Malware Analysis Report

2024-10-24 17:01

Sample ID 230223-tzbzysge48
Target 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe
SHA256 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff
Tags
hzrat backdoor upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff

Threat Level: Known bad

The file 9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe was found to be: Known bad.

Malicious Activity Summary

hzrat backdoor upx

Detects HZRAT backdoor

HZRAT

Checks computer location settings

Loads dropped DLL

UPX packed file

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-23 16:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-23 16:29

Reported

2023-02-23 16:31

Platform

win7-20230220-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe"

Signatures

Detects HZRAT backdoor

Description Indicator Process Target
N/A N/A N/A N/A

HZRAT

backdoor hzrat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe C:\Windows\SysWOW64\wscript.exe
PID 1308 wrote to memory of 268 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 1440 N/A C:\Windows\SysWOW64\wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe
PID 268 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\城管自动追呼系统V8.6_8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe

"C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe"

C:\Windows\SysWOW64\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\install.vbs 城管自动追呼系统V8.6_8.exe default.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K 城管自动追呼系统V8.6_8.exe & exit

C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe

"C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\城管自动追呼系统V8.6_8.exe

城管自动追呼系统V8.6_8.exe

Network

Country Destination Domain Proto
N/A 172.16.80.22:8081 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\install.vbs

MD5 90a1ba69792dcb304a28a848a44c60b9
SHA1 7cda38f0a65d27769d51bc753b54ebfddf6cd623
SHA256 f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20
SHA512 1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71

C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe

MD5 b7e2a2bc66eff2194fe89c3b39492725
SHA1 3dd67cf891ca0ab0ddcb21f352b6b82c7189a5db
SHA256 1da10fa2615093bd3cff95c69b8ccaa796ec0ecd6192357e90bc7d26c0f2e4b0
SHA512 bdc5b7649060cda02cf74ac1a13c6770798ca5068a735c1e523a29e328b081c447a6468efb3e0b9ed18b3e3f172fca219bad021d1c84208d8513ba46cb7c8854

\Users\Admin\AppData\Local\Temp\7zS8B761C0C\default.exe

MD5 b7e2a2bc66eff2194fe89c3b39492725
SHA1 3dd67cf891ca0ab0ddcb21f352b6b82c7189a5db
SHA256 1da10fa2615093bd3cff95c69b8ccaa796ec0ecd6192357e90bc7d26c0f2e4b0
SHA512 bdc5b7649060cda02cf74ac1a13c6770798ca5068a735c1e523a29e328b081c447a6468efb3e0b9ed18b3e3f172fca219bad021d1c84208d8513ba46cb7c8854

C:\Users\Admin\AppData\Local\Temp\7zS8B761C0C\城管自动追呼系统V8.6_8.exe

MD5 3dbbf5c43df2b3a6ca03fff37ec0ba94
SHA1 cc3e2bbaa0c498b4952763a2565ca9c0fe65f8eb
SHA256 5aba0e6886f8bffdfe6b261ad84be78db8a48e188eb8baeb788980456f183dce
SHA512 aab09928c4aeb223bd02240b9ec97789f2507b4f427574fb8c5f1dc13d831e7bd32f1b42b3a4effeb973ac7d3c76f98057a383d9dc4c7fbd0e2ff959e8eece7a

\Users\Admin\AppData\Local\Temp\7zS8B761C0C\城管自动追呼系统V8.6_8.exe

MD5 3dbbf5c43df2b3a6ca03fff37ec0ba94
SHA1 cc3e2bbaa0c498b4952763a2565ca9c0fe65f8eb
SHA256 5aba0e6886f8bffdfe6b261ad84be78db8a48e188eb8baeb788980456f183dce
SHA512 aab09928c4aeb223bd02240b9ec97789f2507b4f427574fb8c5f1dc13d831e7bd32f1b42b3a4effeb973ac7d3c76f98057a383d9dc4c7fbd0e2ff959e8eece7a

memory/1468-73-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-74-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-75-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-77-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-79-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-81-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-83-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-85-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-87-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-89-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-91-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-93-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-95-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-97-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-99-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-101-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-103-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-105-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-107-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-109-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-111-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-113-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-115-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1468-116-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1440-117-0x0000000000400000-0x00000000004B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-23 16:29

Reported

2023-02-23 16:31

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe"

Signatures

Detects HZRAT backdoor

Description Indicator Process Target
N/A N/A N/A N/A

HZRAT

backdoor hzrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe C:\Windows\SysWOW64\wscript.exe
PID 3896 wrote to memory of 4736 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 1180 N/A C:\Windows\SysWOW64\wscript.exe C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\default.exe
PID 4736 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\城管自动追呼系统V8.6_8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe

"C:\Users\Admin\AppData\Local\Temp\9807bdffa7bc59d5355227522db539d9fa80791ba0e23bdbfbbd076b64f15eff.exe"

C:\Windows\SysWOW64\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\install.vbs 城管自动追呼系统V8.6_8.exe default.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /K 城管自动追呼系统V8.6_8.exe & exit

C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\城管自动追呼系统V8.6_8.exe

城管自动追呼系统V8.6_8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\default.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\default.exe"

Network

Country Destination Domain Proto
N/A 172.16.80.22:8081 tcp
US 20.189.173.4:443 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
N/A 172.16.80.22:8081 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
N/A 172.16.80.22:8081 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\install.vbs

MD5 90a1ba69792dcb304a28a848a44c60b9
SHA1 7cda38f0a65d27769d51bc753b54ebfddf6cd623
SHA256 f1e4c02163e3e66f493c784d9b1301de6e53bf4bcffa02a84931f3682fcfdc20
SHA512 1a770f3ea7d3ccf3deba7c8a93d9dbd054da2c3b6854224f14e9c81a4fc083fd63e36af602e4be9b65074495f427522bee7b83545d281770dc95ca44ba552f71

C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\default.exe

MD5 b7e2a2bc66eff2194fe89c3b39492725
SHA1 3dd67cf891ca0ab0ddcb21f352b6b82c7189a5db
SHA256 1da10fa2615093bd3cff95c69b8ccaa796ec0ecd6192357e90bc7d26c0f2e4b0
SHA512 bdc5b7649060cda02cf74ac1a13c6770798ca5068a735c1e523a29e328b081c447a6468efb3e0b9ed18b3e3f172fca219bad021d1c84208d8513ba46cb7c8854

C:\Users\Admin\AppData\Local\Temp\7zSC93D67B6\城管自动追呼系统V8.6_8.exe

MD5 3dbbf5c43df2b3a6ca03fff37ec0ba94
SHA1 cc3e2bbaa0c498b4952763a2565ca9c0fe65f8eb
SHA256 5aba0e6886f8bffdfe6b261ad84be78db8a48e188eb8baeb788980456f183dce
SHA512 aab09928c4aeb223bd02240b9ec97789f2507b4f427574fb8c5f1dc13d831e7bd32f1b42b3a4effeb973ac7d3c76f98057a383d9dc4c7fbd0e2ff959e8eece7a

memory/1564-145-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-146-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-147-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-149-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-151-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-153-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-155-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-157-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-159-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-161-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-163-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-165-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-167-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-169-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-171-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-173-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-175-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-177-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-179-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-181-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-183-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-185-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-187-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1564-188-0x0000000010000000-0x000000001003D000-memory.dmp

memory/1180-189-0x0000000000400000-0x00000000004B4000-memory.dmp