Malware Analysis Report

2024-11-15 08:44

Sample ID 240510-br1n8sdh34
Target 437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831
SHA256 437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831
Tags
agenttesla zgrat keylogger rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831

Threat Level: Known bad

The file 437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831 was found to be: Known bad.

Malicious Activity Summary

agenttesla zgrat keylogger rat spyware stealer trojan

Detect ZGRat V1

ZGRat

AgentTesla

Looks up external IP address via web service

Suspicious use of SetThreadContext

AutoIT Executable

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 01:23

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 01:23

Reported

2024-05-10 01:26

Platform

win10v2004-20240426-en

Max time kernel

145s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3380 set thread context of 3412 N/A C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1236 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
PID 732 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe
PID 3380 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/1236-10-0x0000000003C30000-0x0000000003C34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\prophetesses

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\conged

MD5 75bac33d2f9686ca5a73c23c0499d3c7
SHA1 51cc3027dc9f25d9f8303de574133c0ef6226dba
SHA256 d0ad39e0760c18c0637a6ba84309295db9104a91e30bf13c1dffbb92c5da9ce7
SHA512 70a7d7dac136b1c6ea1f391470a01195319b60945550f9ab37c15b9e766e5f343f82489c8424d83f1d4fa1c8ddc09efc80e5e922b8d59a455ac7773232ef1520

C:\Users\Admin\AppData\Local\Temp\prophetesses

MD5 93f4871f51579b651ca84b1c08b19379
SHA1 bf43ce45181e41cb689bd89bc48548bee0f71221
SHA256 98136aa972cd8c40692b1d582c4191d2b2c5f610cba49a454469642ba7738900
SHA512 ffc120889e216ac9acce071ccdf78231debabaabb75ec1de23cb30518ef144aa7e6d2138f67f818d271994bd4f743c1d5ca89b4f9f35c3a301a6cada597d7402

C:\Users\Admin\AppData\Local\Temp\aut79B4.tmp

MD5 7bde5cead8dc88649fd9a646987d681b
SHA1 bac867ff6c74d0fc9e303a419856542a1e65fcf0
SHA256 85b581de960dc784124a8c937dae07c17412a0ca44fad8fc4a3554dee60a1b39
SHA512 6204008f3904271656452630be8a5bbc2e4871c68d9a11fe1505210da2187e932ab69e7950af6ab79fb0d4e90db989e2b303c081474518652df48f2747e0074b

C:\Users\Admin\AppData\Local\Temp\prophetesses

MD5 4e79f81a94866e0630f2ac3bea08b706
SHA1 c56d834ac8c8928c7291a2ea183bf1342bd3bee2
SHA256 501d2385a7f215159fa32727d8791a2b62e033ed336c327f6d5fc4fb7c09728a
SHA512 80bd22db86705e50b4b8395742945ae04e0055659e42182af966fab8a19f9b9dcacde77137fc5c2d7d6c50b7e1613256082f3caba8b08694281874d9f2152071

C:\Users\Admin\AppData\Local\Temp\aut79D4.tmp

MD5 c716019e0d264b1dadd72e704190699b
SHA1 3b922810e3981240b567baac1d7ae2082fbadb90
SHA256 138aae39695cc7715c5ceb2109f42a669480424179a5487d053bd6b8ec8beaa1
SHA512 30b2ac411506483244aae97d8ee971c001ad4465edc3a8255c00923e0be0092976a3e2752568d3240a4354807753c0e29a8901a2b71c3c6acf0a334c5b1bfca4


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 01:23

Reported

2024-05-10 01:26

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2256 set thread context of 2364 N/A C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\437ead7b2bb32872480a15c9e391792b939d6feb944f45a756f3dc84d9168831.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp

Files

memory/2256-10-0x0000000000690000-0x0000000000694000-memory.dmp
