7d6c5c52b444951f7d6830d68
SHA256 f94a7a0952b8929d4b6d4c3af214ad4e50df119a126950263585721ad2a4a9e9
SHA512 426bb2323ab1faeaa6181242b9df0191c153a95b5c1376fbcb1e0b32b68b6cd7ef0d3ae1de17132eb444704d0fcad126796a99164ce132f18777f54563667a0f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bios

MD5 3826c7267e6a33cf0a5caf693ff35467
SHA1 eccec823ab4020e55d96c038e2d4d14042b36b37
SHA256 aaa85412f35cbe97f7c02cd2cf4d8c019ac97ac89c3642915dfa9099027b7472
SHA512 c16705362793d591b3f79fd5ea657cd547797d43e1b0a4f703a7d3108e84f3b91b5a613b589f4ebeb6e5b4c55b33f66c003959226b33b4f7f2f2a842e4449f6e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Burst

MD5 bab73e006009d7a5625e672db9ccd5db
SHA1 eeb7561ab415280608b9e9484d31eb23768150a5
SHA256 3180abd2fb794069731125550ea3e0a6eb71084494a9aef3388699d1df2948c2
SHA512 56e84a6ec40deef4c377191df32090d3cc783630814aecf3585b13c7a6320d5330320246f5bb8424619d5dba16763365d4eab9bc9c39b41512571408d0feef21

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Toolbox

MD5 f5f71d9e2109265bd186ec56ad0dc430
SHA1 3dba226bab4a0d6eb5347d575c4c8d40179ed048
SHA256 f984a61ef127393597b49d46df0ec3482880570c871ccdcacfe329e17c04e6fc
SHA512 1abf749a7b236617f3b26bf58b1fd8d7d4347e73dd3b4494c6b3c338af1dee943559af3f5dac3c748dec3c166d78d6056de188dd4c77434c8c7d8c8ad592f677

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\Pension.pif

MD5 6ee7ddebff0a2b78c7ac30f6e00d1d11
SHA1 f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
SHA256 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
SHA512 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\R

MD5 082fc64ab12fe5617c2d1c39e47087e8
SHA1 b2cb6d76b71c901c9b08442c53b3d703ebfeea90
SHA256 d59d26bd3c8b5180f0edafce17cecf6c4bc1ceb313454d8f89e06faa74451ccb
SHA512 4dc0e23d2302e354ed39d754a6ef71110d8f02cc5bb7d120be6785e8980c79dc1f963b8a524fcf19d77b870a624da08ab53cb2edb7f6516e96f09565f56ffa70

memory/4912-49-0x0000000001370000-0x00000000013E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1151\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/4912-52-0x0000000005790000-0x000000000586C000-memory.dmp

memory/4912-53-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-60-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-58-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-56-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-114-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-112-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-110-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-106-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-104-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-98-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-93-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-84-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-82-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-80-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-78-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-76-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-75-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-70-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-68-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-66-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-64-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-54-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-109-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-103-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-101-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-97-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-95-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-91-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-88-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-86-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-72-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-62-0x0000000005790000-0x0000000005867000-memory.dmp

memory/4912-6337-0x0000000005910000-0x0000000005976000-memory.dmp

memory/5412-6340-0x0000000006AA0000-0x0000000006AD6000-memory.dmp

memory/5412-6341-0x0000000007180000-0x00000000077A8000-memory.dmp

memory/5412-6342-0x00000000070B0000-0x00000000070D2000-memory.dmp

memory/5412-6343-0x00000000077B0000-0x0000000007816000-memory.dmp

memory/5412-6344-0x0000000007B20000-0x0000000007E70000-memory.dmp

memory/5412-6345-0x0000000007AF0000-0x0000000007B0C000-memory.dmp

memory/5412-6346-0x0000000007FC0000-0x000000000800B000-memory.dmp

memory/5412-6347-0x0000000008240000-0x00000000082B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0jqpjuno.tbs.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5412-6362-0x0000000009380000-0x0000000009414000-memory.dmp

memory/5412-6363-0x0000000009060000-0x000000000907A000-memory.dmp

memory/5412-6364-0x00000000090E0000-0x0000000009102000-memory.dmp

memory/5412-6365-0x0000000009920000-0x0000000009E1E000-memory.dmp

C:\Users\Admin\AppData\Local\SwiftCraft Solutions\SwiftCraft.js

MD5 08c46f30149d351c591e9b3b70c9a64e
SHA1 9b63b98f4329107da1de8a049fa3cbec850b863f
SHA256 044c9d43801a15f6e8f8a36a77bc71a60f56abd4204e17e15f19be9c2fc2c006
SHA512 5ae51bacfe960d71845901b7a293f8f6cea23ee7cd7c854f13a85b5ea17f1d4633a27111dc29d94e13d29e48aa5c6813e53f8405db80dbcf0344d6bdd1050238