Analysis Overview
SHA256
fc15d03d19f3f1a41c48188d6c014ae3086b453c1380604e9cc5809d1747fd52
Threat Level: Known bad
The file NEW2-P0-6768-67.js was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
WSHRAT
NanoCore
suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
WSHRAT Payload
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-11-01 09:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-01 09:33
Reported
2021-11-01 09:35
Platform
win7-en-20211014
Max time kernel
147s
Max time network
150s
Command Line
Signatures
NanoCore
WSHRAT
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Executes dropped EXE
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpqrs.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpqrs.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Roaming\cmdc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lpqrs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lpqrs.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\lpqrs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lpqrs.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\wshsdk\python.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\wshsdk\python.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW2-P0-6768-67.js
C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
"C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lpqrs.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 572
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 568
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 572
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Users\Admin\AppData\Roaming\cmdc.exe
"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 568
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Roaming\cmdc.exe
"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 580
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Roaming\wshlogs"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 576
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
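The Run-key values in the "Adds Run key to start application" table (wscript.exe //B on lpqrs.vbs, and the .pif launcher under the 18842794 directory) and the process list above are what a detection engineer would turn into rules. The following is an added example, not code from the report or from the sandbox vendor: it classifies process-creation events for the behaviours listed on this page and also decodes the report's escaped Run-key strings so they can be run through the same rules. The parent processes, the user-writable directory list, the rule names and the benign control event are this example's assumptions; the command lines are copied from the report.

```python
"""Added example (not from the report): flag the process-tree and Run-key behaviours
listed above in process-creation telemetry. Parent processes below are assumptions."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    image: str    # path of the created process
    cmdline: str  # command line as logged
    parent: str   # path of the parent process (assumed in the sample below)

# Directories an unprivileged user can write to; launching from here is itself a signal
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

def decode_reg_value(raw: str) -> str:
    r"""Undo the escaping the report applies to registry strings: drop the outer
    quotes, turn \\ into \ and \" into a plain double quote."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in '\\"':
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

def image_from_cmdline(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""

def run_value_event(raw_value: str) -> ProcEvent:
    """Model a Run-key value as the process Explorer starts at logon (parent assumed)."""
    cmd = decode_reg_value(raw_value)
    return ProcEvent(image_from_cmdline(cmd), cmd, r"C:\Windows\explorer.exe")

def classify(ev: ProcEvent) -> list:
    """Names of every behaviour rule the event matches; an empty list means clean."""
    img, cmd, par = ev.image.lower(), ev.cmdline.lower(), ev.parent.lower()
    is_wsh = img.endswith(("wscript.exe", "cscript.exe"))
    hits = []
    # //B is WSH batch mode (no script error dialogs), as in the lpqrs Run key
    if is_wsh and re.search(r"(^|\s)//b(\s|$)", cmd):
        hits.append("wsh_batch_mode")
    # The binary, or the script a WSH host runs, lives in a user-writable directory
    if any(d in img for d in USER_WRITABLE) or (is_wsh and any(d in cmd for d in USER_WRITABLE)):
        hits.append("user_writable_path")
    if img.endswith(".pif"):
        hits.append("pif_launcher")
    # RegSvcs/RegAsm are signed .NET utilities often used as hollowing hosts; a parent
    # outside C:\Windows is the tell (pairs with the SetThreadContext/WriteProcessMemory hits)
    if img.endswith(("regsvcs.exe", "regasm.exe")) and not par.startswith("c:\\windows\\"):
        hits.append("regsvcs_unusual_parent")
    # PowerShell reading Windows.Security.Credentials.PasswordVault with RetrievePassword()
    if img.endswith("powershell.exe") and "passwordvault" in cmd and "retrievepassword" in cmd:
        hits.append("credential_vault_dump")
    if img.endswith("taskkill.exe") and {"/f", "/im"} <= set(cmd.split()):
        hits.append("forced_process_kill")
    # /stext is the save-as-text switch of common password-recovery utilities
    if re.search(r"\s/stext(\s|$)", cmd):
        hits.append("stext_credential_dump")
    return hits

# Constructed sample: command lines taken from this report, parent processes assumed
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW2-P0-6768-67.js", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif",
              r'"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs', r"C:\Windows\SysWOW64\WScript.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
              r"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif"),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]"
              " $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }",
              r"C:\Windows\SysWOW64\wscript.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM cmdc.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(r"C:\Users\Admin\AppData\Roaming\cmdc.exe",
              r'"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata',
              r"C:\Windows\SysWOW64\wscript.exe"),
    # Benign control: a vendor script run from Program Files must not fire anything
    ProcEvent(r"C:\Windows\System32\cscript.exe", r'cscript.exe "C:\Program Files\Vendor\inventory.vbs"',
              r"C:\Windows\System32\cmd.exe"),
]

# The two Run-key values from the report, escaped exactly as the report prints them
RUN_VALUES = [
    r'"wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lpqrs.vbs\""',
    r'"C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs"',
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS + [run_value_event(v) for v in RUN_VALUES]:
        print(f"{ev.image}: {classify(ev) or 'clean'}")
```

The rules are deliberately narrow: `regsvcs_unusual_parent` keys on the parent, not on RegSvcs.exe itself, because the image is a legitimate signed .NET utility and only the parent (here a .pif under AppData\Roaming) makes it suspicious; `wsh_batch_mode` alone would also match harmless logon scripts, which is why the user-writable-path rule is kept separate so an analyst can require both. The benign cscript.exe event at the end documents what the rules must not fire on.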
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | newmoey2022.duckdns.org | udp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| US | 8.8.8.8:53 | wshsoft.company | udp |
| SG | 194.59.164.67:80 | wshsoft.company | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |
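An added example, not part of the report, that groups the rows of the Network table above by endpoint and flags the traits a triage analyst looks for: a dynamic-DNS hostname, a port outside the usual client set, repeated connections to one endpoint, and a query to an external-IP service. The provider list, the port set and the repeat threshold are assumptions of this example; the rows are copied from the table.

```python
"""Added example (not from the report): triage the Network table above into
candidate C2 endpoints. Provider and port lists are this example's assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Free dynamic-DNS providers commonly seen in RAT C2 (partial list, an assumption here)
DDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "no-ip.org", "ddns.net", "hopto.org", "zapto.org", "myftp.biz")
# Services that return the caller's public IP; RATs query them to tag the victim
IP_LOOKUP_HOSTS = ("ip-api.com", "ipinfo.io", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com")
# Ports a client usually talks to; anything else is worth a look
COMMON_PORTS = {21, 22, 25, 80, 443, 587, 993, 995}

@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str

def parse_row(line: str) -> Optional[Conn]:
    """Parse one '| Country | ip:port | domain | proto |' row; None for the header or junk."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return Conn(country, ip, int(port), domain.lower(), proto.lower())

def is_ddns(domain: str) -> bool:
    """True when the name is, or sits under, a known dynamic-DNS zone."""
    return any(domain == s or domain.endswith("." + s) for s in DDNS_SUFFIXES)

def summarize(rows: List[str], beacon_min: int = 3) -> Dict[Tuple[str, str, int], dict]:
    """Group connections by (domain, ip, port), skip resolver traffic, flag each endpoint."""
    conns = [c for c in map(parse_row, rows) if c is not None]
    counts = Counter((c.domain, c.ip, c.port, c.proto) for c in conns)
    out = {}
    for (domain, ip, port, proto), n in counts.items():
        if proto == "udp" and port == 53:
            continue  # DNS lookups; the interesting part is what the answer connects to
        flags = []
        if is_ddns(domain):
            flags.append("dynamic_dns")
        if domain in IP_LOOKUP_HOSTS:
            flags.append("external_ip_lookup")
        if port not in COMMON_PORTS:
            flags.append("uncommon_port")
        if n >= beacon_min:
            flags.append("repeated_connections")  # same endpoint hit again and again: beacon-like
        out[(domain, ip, port)] = {"count": n, "flags": flags}
    return out

def likely_c2(summary: Dict[Tuple[str, str, int], dict]) -> List[Tuple[str, str, int]]:
    """Endpoints carrying at least two flags, busiest first."""
    hits = [k for k, v in summary.items() if len(v["flags"]) >= 2]
    return sorted(hits, key=lambda k: -summary[k]["count"])

# Rows copied from this report's Network table (header included to show it is skipped);
# the 4 + 7 duckdns rows reproduce the table's eleven connections to port 5001
SAMPLE_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| US | 8.8.8.8:53 | ip-api.com | udp |",
    "| US | 208.95.112.1:80 | ip-api.com | tcp |",
    "| US | 8.8.8.8:53 | newmoey2022.duckdns.org | udp |",
    *["| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |"] * 4,
    "| US | 8.8.8.8:53 | wshsoft.company | udp |",
    "| SG | 194.59.164.67:80 | wshsoft.company | tcp |",
    *["| NL | 5.206.227.170:5001 | newmoey2022.duckdns.org | tcp |"] * 7,
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for key in likely_c2(summary):
        print(key, summary[key])
```

On this report the heuristics single out newmoey2022.duckdns.org on 5.206.227.170:5001 (dynamic DNS, uncommon port, eleven connections in a 150-second run) and mark ip-api.com as the external-IP lookup. They say nothing about wshsoft.company, a single plain-HTTP fetch on port 80, even though the Suricata alert "WSHRAT Credential Dump Module Download Command Inbound" is what identifies that traffic as the credential-module download. That gap is the point of the caveat: endpoint heuristics rank the beacon, but signature and sandbox verdicts are still needed to catch a one-off payload fetch over an ordinary port.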
Files
memory/920-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
| MD5 | acd33bd14ede9c9b8c9976aeb71c7b84 |
| SHA1 | 920376976654d43130b75be9e99e718f4439f055 |
| SHA256 | 6e4a19b659a324b6aad034c4d19b8eaed38d0e5aff6259c06301187728afd706 |
| SHA512 | 31ce2d1bc8cb08563c18c4098954550dc1be93a63541c8e76bebf1af2c1e70f4c792a8b6295c2a22d2c17a6144b793dc04b9d7570a84927ff72ffad63c97cfdd |
memory/920-57-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
| MD5 | acd33bd14ede9c9b8c9976aeb71c7b84 |
| SHA1 | 920376976654d43130b75be9e99e718f4439f055 |
| SHA256 | 6e4a19b659a324b6aad034c4d19b8eaed38d0e5aff6259c06301187728afd706 |
| SHA512 | 31ce2d1bc8cb08563c18c4098954550dc1be93a63541c8e76bebf1af2c1e70f4c792a8b6295c2a22d2c17a6144b793dc04b9d7570a84927ff72ffad63c97cfdd |
\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/748-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\18842794\etgir.ecs
| MD5 | 778e5f2719a093daf77a10ab46875601 |
| SHA1 | 6e03a030ef2c3ccf4394dfe394f51419ca6dd7b2 |
| SHA256 | 2eb55bbc594753982cd5673668f6e67486cd8b3229316e0265bec16028ea9a41 |
| SHA512 | 1d377ba6ae4798ba5b4369b1f705b6c14faa00e1f42f6eb63fa77cf7e31dc000fc1f9ef1cd2c19f54ad3927500bc117601286140e293b3f5e4bcf83834d05ca3 |
C:\Users\Admin\AppData\Roaming\18842794\dvotcvx.log
| MD5 | 59bdbfb6e20ad5b4a3bbeed9c62ed314 |
| SHA1 | 10132709b402441f9cc6f1021e9c3b61db01bed5 |
| SHA256 | e36a730afb689d00b52fa1a5278cd279125e677b3dfea1e6b099bcaaa58de454 |
| SHA512 | d577af5a61fcedd7a13b1834107aa720f21161ca4804f4f5bae1dff74782c19dee2b37d8cef9bae5f6886911054c76ec296abe2a90329e08937a9253cfe657da |
C:\Users\Admin\AppData\Roaming\18842794\gvblfm.ons
| MD5 | 85672907dd0d996e5071183992f0cfcc |
| SHA1 | b964fa305568e0a1c6650cbf757860e46fac03b6 |
| SHA256 | d26d9f25d12065a33c315d8a46e106b942670c06d44a68c5e87469c20a706e7e |
| SHA512 | afa4f1eb0a5b21b47ede1faf8f602eff83adb6e1e3122097b2f7e74eb324d5f7e5c05696636fa4737f6fdf6d8bfa656b76c190d03bc800ca9fb1baf39f72c1c0 |
memory/764-69-0x00000000002D0000-0x000000000094F000-memory.dmp
memory/764-70-0x00000000002D0000-0x000000000094F000-memory.dmp
memory/764-71-0x00000000003542DE-mapping.dmp
memory/764-72-0x00000000002D0000-0x000000000094F000-memory.dmp
memory/2020-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\lpqrs.vbs
| MD5 | 5658911b9b2d37c8af76d69894a71560 |
| SHA1 | 7a3c3c8aa612ad29bac588b7b7752e845f375c3e |
| SHA256 | 8a39adb54f4e23943516e8afed6fb5f37f0c8f07cee86b6870d019836d9f130b |
| SHA512 | bd720303a11b25d6f9452da075af3deff0e038eff65bc9b5a203f246f795f6662d7a001e3be5321ec5356c59629e0ec404bddd779afaf76efbc18fffff95ad47 |
memory/1380-77-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\18842794\run.vbs
| MD5 | 57c8cbab6e1d2f90603a38ab68154078 |
| SHA1 | 3609ff08ea685d07324510219634fba6656e7bed |
| SHA256 | dd70c564524aa0938eee48040462752357b2658ab3404c712444439907428bb9 |
| SHA512 | 135219d575fc5334bb01111d85f900ee501f5c0818a8215a00a7eea565a396e9a369c064bc91b1eb6ad2743e1a9b07300e5cfe5c5b990d5cf331f6380adbccf5 |
memory/328-81-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
memory/1760-84-0x0000000000420000-0x0000000000B5D000-memory.dmp
memory/1760-85-0x0000000000420000-0x0000000000B5D000-memory.dmp
memory/1760-86-0x00000000004A42DE-mapping.dmp
memory/1760-87-0x0000000000420000-0x0000000000B5D000-memory.dmp
memory/792-89-0x0000000000000000-mapping.dmp
memory/1904-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe
| MD5 | e03cbf90f6ed0c8075e5092621555990 |
| SHA1 | 18ced6a9659a87b7d1458cdb6ce8409219299fc1 |
| SHA256 | 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9 |
| SHA512 | f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d |
\Users\Admin\AppData\Roaming\wshsdk\python37.dll
| MD5 | 7f0b34248c228bebc731ef155b50bbff |
| SHA1 | 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44 |
| SHA256 | 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578 |
| SHA512 | fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | ac290dad7cb4ca2d93516580452eda1c |
| SHA1 | fa949453557d0049d723f9615e4f390010520eda |
| SHA256 | c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382 |
| SHA512 | b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 849f2c3ebf1fcba33d16153692d5810f |
| SHA1 | 1f8eda52d31512ebfdd546be60990b95c8e28bfb |
| SHA256 | 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d |
| SHA512 | 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | a2f2258c32e3ba9abf9e9e38ef7da8c9 |
| SHA1 | 116846ca871114b7c54148ab2d968f364da6142f |
| SHA256 | 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33 |
| SHA512 | e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 8b0ba750e7b15300482ce6c961a932f0 |
| SHA1 | 71a2f5d76d23e48cef8f258eaad63e586cfc0e19 |
| SHA256 | bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed |
| SHA512 | fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 72e28c902cd947f9a3425b19ac5a64bd |
| SHA1 | 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7 |
| SHA256 | 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1 |
| SHA512 | 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | fefb98394cb9ef4368da798deab00e21 |
| SHA1 | 316d86926b558c9f3f6133739c1a8477b9e60740 |
| SHA256 | b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7 |
| SHA512 | 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 93d3da06bf894f4fa21007bee06b5e7d |
| SHA1 | 1e47230a7ebcfaf643087a1929a385e0d554ad15 |
| SHA256 | f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d |
| SHA512 | 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 404604cd100a1e60dfdaf6ecf5ba14c0 |
| SHA1 | 58469835ab4b916927b3cabf54aee4f380ff6748 |
| SHA256 | 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c |
| SHA512 | da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 0d1aa99ed8069ba73cfd74b0fddc7b3a |
| SHA1 | ba1f5384072df8af5743f81fd02c98773b5ed147 |
| SHA256 | 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1 |
| SHA512 | 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l2-1-0.dll
| MD5 | e479444bdd4ae4577fd32314a68f5d28 |
| SHA1 | 77edf9509a252e886d4da388bf9c9294d95498eb |
| SHA256 | c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719 |
| SHA512 | 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | babf80608fd68a09656871ec8597296c |
| SHA1 | 33952578924b0376ca4ae6a10b8d4ed749d10688 |
| SHA256 | 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca |
| SHA512 | 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-2-0.dll
| MD5 | e2f648ae40d234a3892e1455b4dbbe05 |
| SHA1 | d9d750e828b629cfb7b402a3442947545d8d781b |
| SHA256 | c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03 |
| SHA512 | 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | d0289835d97d103bad0dd7b9637538a1 |
| SHA1 | 8ceebe1e9abb0044808122557de8aab28ad14575 |
| SHA256 | 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a |
| SHA512 | 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-localization-l1-2-0.dll
| MD5 | eff11130bfe0d9c90c0026bf2fb219ae |
| SHA1 | cf4c89a6e46090d3d8feeb9eb697aea8a26e4088 |
| SHA256 | 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97 |
| SHA512 | 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add |
\Users\Admin\AppData\Roaming\wshsdk\ucrtbase.dll
| MD5 | d6326267ae77655f312d2287903db4d3 |
| SHA1 | 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f |
| SHA256 | 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9 |
| SHA512 | 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 41a348f9bedc8681fb30fa78e45edb24 |
| SHA1 | 66e76c0574a549f293323dd6f863a8a5b54f3f9b |
| SHA256 | c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b |
| SHA512 | 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204 |
\Users\Admin\AppData\Roaming\wshsdk\vcruntime140.dll
| MD5 | ae96651cfbd18991d186a029cbecb30c |
| SHA1 | 18df8af1022b5cb188e3ee98ac5b4da24ac9c526 |
| SHA256 | 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1 |
| SHA512 | 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-01 09:33
Reported
2021-11-01 09:35
Platform
win10-en-20210920
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3648 wrote to memory of 508 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe |
| PID 3648 wrote to memory of 508 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe |
| PID 3648 wrote to memory of 508 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe |
| PID 508 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif |
| PID 508 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif |
| PID 508 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe | C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW2-P0-6768-67.js
C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
"C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe"
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 40.119.148.38:123 | time.windows.com | udp |
Files
memory/508-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
| MD5 | acd33bd14ede9c9b8c9976aeb71c7b84 |
| SHA1 | 920376976654d43130b75be9e99e718f4439f055 |
| SHA256 | 6e4a19b659a324b6aad034c4d19b8eaed38d0e5aff6259c06301187728afd706 |
| SHA512 | 31ce2d1bc8cb08563c18c4098954550dc1be93a63541c8e76bebf1af2c1e70f4c792a8b6295c2a22d2c17a6144b793dc04b9d7570a84927ff72ffad63c97cfdd |
memory/1168-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
| MD5 | e1f85da023a9f5784e38a37c16c777e6 |
| SHA1 | 6623fe6bb1903311cfa96ebdcd25822bc4f221ef |
| SHA256 | f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162 |
| SHA512 | 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba |