Malware Analysis Report

2025-04-14 08:30

Sample ID 211101-lh8nlaebgj
Target NEW2-P0-6768-67.js
SHA256 fc15d03d19f3f1a41c48188d6c014ae3086b453c1380604e9cc5809d1747fd52
Tags
nanocore wshrat collection keylogger persistence spyware stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

fc15d03d19f3f1a41c48188d6c014ae3086b453c1380604e9cc5809d1747fd52

Threat Level: Known bad

The file NEW2-P0-6768-67.js was found to be: Known bad.

Malicious Activity Summary

nanocore wshrat collection keylogger persistence spyware stealer suricata trojan

suricata: ET MALWARE WSHRAT CnC Checkin

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

WSHRAT

NanoCore

suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

WSHRAT Payload

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-11-01 09:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-01 09:33

Reported

2021-11-01 09:35

Platform

win7-en-20211014

Max time kernel

147s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW2-P0-6768-67.js

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

WSHRAT

trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

suricata: ET MALWARE WSHRAT CnC Checkin

suricata

suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound

suricata

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpqrs.vbs C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpqrs.vbs C:\Windows\SysWOW64\wscript.exe N/A

Loads dropped DLL

Count Description Indicator Process Target
4 N/A N/A C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe N/A
1 N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
59 N/A N/A C:\Users\Admin\AppData\Roaming\wshsdk\python.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Roaming\cmdc.exe N/A

Adds Run key to start application

persistence
Count Description Indicator Process Target
16 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif N/A
2 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" C:\Windows\SysWOW64\WerFault.exe N/A
16 Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif N/A
2 Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\WerFault.exe N/A
1 Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
1 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lpqrs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lpqrs.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
1 Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
1 Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\lpqrs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lpqrs.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
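The two persistence tables above ("Drops startup file" and "Adds Run key to start application") are where a responder decides what to clean up: the WSHRAT stage registers lpqrs.vbs under both HKLM and HKCU Run and also drops it into the Startup folder, while the NanoCore stage registers sbwfgsqs.pif under a value named "WindowsUpdate". The script below is an added example, not the sandbox's own tooling. It parses rows in the layout the report prints (description, indicator, process, target, separated by spaces; a leading repeat count is ignored), merges rows that differ only in the writing process, and attaches the heuristics an analyst would apply by hand: a script host started with //B (hidden window), a target under a user-writable directory, an unusual file type such as .pif or .vbs, and a value name that imitates a Windows component but points outside C:\Windows. The sample rows are copied from the tables on this page; the heuristic names and thresholds are the example's own choices.

```python
"""Triage the autorun rows of a sandbox signature table (added example)."""
import re
from dataclasses import dataclass, field

# Registry data is printed as a C-style escaped string, so match the escapes.
SET_VALUE = re.compile(
    r'^(?:\d+ )?Set value \(str\) (?P<key>\S+) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<proc>\S+) \S+$')
FILE_CREATED = re.compile(r'^(?:\d+ )?File created (?P<path>.+) (?P<proc>\S+) \S+$')
# A Windows path is either quoted (may contain spaces) or a bare run of non-space characters.
WIN_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
ODD_EXT = (".pif", ".scr", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class Autorun:
    location: str                                # HKLM\...\Run, HKU\...\Run or "Startup folder"
    name: str                                    # value name, or the dropped file's name
    command: str                                 # what runs at logon
    writers: set = field(default_factory=set)    # processes that wrote this entry
    reasons: list = field(default_factory=list)  # heuristics that fired


def _location(regkey: str) -> str:
    for raw, short in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if regkey.upper().startswith(raw):
            return short + regkey[len(raw):]
    return regkey


def parse_rows(lines):
    """Return one Autorun per distinct (location, name, command), in first-seen order."""
    seen = {}
    for line in lines:
        m = SET_VALUE.match(line.strip())
        if m:
            key, name = m["key"].rsplit("\\", 1)
            entry = (_location(key), name, re.sub(r'\\(.)', r'\1', m["data"]))  # unescape \\ and \"
        else:
            m = FILE_CREATED.match(line.strip())
            if not m or STARTUP_DIR not in m["path"].lower():
                continue
            entry = ("Startup folder", m["path"].rsplit("\\", 1)[1], f'"{m["path"]}"')
        seen.setdefault(entry, Autorun(*entry)).writers.add(m["proc"])
    return list(seen.values())


def assess(entry: Autorun) -> Autorun:
    """Attach the heuristics that fire for one autorun entry."""
    cmd = entry.command
    head = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else (cmd.split() or [""])[0]
    image = head.rsplit("\\", 1)[-1].lower()
    tokens = cmd.lower().split()
    paths = [quoted or bare for quoted, bare in WIN_PATH.findall(cmd)]
    if image in SCRIPT_HOSTS:
        entry.reasons.append("script host autorun" + (", hidden window (//B)" if "//b" in tokens else ""))
    if any(w in p.lower() for p in paths for w in USER_WRITABLE):
        entry.reasons.append("target lives in a user-writable directory")
    if any(p.lower().endswith(ODD_EXT) for p in paths):
        entry.reasons.append("unusual autorun file type")
    if "windows" in entry.name.lower() and not any(p.lower().startswith("c:\\windows\\") for p in paths):
        entry.reasons.append("value name imitates a Windows component")
    if entry.location == "Startup folder":
        entry.reasons.append("Startup folder drop, runs with no registry change")
    return entry


def triage(lines):
    return [assess(e) for e in parse_rows(lines)]


# Constructed input: rows copied from the tables above. The first row is repeated
# on purpose, since the report prints one row per registry write.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\18842794\\sbwfgsqs.pif C:\\Users\\Admin\\AppData\\Roaming\\18842794\\etgir.ecs" C:\Windows\SysWOW64\WerFault.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lpqrs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lpqrs.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\lpqrs = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\lpqrs.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpqrs.vbs C:\Windows\SysWOW64\wscript.exe N/A',
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ROWS):
        print(f"{a.location}\\{a.name}")
        print(f"  runs:       {a.command}")
        print(f"  written by: {', '.join(sorted(a.writers))}")
        print(f"  flags:      {'; '.join(a.reasons) or 'none'}")
```

Note that the "WindowsUpdate" value is written both by sbwfgsqs.pif and by WerFault.exe; the writer set keeps both, which is the hint that the NanoCore payload was running inside a hollowed process rather than under its own image (see the SetThreadContext table further down).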

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 748 set thread context of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 328 set thread context of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 set thread context of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1500 set thread context of 1192 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 976 set thread context of 328 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 848 set thread context of 1608 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1568 set thread context of 1080 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 set thread context of 408 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 748 set thread context of 1084 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1948 set thread context of 2004 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1784 set thread context of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1736 set thread context of 1712 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1096 set thread context of 1528 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1432 set thread context of 1932 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1112 set thread context of 1424 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2016 set thread context of 852 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1756 set thread context of 1480 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Program crash

Count Description Indicator Process Target
17 N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Kills process with taskkill

evasion
Count Description Indicator Process Target
3 N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
44 N/A N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif N/A
20 N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Count Description Indicator Process Target
1 Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
2 Token: 35 N/A C:\Users\Admin\AppData\Roaming\wshsdk\python.exe N/A
3 Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1588 wrote to memory of 920 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
PID 1588 wrote to memory of 920 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
PID 1588 wrote to memory of 920 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
PID 1588 wrote to memory of 920 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
PID 920 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 920 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 920 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 920 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 748 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 748 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 748 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 748 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 748 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 748 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 748 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 748 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 748 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 764 wrote to memory of 2020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 764 wrote to memory of 2020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 764 wrote to memory of 2020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 764 wrote to memory of 2020 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 748 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
PID 748 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
PID 748 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
PID 748 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
PID 1380 wrote to memory of 328 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 1380 wrote to memory of 328 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 1380 wrote to memory of 328 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 1380 wrote to memory of 328 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1760 wrote to memory of 792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1760 wrote to memory of 792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1760 wrote to memory of 792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1760 wrote to memory of 792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 328 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
PID 328 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
PID 328 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
PID 328 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
PID 1904 wrote to memory of 1460 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 1904 wrote to memory of 1460 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 1904 wrote to memory of 1460 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 1904 wrote to memory of 1460 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1784 wrote to memory of 1668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1784 wrote to memory of 1668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1784 wrote to memory of 1668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1784 wrote to memory of 1668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1460 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
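
The writer/target pairs above are the evidence behind the WriteProcessMemory signature. Two things stand out: the dropped sbwfgsqs.pif (a PE carrying a .pif extension under Roaming\18842794) repeatedly writes into RegSvcs.exe, a Microsoft .NET Framework binary that was started with no arguments, and each RegSvcs.exe instance then writes into WerFault.exe, which is only Windows Error Reporting collecting a dump of the process that crashed (compare the "Program crash" signature and the WerFault.exe -u -p <pid> command lines further down). Together with the SetThreadContext signature, a user-writable image writing into a freshly started OS binary is the process-hollowing pattern. The caveat is that a parent creating a child also appears as a write (WScript.exe and sbwfgsqs.pif write into each other as run.vbs relaunches the .pif), so a write by itself is not proof; the stronger hint in this report is that the mapping dumps for the RegSvcs.exe PIDs in the Files section sit at a non-zero address ending in 42DE, while those for the WScript.exe PIDs are at 0x0. The Python below is an added example, not part of the sandbox report: it parses lines in this format, counts writes per writer/target pair and classifies each pair by where the two images live. Treating everything under C:\Windows as an OS image, and the event subset embedded as sample input, are this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "wrote to memory" events from this
# report, copied in the sandbox's one-line-per-event format.
SAMPLE_EVENTS = r"""
PID 328 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1760 wrote to memory of 792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1760 wrote to memory of 792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 328 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
PID 1904 wrote to memory of 1460 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1460 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1784 wrote to memory of 1668 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\WerFault.exe
PID 1460 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif C:\Windows\SysWOW64\WScript.exe
"""

EVENT_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_write_events(text):
    """Turn the sandbox's 'PID A wrote to memory of B' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                "src_image": m.group(3), "dst_image": m.group(4),
            })
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_windows_image(path):
    """Assumption: anything under the Windows directory is an OS-shipped binary."""
    return path.lower().startswith("c:\\windows\\")


def classify_edge(src_image, dst_image):
    """Label a writer->target pair by where the two images live."""
    if basename(dst_image) == "werfault.exe":
        return "crash-report"                  # WER dumping the crashed writer
    if not is_windows_image(src_image) and is_windows_image(dst_image):
        return "user-image-writes-os-image"    # hollowing/injection candidate
    if is_windows_image(src_image) and not is_windows_image(dst_image):
        return "os-image-writes-user-image"    # e.g. WScript.exe spawning the .pif
    return "other"


def summarize_edges(events):
    """One row per (writer PID, target PID) with the number of writes seen."""
    counts = Counter((e["src_pid"], e["dst_pid"]) for e in events)
    rows, seen = [], set()
    for e in events:
        key = (e["src_pid"], e["dst_pid"])
        if key in seen:
            continue
        seen.add(key)
        rows.append({
            "src_pid": e["src_pid"], "dst_pid": e["dst_pid"],
            "src": basename(e["src_image"]), "dst": basename(e["dst_image"]),
            "writes": counts[key],
            "class": classify_edge(e["src_image"], e["dst_image"]),
        })
    return rows


def injection_candidates(events):
    """Targets written by a non-OS image; corroborate with SetThreadContext."""
    return sorted({
        (basename(e["src_image"]), basename(e["dst_image"]), e["dst_pid"])
        for e in events
        if classify_edge(e["src_image"], e["dst_image"]) == "user-image-writes-os-image"
    })


if __name__ == "__main__":
    for row in summarize_edges(parse_write_events(SAMPLE_EVENTS)):
        print(row)
```

Run against the full event list, the summary shows nine writes from sbwfgsqs.pif into RegSvcs.exe PID 1784 versus one into the WScript.exe instances; the volume of writes into a host process started without arguments, plus the crash-report edges that follow, is what separates the RegSvcs.exe targets from ordinary child creation.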

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW2-P0-6768-67.js

C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe

"C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lpqrs.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 328 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 572

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 568

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 572

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\cmdc.exe

"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 568

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Users\Admin\AppData\Roaming\cmdc.exe

"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 580

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Roaming\wshlogs"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 576

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\18842794\run.vbs"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
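
Several of the command lines above are detectable on their own, without the hashes: a script host run from Temp or Roaming, a PE executed from %AppData% under a .pif extension, RegSvcs.exe started with no assembly argument, PowerShell reading the WinRT PasswordVault (RetrievePassword() returns each Credential Manager secret in clear text, here redirected to tmp.txt), a private python.exe dropped into Roaming\wshsdk and run from there, and cmdc.exe /stext (the text-output switch that NirSoft-style password-recovery tools use, consistent with the credential-dump module Suricata flagged). The Python below is an added example, not part of the report: it encodes those observations as rules and runs them over (image, command line) pairs copied from this list. The rule names, the path and extension choices, and the decision to keep WerFault.exe -u -p <pid> as a rule (only to tie each crash back to the PID that died) are this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample: (image, command line) pairs copied from the Processes
# list above, one per distinct command line.
SAMPLE_PROCESSES = [
    (r"C:\Windows\system32\wscript.exe",
     r"wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW2-P0-6768-67.js"),
    (r"C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe",
     r'"C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif",
     r'"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    (r"C:\Windows\SysWOW64\wscript.exe",
     r'"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lpqrs.vbs"'),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 576"),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command '
     r'[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] '
     r'$vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | '
     r'% { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && '
     r'C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"'),
    (r"C:\Users\Admin\AppData\Roaming\wshsdk\python.exe",
     r"C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll"),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe'),
    (r"C:\Users\Admin\AppData\Roaming\cmdc.exe",
     r'"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Roaming\wshlogs"'),
]


def _name(path):
    return path.rsplit("\\", 1)[-1]


# (rule name, predicate over the lower-cased image path and command line)
RULES = [
    # Script host running a script out of a user-writable location.
    ("script-host-user-path", lambda img, cmd:
        _name(img) in ("wscript.exe", "cscript.exe")
        and re.search(r"\\(appdata|temp)\\.*\.(js|jse|vbs|vbe|wsf)\b", cmd) is not None),
    # PE dropped into %AppData% and executed from there.
    ("executable-in-appdata", lambda img, cmd:
        re.search(r"\\appdata\\(roaming|local)\\.*\.(exe|pif|scr|com)$", img) is not None),
    # .pif is a DOS-era shortcut extension; Windows still runs a PE renamed to it.
    ("pif-extension", lambda img, cmd: img.endswith(".pif")),
    # RegSvcs.exe normally takes an assembly path; a bare launch is the hollowing-host pattern.
    ("regsvcs-no-args", lambda img, cmd:
        re.fullmatch(r'"?[^"\s]*\\regsvcs\.exe"?', cmd.strip()) is not None),
    # Credential Manager dump through the WinRT PasswordVault API.
    ("passwordvault-dump", lambda img, cmd:
        "passwordvault" in cmd and "retrievepassword" in cmd),
    # A private Python interpreter under Roaming being invoked.
    ("dropped-python-interpreter", lambda img, cmd:
        re.search(r'\\appdata\\roaming\\[^\s"]*python\.exe', cmd) is not None),
    # /stext <file>: text-output switch of NirSoft-style password-recovery tools.
    ("stext-output-switch", lambda img, cmd: " /stext " in cmd),
    ("taskkill-force-image", lambda img, cmd:
        re.search(r"taskkill\s+/f\s+/im\s+\S+", cmd) is not None),
    # WER collecting a dump: the -p value is the PID that crashed.
    ("werfault-crash", lambda img, cmd:
        re.search(r"\\werfault\.exe -u -p \d+", cmd) is not None),
]


def evaluate(image, cmdline):
    """Names of every rule the process record matches, in RULES order."""
    img, cmd = image.lower(), cmdline.lower()
    return [name for name, hit in RULES if hit(img, cmd)]


def scan(records):
    """Rule hit counts plus (index, image name, rules) for each flagged record."""
    hits, flagged = Counter(), []
    for idx, (image, cmdline) in enumerate(records):
        names = evaluate(image, cmdline)
        hits.update(names)
        if names:
            flagged.append((idx, _name(image), names))
    return hits, flagged
```

Only the mkdir of Roaming\wshlogs goes unflagged in this sample; on its own it is ordinary, and its value here is as context for the wshsdk/wshout/wshlogs naming that the WSHRAT signatures already tie together.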

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 newmoey2022.duckdns.org udp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
US 8.8.8.8:53 wshsoft.company udp
SG 194.59.164.67:80 wshsoft.company tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
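
The 8.8.8.8:53 rows are the sandbox's resolver answering DNS queries, so the indicator in them is the queried name, not the address. What remains is an external-IP check against ip-api.com (the "Looks up external IP address via web service" signature), repeated TCP/5001 connections to the dynamic-DNS host newmoey2022.duckdns.org at 5.206.227.170, most likely the channel behind the WSHRAT check-in alerts, and one plain-HTTP connection to wshsoft.company. The Python below is an added example, not part of the report: it turns table rows in this format into a deduplicated indicator list with per-destination connection counts, and groups file entries in the layout of the Files section by SHA-256 so the repeated sbwfgsqs.pif records collapse into one. Treating 8.8.8.8 as the resolver, the dynamic-DNS suffix list, the IP-lookup domain list and the "common port" set are this example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the Network table above.
SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 newmoey2022.duckdns.org udp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
NL 5.206.227.170:5001 newmoey2022.duckdns.org tcp
US 8.8.8.8:53 wshsoft.company udp
SG 194.59.164.67:80 wshsoft.company tcp
"""

# Constructed sample: three entries in the layout of the Files section
# (path, blank line, hash lines); the SHA512 lines are left out here.
SAMPLE_FILES = r"""
memory/920-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe

MD5 acd33bd14ede9c9b8c9976aeb71c7b84
SHA1 920376976654d43130b75be9e99e718f4439f055
SHA256 6e4a19b659a324b6aad034c4d19b8eaed38d0e5aff6259c06301187728afd706

\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
"""

NET_ROW_RE = re.compile(r"^[A-Z]{2}\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(tcp|udp)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

RESOLVER_IPS = {"8.8.8.8"}           # assumed: the sandbox's DNS resolver, not an IOC
IP_LOOKUP_DOMAINS = {"ip-api.com"}   # public "what is my IP" services
DYNDNS_SUFFIXES = (".duckdns.org",)  # free dynamic-DNS providers
COMMON_PORTS = {53, 80, 443}


def parse_network(text):
    """One dict per table row; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        m = NET_ROW_RE.match(line.strip())
        if m:
            rows.append({"ip": m.group(1), "port": int(m.group(2)),
                         "domain": m.group(3), "proto": m.group(4)})
    return rows


def network_iocs(rows):
    """Collapse repeated connections, drop resolver traffic, tag what is left."""
    counts = Counter((r["ip"], r["port"], r["proto"], r["domain"]) for r in rows)
    iocs = []
    for (ip, port, proto, domain), n in sorted(counts.items()):
        if ip in RESOLVER_IPS:
            continue
        tags = []
        if domain.endswith(DYNDNS_SUFFIXES):
            tags.append("dynamic-dns")
        if domain in IP_LOOKUP_DOMAINS:
            tags.append("external-ip-lookup")
        if port not in COMMON_PORTS:
            tags.append("uncommon-port")
        iocs.append({"ip": ip, "port": port, "proto": proto, "domain": domain,
                     "connections": n, "tags": tags})
    return iocs


def parse_file_entries(text):
    """A path line opens an entry; the hash lines that follow fill it in."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):   # memory dump artifacts
            continue
        m = HASH_RE.match(line)
        if m and entries:
            entries[-1][m.group(1).lower()] = m.group(2).lower()
        elif not m:
            entries.append({"path": line})
    return [e for e in entries if "sha256" in e]


def unique_files(entries):
    """Group the repeated entries by SHA-256, keeping every path seen."""
    by_hash = defaultdict(lambda: {"paths": set()})
    for e in entries:
        rec = by_hash[e["sha256"]]
        rec["md5"], rec["sha1"] = e.get("md5"), e.get("sha1")
        rec["paths"].add(e["path"])
    return {h: {"md5": r["md5"], "sha1": r["sha1"], "paths": sorted(r["paths"])}
            for h, r in by_hash.items()}
```

The queried names are still worth blocking even though their rows are dropped from the connection list: every row, resolver rows included, carries the domain, so a name list is one set comprehension over parse_network() output.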

Files

memory/920-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe

MD5 acd33bd14ede9c9b8c9976aeb71c7b84
SHA1 920376976654d43130b75be9e99e718f4439f055
SHA256 6e4a19b659a324b6aad034c4d19b8eaed38d0e5aff6259c06301187728afd706
SHA512 31ce2d1bc8cb08563c18c4098954550dc1be93a63541c8e76bebf1af2c1e70f4c792a8b6295c2a22d2c17a6144b793dc04b9d7570a84927ff72ffad63c97cfdd

memory/920-57-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe

MD5 acd33bd14ede9c9b8c9976aeb71c7b84
SHA1 920376976654d43130b75be9e99e718f4439f055
SHA256 6e4a19b659a324b6aad034c4d19b8eaed38d0e5aff6259c06301187728afd706
SHA512 31ce2d1bc8cb08563c18c4098954550dc1be93a63541c8e76bebf1af2c1e70f4c792a8b6295c2a22d2c17a6144b793dc04b9d7570a84927ff72ffad63c97cfdd

\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/748-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\etgir.ecs

MD5 778e5f2719a093daf77a10ab46875601
SHA1 6e03a030ef2c3ccf4394dfe394f51419ca6dd7b2
SHA256 2eb55bbc594753982cd5673668f6e67486cd8b3229316e0265bec16028ea9a41
SHA512 1d377ba6ae4798ba5b4369b1f705b6c14faa00e1f42f6eb63fa77cf7e31dc000fc1f9ef1cd2c19f54ad3927500bc117601286140e293b3f5e4bcf83834d05ca3

C:\Users\Admin\AppData\Roaming\18842794\dvotcvx.log

MD5 59bdbfb6e20ad5b4a3bbeed9c62ed314
SHA1 10132709b402441f9cc6f1021e9c3b61db01bed5
SHA256 e36a730afb689d00b52fa1a5278cd279125e677b3dfea1e6b099bcaaa58de454
SHA512 d577af5a61fcedd7a13b1834107aa720f21161ca4804f4f5bae1dff74782c19dee2b37d8cef9bae5f6886911054c76ec296abe2a90329e08937a9253cfe657da

C:\Users\Admin\AppData\Roaming\18842794\gvblfm.ons

MD5 85672907dd0d996e5071183992f0cfcc
SHA1 b964fa305568e0a1c6650cbf757860e46fac03b6
SHA256 d26d9f25d12065a33c315d8a46e106b942670c06d44a68c5e87469c20a706e7e
SHA512 afa4f1eb0a5b21b47ede1faf8f602eff83adb6e1e3122097b2f7e74eb324d5f7e5c05696636fa4737f6fdf6d8bfa656b76c190d03bc800ca9fb1baf39f72c1c0

memory/764-69-0x00000000002D0000-0x000000000094F000-memory.dmp

memory/764-70-0x00000000002D0000-0x000000000094F000-memory.dmp

memory/764-71-0x00000000003542DE-mapping.dmp

memory/764-72-0x00000000002D0000-0x000000000094F000-memory.dmp

memory/2020-74-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\lpqrs.vbs

MD5 5658911b9b2d37c8af76d69894a71560
SHA1 7a3c3c8aa612ad29bac588b7b7752e845f375c3e
SHA256 8a39adb54f4e23943516e8afed6fb5f37f0c8f07cee86b6870d019836d9f130b
SHA512 bd720303a11b25d6f9452da075af3deff0e038eff65bc9b5a203f246f795f6662d7a001e3be5321ec5356c59629e0ec404bddd779afaf76efbc18fffff95ad47

memory/1380-77-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\run.vbs

MD5 57c8cbab6e1d2f90603a38ab68154078
SHA1 3609ff08ea685d07324510219634fba6656e7bed
SHA256 dd70c564524aa0938eee48040462752357b2658ab3404c712444439907428bb9
SHA512 135219d575fc5334bb01111d85f900ee501f5c0818a8215a00a7eea565a396e9a369c064bc91b1eb6ad2743e1a9b07300e5cfe5c5b990d5cf331f6380adbccf5

memory/328-81-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1760-84-0x0000000000420000-0x0000000000B5D000-memory.dmp

memory/1760-85-0x0000000000420000-0x0000000000B5D000-memory.dmp

memory/1760-86-0x00000000004A42DE-mapping.dmp

memory/1760-87-0x0000000000420000-0x0000000000B5D000-memory.dmp

memory/792-89-0x0000000000000000-mapping.dmp

memory/1904-90-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1460-92-0x0000000000000000-mapping.dmp

memory/1784-95-0x0000000000230000-0x00000000008FF000-memory.dmp

memory/1784-96-0x0000000000230000-0x00000000008FF000-memory.dmp

memory/1784-97-0x00000000002B42DE-mapping.dmp

memory/1784-98-0x0000000000230000-0x00000000008FF000-memory.dmp

memory/1668-100-0x0000000000000000-mapping.dmp

memory/1860-101-0x0000000000000000-mapping.dmp

memory/1500-103-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1192-106-0x0000000000370000-0x0000000000924000-memory.dmp

memory/1192-107-0x0000000000370000-0x0000000000924000-memory.dmp

memory/1192-108-0x00000000003F42DE-mapping.dmp

memory/1192-109-0x0000000000370000-0x0000000000924000-memory.dmp

memory/1148-111-0x0000000000000000-mapping.dmp

memory/1804-112-0x0000000000000000-mapping.dmp

memory/976-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/328-117-0x0000000000380000-0x00000000009CC000-memory.dmp

memory/328-119-0x00000000004042DE-mapping.dmp

memory/328-118-0x0000000000380000-0x00000000009CC000-memory.dmp

memory/328-120-0x0000000000380000-0x00000000009CC000-memory.dmp

memory/1960-122-0x0000000000000000-mapping.dmp

memory/1348-123-0x0000000000000000-mapping.dmp

memory/848-125-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1608-128-0x00000000003C0000-0x0000000000AF3000-memory.dmp

memory/1608-129-0x00000000003C0000-0x0000000000AF3000-memory.dmp

memory/1608-130-0x00000000004442DE-mapping.dmp

memory/1608-131-0x00000000003C0000-0x0000000000AF3000-memory.dmp

memory/324-133-0x0000000000000000-mapping.dmp

memory/1920-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1080-137-0x00000000003B0000-0x000000000087E000-memory.dmp

memory/1080-138-0x00000000003B0000-0x000000000087E000-memory.dmp

memory/1080-139-0x00000000004342DE-mapping.dmp

memory/1080-140-0x00000000003B0000-0x000000000087E000-memory.dmp

memory/1516-142-0x0000000000000000-mapping.dmp

memory/652-143-0x0000000000000000-mapping.dmp

memory/1692-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/408-148-0x0000000000350000-0x0000000000A33000-memory.dmp

memory/408-149-0x0000000000350000-0x0000000000A33000-memory.dmp

memory/408-150-0x00000000003D42DE-mapping.dmp

memory/408-151-0x0000000000350000-0x0000000000A33000-memory.dmp

memory/1432-153-0x0000000000000000-mapping.dmp

memory/1380-154-0x0000000000000000-mapping.dmp

memory/748-156-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1084-159-0x0000000000350000-0x00000000008FC000-memory.dmp

memory/1084-160-0x0000000000350000-0x00000000008FC000-memory.dmp

memory/1084-161-0x00000000003D42DE-mapping.dmp

memory/1084-162-0x0000000000350000-0x00000000008FC000-memory.dmp

memory/792-164-0x0000000000000000-mapping.dmp

memory/816-165-0x0000000000000000-mapping.dmp

memory/1948-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/2004-170-0x0000000000430000-0x0000000000AE1000-memory.dmp

memory/2004-171-0x0000000000430000-0x0000000000AE1000-memory.dmp

memory/2004-172-0x00000000004B42DE-mapping.dmp

memory/2004-173-0x0000000000430000-0x0000000000AE1000-memory.dmp

memory/1596-175-0x0000000000000000-mapping.dmp

memory/1600-176-0x0000000000000000-mapping.dmp

memory/1784-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/2012-182-0x0000000000000000-mapping.dmp

memory/1760-183-0x0000000000310000-0x00000000009EE000-memory.dmp

memory/1760-181-0x0000000000310000-0x00000000009EE000-memory.dmp

memory/1760-184-0x00000000003942DE-mapping.dmp

memory/1192-187-0x0000000000000000-mapping.dmp

memory/1228-189-0x0000000000000000-mapping.dmp

memory/1736-191-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/2012-194-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/2012-195-0x00000000001C1000-0x00000000001C2000-memory.dmp

memory/2012-196-0x00000000001C2000-0x00000000001C4000-memory.dmp

memory/1712-199-0x00000000003742DE-mapping.dmp

memory/1080-202-0x0000000000000000-mapping.dmp

memory/2016-203-0x0000000000000000-mapping.dmp

memory/1096-205-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba

memory/1528-210-0x00000000003842DE-mapping.dmp

memory/408-213-0x0000000000000000-mapping.dmp

memory/1440-214-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

MD5 e03cbf90f6ed0c8075e5092621555990
SHA1 18ced6a9659a87b7d1458cdb6ce8409219299fc1
SHA256 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9
SHA512 f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d

\Users\Admin\AppData\Roaming\wshsdk\python.exe

MD5 e03cbf90f6ed0c8075e5092621555990
SHA1 18ced6a9659a87b7d1458cdb6ce8409219299fc1
SHA256 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9
SHA512 f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d

memory/764-217-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

MD5 e03cbf90f6ed0c8075e5092621555990
SHA1 18ced6a9659a87b7d1458cdb6ce8409219299fc1
SHA256 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9
SHA512 f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d

\Users\Admin\AppData\Roaming\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

C:\Users\Admin\AppData\Roaming\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-environment-l1-1-0.dll

MD5 ac290dad7cb4ca2d93516580452eda1c
SHA1 fa949453557d0049d723f9615e4f390010520eda
SHA256 c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512 b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-environment-l1-1-0.dll

MD5 ac290dad7cb4ca2d93516580452eda1c
SHA1 fa949453557d0049d723f9615e4f390010520eda
SHA256 c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512 b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-time-l1-1-0.dll

MD5 849f2c3ebf1fcba33d16153692d5810f
SHA1 1f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA256 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA512 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-time-l1-1-0.dll

MD5 849f2c3ebf1fcba33d16153692d5810f
SHA1 1f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA256 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA512 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-locale-l1-1-0.dll

MD5 a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1 116846ca871114b7c54148ab2d968f364da6142f
SHA256 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512 e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-locale-l1-1-0.dll

MD5 a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1 116846ca871114b7c54148ab2d968f364da6142f
SHA256 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512 e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll

MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512 fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll

MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512 fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-convert-l1-1-0.dll

MD5 72e28c902cd947f9a3425b19ac5a64bd
SHA1 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA256 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA512 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-convert-l1-1-0.dll

MD5 72e28c902cd947f9a3425b19ac5a64bd
SHA1 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA256 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA512 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll

MD5 fefb98394cb9ef4368da798deab00e21
SHA1 316d86926b558c9f3f6133739c1a8477b9e60740
SHA256 b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA512 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll

MD5 fefb98394cb9ef4368da798deab00e21
SHA1 316d86926b558c9f3f6133739c1a8477b9e60740
SHA256 b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA512 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-heap-l1-1-0.dll

MD5 93d3da06bf894f4fa21007bee06b5e7d
SHA1 1e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256 f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA512 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-heap-l1-1-0.dll

MD5 93d3da06bf894f4fa21007bee06b5e7d
SHA1 1e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256 f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA512 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-string-l1-1-0.dll

MD5 404604cd100a1e60dfdaf6ecf5ba14c0
SHA1 58469835ab4b916927b3cabf54aee4f380ff6748
SHA256 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512 da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-string-l1-1-0.dll

MD5 404604cd100a1e60dfdaf6ecf5ba14c0
SHA1 58469835ab4b916927b3cabf54aee4f380ff6748
SHA256 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512 da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-2-0.dll

MD5 0d1aa99ed8069ba73cfd74b0fddc7b3a
SHA1 ba1f5384072df8af5743f81fd02c98773b5ed147
SHA256 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1
SHA512 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-2-0.dll

MD5 0d1aa99ed8069ba73cfd74b0fddc7b3a
SHA1 ba1f5384072df8af5743f81fd02c98773b5ed147
SHA256 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1
SHA512 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l2-1-0.dll

MD5 e479444bdd4ae4577fd32314a68f5d28
SHA1 77edf9509a252e886d4da388bf9c9294d95498eb
SHA256 c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719
SHA512 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l2-1-0.dll

MD5 e479444bdd4ae4577fd32314a68f5d28
SHA1 77edf9509a252e886d4da388bf9c9294d95498eb
SHA256 c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719
SHA512 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-timezone-l1-1-0.dll

MD5 babf80608fd68a09656871ec8597296c
SHA1 33952578924b0376ca4ae6a10b8d4ed749d10688
SHA256 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca
SHA512 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-timezone-l1-1-0.dll

MD5 babf80608fd68a09656871ec8597296c
SHA1 33952578924b0376ca4ae6a10b8d4ed749d10688
SHA256 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca
SHA512 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-2-0.dll

MD5 e2f648ae40d234a3892e1455b4dbbe05
SHA1 d9d750e828b629cfb7b402a3442947545d8d781b
SHA256 c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03
SHA512 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-2-0.dll

MD5 e2f648ae40d234a3892e1455b4dbbe05
SHA1 d9d750e828b629cfb7b402a3442947545d8d781b
SHA256 c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03
SHA512 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d0289835d97d103bad0dd7b9637538a1
SHA1 8ceebe1e9abb0044808122557de8aab28ad14575
SHA256 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a
SHA512 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d0289835d97d103bad0dd7b9637538a1
SHA1 8ceebe1e9abb0044808122557de8aab28ad14575
SHA256 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a
SHA512 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-localization-l1-2-0.dll

MD5 eff11130bfe0d9c90c0026bf2fb219ae
SHA1 cf4c89a6e46090d3d8feeb9eb697aea8a26e4088
SHA256 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97
SHA512 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-localization-l1-2-0.dll

MD5 eff11130bfe0d9c90c0026bf2fb219ae
SHA1 cf4c89a6e46090d3d8feeb9eb697aea8a26e4088
SHA256 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97
SHA512 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add

\Users\Admin\AppData\Roaming\wshsdk\ucrtbase.dll

MD5 d6326267ae77655f312d2287903db4d3
SHA1 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f
SHA256 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
SHA512 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4

C:\Users\Admin\AppData\Roaming\wshsdk\ucrtbase.DLL

MD5 d6326267ae77655f312d2287903db4d3
SHA1 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f
SHA256 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
SHA512 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll

MD5 41a348f9bedc8681fb30fa78e45edb24
SHA1 66e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256 c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA512 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll

MD5 41a348f9bedc8681fb30fa78e45edb24
SHA1 66e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256 c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA512 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

\Users\Admin\AppData\Roaming\wshsdk\vcruntime140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

C:\Users\Admin\AppData\Roaming\wshsdk\VCRUNTIME140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

memory/1464-255-0x0000000000000000-mapping.dmp

memory/1432-257-0x0000000000000000-mapping.dmp

memory/1932-261-0x00000000003742DE-mapping.dmp

memory/1948-264-0x0000000000000000-mapping.dmp

memory/520-265-0x0000000000000000-mapping.dmp

memory/1260-266-0x0000000000000000-mapping.dmp

memory/1696-267-0x0000000000000000-mapping.dmp

memory/1112-269-0x0000000000000000-mapping.dmp

memory/304-271-0x0000000000000000-mapping.dmp

memory/512-272-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-11-01 09:33

Reported

2021-11-01 09:35

Platform

win10-en-20210920

Max time kernel

121s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW2-P0-6768-67.js

Signatures

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW2-P0-6768-67.js

C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe

"C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe"

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs
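The three processes above form the chain wscript.exe -> a dropped .exe in %APPDATA% -> a .pif in an all-digit subfolder launched with a data-file argument (etgir.ecs). The following Python is an added example, not part of the report or the sandbox's own signatures: three process-creation rules and a chain-walker evaluated over constructed Sysmon EventID 1 style records built from this listing. The parent/child links are the ones the listing order implies, and explorer.exe as the parent of wscript.exe is an assumption; the notepad.exe event is a constructed benign control.

```python
"""Process-creation detection for the chain seen in behavioral2.

The EVENTS below are constructed Sysmon-style records derived from the
report's process list (Image / ParentImage / CommandLine); they are not
sandbox output.  Parent links follow the listing order, and explorer.exe
as the parent of the script host is assumed.
"""
import ntpath
import re

EVENTS = [
    {"Image": r"C:\Windows\system32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",            # assumed parent
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\NEW2-P0-6768-67.js"},
    {"Image": r"C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe",
     "ParentImage": r"C:\Windows\system32\wscript.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe"'},
    {"Image": r"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif" etgir.ecs'},
    # benign control (constructed): an interactive launch must match no rule
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\Admin\Documents\notes.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_IN_TEMP_RE = re.compile(r'\\appdata\\local\\temp\\[^\s"]+\.(js|jse|vbs|vbe|wsf|hta)\b', re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
PIF_IN_NUMERIC_DIR_RE = re.compile(r"\\appdata\\roaming\\\d{6,}\\[^\\]+\.pif$", re.I)


def image_name(path):
    return ntpath.basename(path).lower()


def script_from_temp(ev):
    """wscript/cscript handed a script that lives under %TEMP%: what a mailed
    .js attachment looks like when the user double-clicks it."""
    return image_name(ev["Image"]) in SCRIPT_HOSTS and bool(SCRIPT_IN_TEMP_RE.search(ev["CommandLine"]))


def script_host_spawns_user_exe(ev):
    """A script host starting an executable from a user-writable profile path:
    the script wrote a binary to disk and ran it."""
    return image_name(ev["ParentImage"]) in SCRIPT_HOSTS and bool(USER_WRITABLE_RE.search(ev["Image"]))


def pif_in_numeric_dir(ev):
    """A .pif executable inside an all-digit folder under %APPDATA%; legitimate
    software is not installed this way."""
    return bool(PIF_IN_NUMERIC_DIR_RE.search(ev["Image"]))


RULES = {
    "script_from_temp": script_from_temp,
    "script_host_spawns_user_exe": script_host_spawns_user_exe,
    "pif_in_numeric_dir": pif_in_numeric_dir,
}


def evaluate(events):
    """Return (Image, [names of matching rules]) for every event, in input order."""
    return [(ev["Image"], [name for name, rule in RULES.items() if rule(ev)]) for ev in events]


def suspicious_chain(events):
    """From a script host that matched script_from_temp, follow Image ->
    ParentImage links through children that trigger any rule and return the
    chain of image paths (empty list if no such start exists)."""
    children = {}
    for ev in events:
        children.setdefault(ev["ParentImage"].lower(), []).append(ev)
    for start in events:
        if not script_from_temp(start):
            continue
        chain, node = [], start
        while node is not None:
            chain.append(node["Image"])
            flagged = [c for c in children.get(node["Image"].lower(), [])
                       if any(rule(c) for rule in RULES.values())]
            node = flagged[0] if flagged else None
        return chain
    return []


if __name__ == "__main__":
    for image, names in evaluate(EVENTS):
        print(f"{image}: {names or 'no match'}")
    print(" -> ".join(suspicious_chain(EVENTS)))
```

Each rule on its own is noisy (developers do run scripts from Temp); the value is in the chain: the same three hops in parent order, within seconds, from a script host. The .pif extension and the digit-only folder name are cheap to change, so treat pif_in_numeric_dir as the weakest link and the script-host-to-profile-path hop as the one worth alerting on.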

Network

Country  Destination         Domain            Proto  Purpose
US       8.8.8.8:53          time.windows.com  udp    DNS lookup of time.windows.com
NL       40.119.148.38:123   time.windows.com  udp    NTP time sync

Only Windows time-synchronisation traffic was recorded in this run; no C2 traffic appeared within the 124 s network window, so the process chain and dropped files, not the network, are the usable indicators from behavioral2.

Files

memory/508-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe

MD5 acd33bd14ede9c9b8c9976aeb71c7b84
SHA1 920376976654d43130b75be9e99e718f4439f055
SHA256 6e4a19b659a324b6aad034c4d19b8eaed38d0e5aff6259c06301187728afd706
SHA512 31ce2d1bc8cb08563c18c4098954550dc1be93a63541c8e76bebf1af2c1e70f4c792a8b6295c2a22d2c17a6144b793dc04b9d7570a84927ff72ffad63c97cfdd

memory/1168-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\18842794\sbwfgsqs.pif

MD5 e1f85da023a9f5784e38a37c16c777e6
SHA1 6623fe6bb1903311cfa96ebdcd25822bc4f221ef
SHA256 f4ca36a5e6c02acd6897ffdcaed69f1767ff05a99b2042b218171886b88af162
SHA512 28e0a435eb27ca8653a767383a8b16d13f9c0f37e93a4dc814da02ad21c2e85f2efd9df80915437a4768dbe5b107741ba9451754f479340dfc6db2e7b15d55ba
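The Files lists of both runs (the wshsdk runtime bundle from behavioral1 and the dropper and .pif from behavioral2) print each dropped file under two path spellings, with and without the drive letter and sometimes in different case, so the hash lists are roughly twice as long as the set of distinct files. The Python below is an added example, not part of the report: it parses the report's own "path / MD5 / SHA1 / SHA256 / SHA512" layout, collapses entries by SHA256, keeps every distinct path a hash was dropped at, and separates files whose names are Universal CRT / VC runtime components from the rest. The excerpt is copied from the report's entries above with SHA512 lines and most entries omitted; the name-based classification is a hint only, since whether those DLLs are genuine Microsoft redistributables can only be established on a host (Authenticode signature, or the hash against a known-good copy), not from this report.

```python
"""Reduce a sandbox report's dropped-file list to unique indicators.

The report prints each file under two path spellings (with and without the
"C:" drive letter, sometimes differing in case), so de-duplicating by SHA256
is the first step before the hashes go into a blocklist or hunt query.
"""
import re
from collections import OrderedDict

# Excerpt copied from the report's Files sections (SHA512 lines, blank
# lines and most entries omitted).  The memory-dump line is kept on purpose:
# it carries no hashes and the parser must skip it.
REPORT_EXCERPT = r"""
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll
MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll
MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
\Users\Admin\AppData\Roaming\wshsdk\ucrtbase.dll
MD5 d6326267ae77655f312d2287903db4d3
SHA1 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f
SHA256 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
C:\Users\Admin\AppData\Roaming\wshsdk\ucrtbase.DLL
MD5 d6326267ae77655f312d2287903db4d3
SHA1 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f
SHA256 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
memory/508-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\NEW2-P0-6768-67.exe
MD5 acd33bd14ede9c9b8c9976aeb71c7b84
SHA1 920376976654d43130b75be9e99e718f4439f055
SHA256 6e4a19b659a324b6aad034c4d19b8eaed38d0e5aff6259c06301187728afd706
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Names of Microsoft Universal CRT / VC runtime redistributable components.
# Matching the name says what the dropper wants the file to look like, not
# that it is genuine; verify on a host (Authenticode, known-good hash).
RUNTIME_NAME_RE = re.compile(r"^(api-ms-win-(crt|core)-[\w-]+|ucrtbase|vcruntime\d+)\.dll$", re.I)


def normalize_path(path):
    """Add the drive letter the report sometimes omits so both spellings of
    one file compare equal; case is folded by the caller, since Windows
    paths are case-insensitive."""
    path = path.strip()
    return "C:" + path if path.startswith("\\") else path


def parse_entries(text):
    """Return {"path", "hashes"} for every file entry that has a SHA256."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError("malformed hash line: " + line)
            current["hashes"][algo] = digest
        elif line.startswith("memory/"):
            current = None                      # memory-dump artefact, no hashes follow
        else:
            current = {"path": normalize_path(line), "hashes": {}}
            entries.append(current)
    return [e for e in entries if "SHA256" in e["hashes"]]


def classify(path):
    name = path.rsplit("\\", 1)[-1]
    return "runtime-dependency" if RUNTIME_NAME_RE.match(name) else "payload"


def summarize(text):
    """One record per unique SHA256: all hashes given, every distinct path
    the file was dropped at, and a coarse name-based classification."""
    unique = OrderedDict()
    for e in parse_entries(text):
        sha = e["hashes"]["SHA256"]
        rec = unique.setdefault(sha, {"sha256": sha, "hashes": {}, "paths": [],
                                      "kind": classify(e["path"])})
        rec["hashes"].update(e["hashes"])
        if e["path"].lower() not in [p.lower() for p in rec["paths"]]:
            rec["paths"].append(e["path"])
    return list(unique.values())


if __name__ == "__main__":
    for rec in summarize(REPORT_EXCERPT):
        print(rec["sha256"], rec["kind"], "; ".join(rec["paths"]))
```

Run against the full report text, the "payload" records (the .exe and the .pif) are the hashes worth blocking; the runtime-dependency hashes will also match the same redistributable DLLs on clean machines that happen to carry the same build, so use them to confirm the wshsdk directory rather than as stand-alone detections.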