Malware Analysis Report

2025-08-05 16:19

Sample ID 231023-trjptsab51
Target NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe
SHA256 0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898b
Tags
formbook ey16 rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898b

Threat Level: Known bad

The file NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

formbook ey16 rat spyware stealer trojan

Formbook

Formbook payload

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-23 16:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-23 16:17

Reported

2023-10-23 16:21

Platform

win7-20231020-en

Max time kernel

150s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\raserver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1168 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1168 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\schtasks.exe
PID 1168 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\schtasks.exe
PID 1168 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\schtasks.exe
PID 1168 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\schtasks.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1168 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1232 wrote to memory of 564 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\raserver.exe
PID 1232 wrote to memory of 564 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\raserver.exe
PID 1232 wrote to memory of 564 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\raserver.exe
PID 1232 wrote to memory of 564 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\raserver.exe
PID 564 wrote to memory of 2628 N/A C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2628 N/A C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2628 N/A C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\cmd.exe
PID 564 wrote to memory of 2628 N/A C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HQgFNd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HQgFNd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF151.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\raserver.exe

"C:\Windows\SysWOW64\raserver.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmpF151.tmp

MD5 34228ce51b7ab202e733dc15a22b57d3
SHA1 fb8eb8b9fe01d5219e9d7f2f357de8ab54449663
SHA256 c95b5606d9573d67ed9f7aace0ba7f65f3528b9240a9ef9e8842e9c10fa28911
SHA512 980ddef85691d6c1011e28c461f04d8f041958927f65f8ad216cc4161eedb546a2ac81d84e964a1995da257b356c867189bc5ee726bee47d17e773384851c171

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-23 16:17

Reported

2023-10-23 16:22

Platform

win10v2004-20231020-en

Max time kernel

150s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A
N/A N/A C:\Windows\SysWOW64\WWAHost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WWAHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 700 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 700 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 700 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 700 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\schtasks.exe
PID 700 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\schtasks.exe
PID 700 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\SysWOW64\schtasks.exe
PID 700 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 700 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 700 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 700 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 700 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 700 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3204 wrote to memory of 3948 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\WWAHost.exe
PID 3204 wrote to memory of 3948 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\WWAHost.exe
PID 3204 wrote to memory of 3948 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\WWAHost.exe
PID 3948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4760 N/A C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.0f6bd3f07adcb52e4e0a94d3fcc307b0780cdcd2e02ff3640474cd32303b898bexe_JC.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HQgFNd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HQgFNd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A26.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WWAHost.exe

"C:\Windows\SysWOW64\WWAHost.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 254.105.26.67.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 www.trsmine.com udp
US 208.109.57.58:80 www.trsmine.com tcp
US 8.8.8.8:53 58.57.109.208.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.phons.info udp
US 8.8.8.8:53 www.birbakalim.fun udp
TR 93.89.226.17:80 www.birbakalim.fun tcp
US 8.8.8.8:53 17.226.89.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp3A26.tmp

MD5 86765daf23d59204f72d1f7816fd60fa
SHA1 9cdd046e95614bcc2b825dabb43a0125a526e70c
SHA256 1ce03266b8398e4789a1a0adc82c28e1bbf721824afe3d5b14abf0699f8668cf
SHA512 c2091074da5e3a585f5b8d1db4dcd649ccde86e660ab5c4878c4df8405afccd62d7ae89a2ccf0611506a1ecef7805d49c7c0cf92c04ce4f97b8b6b4c1a22d433

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uq42jslb.hkt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
