Analysis Overview
SHA256
93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b
Threat Level: Known bad
The file 93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Checks processor information in registry
Script User-Agent
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-05 12:44
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-05 12:44
Reported
2022-02-05 12:47
Platform
win7-en-20211208
Max time kernel
143s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-05 12:44
Reported
2022-02-05 12:47
Platform
win10v2004-en-20220112
Max time kernel
134s
Max time network
159s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | C:\Windows\System32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\MusNotifyIcon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\MusNotifyIcon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "3.191429" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4060" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887151185295388" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization | C:\Windows\System32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" | C:\Windows\System32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\93c0dcd6c6420eb0d4e4dedcb7aa04a16710e144126eda8008ba19d1eb98da0b.zip
C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.17.97:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| US | 52.184.216.226:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| NL | 20.73.194.208:443 | settings-win.data.microsoft.com | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-02-05 12:44
Reported
2022-02-05 12:47
Platform
win7-en-20211208
Max time kernel
150s
Max time network
146s
Command Line
Signatures
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSiNMwxGAI.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSiNMwxGAI.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\RSiNMwxGAI = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RSiNMwxGAI.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSiNMwxGAI = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RSiNMwxGAI.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" | C:\Windows\system32\wscript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|C435AF30|VQVVOAJK|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/2/2022|JavaScript-v1.6 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2016 wrote to memory of 1372 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 2016 wrote to memory of 1544 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1544 wrote to memory of 1280 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder101299.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New0rder101299.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.23.98.190:80 | pastebin.com | tcp |
| US | 104.23.98.190:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pluginsrv2.duckdns.org | udp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 159.65.219.192:7777 | | tcp |
Files
memory/2016-53-0x000007FEFB591000-0x000007FEFB593000-memory.dmp
C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js
| MD5 | 92174ec0aadd62600767793076bcb99f |
| SHA1 | f7348a4c0c746d5224a775eb643d4bcd29cec049 |
| SHA256 | ba5bf590d92abb7192bae9c006204d159ec670c7747322de1a1df6336bb98937 |
| SHA512 | 9f74a0af54c8ac0d0674ac52d9ee500373d89f2000f25bebc041defed3623e6441800b6f1e381048b4a000624b962459a45d9dd62bdd9c11fedd6ad8e62c660e |
C:\Users\Admin\AppData\Roaming\New0rder101299.js
| MD5 | 85283ce784b3405eb5dc4333c40047b8 |
| SHA1 | 9f130b7c4c09369e12b9c6994fea2d63238dd2b5 |
| SHA256 | 6fe23db1a528a2dc2f437cb5529eefe1f7ebde45116d2d6b18dc5535cc2e6d29 |
| SHA512 | 30b5a6265eb5a357e7444f40b041944c96c9c2abd8ca06724b75d65e9a18f2968b7dc69d080eb2b27364c06fd9ebac9ba9b76293963f1662c1a5a8a371e55907 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\34ZL0Q4Z\7R8hcpCS[1]
| MD5 | fda44910deb1a460be4ac5d56d61d837 |
| SHA1 | f6d0c643351580307b2eaa6a7560e76965496bc7 |
| SHA256 | 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9 |
| SHA512 | 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1VSJJWE3\7R8hcpCS[1].txt
| MD5 | 2008964ef2e2c06fb98a35262700d712 |
| SHA1 | 7660a6d1246543385c390fb29b0980ff850519fb |
| SHA256 | 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b |
| SHA512 | a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js
| MD5 | 85283ce784b3405eb5dc4333c40047b8 |
| SHA1 | 9f130b7c4c09369e12b9c6994fea2d63238dd2b5 |
| SHA256 | 6fe23db1a528a2dc2f437cb5529eefe1f7ebde45116d2d6b18dc5535cc2e6d29 |
| SHA512 | 30b5a6265eb5a357e7444f40b041944c96c9c2abd8ca06724b75d65e9a18f2968b7dc69d080eb2b27364c06fd9ebac9ba9b76293963f1662c1a5a8a371e55907 |
Analysis: behavioral4
Detonation Overview
Submitted
2022-02-05 12:44
Reported
2022-02-05 12:47
Platform
win10v2004-en-20220113
Max time kernel
154s
Max time network
160s
Command Line
Signatures
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSiNMwxGAI.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSiNMwxGAI.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSiNMwxGAI = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RSiNMwxGAI.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RSiNMwxGAI = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\RSiNMwxGAI.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\New0rder101299 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\New0rder101299.js\"" | C:\Windows\System32\wscript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/2/2022|JavaScript-v1.6 | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4736 wrote to memory of 5060 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4736 wrote to memory of 4424 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4424 wrote to memory of 2380 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\New0rder101299.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\New0rder101299.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.23.99.190:80 | pastebin.com | tcp |
| US | 104.23.99.190:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | pluginsrv2.duckdns.org | udp |
| US | 192.169.69.25:8000 | pluginsrv2.duckdns.org | tcp |
| US | 8.8.8.8:53 | settings-win.data.microsoft.com | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 159.65.219.192:7777 | | tcp |
| BE | 67.27.153.254:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\RSiNMwxGAI.js
| MD5 | 92174ec0aadd62600767793076bcb99f |
| SHA1 | f7348a4c0c746d5224a775eb643d4bcd29cec049 |
| SHA256 | ba5bf590d92abb7192bae9c006204d159ec670c7747322de1a1df6336bb98937 |
| SHA512 | 9f74a0af54c8ac0d0674ac52d9ee500373d89f2000f25bebc041defed3623e6441800b6f1e381048b4a000624b962459a45d9dd62bdd9c11fedd6ad8e62c660e |
C:\Users\Admin\AppData\Roaming\New0rder101299.js
| MD5 | 85283ce784b3405eb5dc4333c40047b8 |
| SHA1 | 9f130b7c4c09369e12b9c6994fea2d63238dd2b5 |
| SHA256 | 6fe23db1a528a2dc2f437cb5529eefe1f7ebde45116d2d6b18dc5535cc2e6d29 |
| SHA512 | 30b5a6265eb5a357e7444f40b041944c96c9c2abd8ca06724b75d65e9a18f2968b7dc69d080eb2b27364c06fd9ebac9ba9b76293963f1662c1a5a8a371e55907 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K6H59MEI\7R8hcpCS[1]
| MD5 | fda44910deb1a460be4ac5d56d61d837 |
| SHA1 | f6d0c643351580307b2eaa6a7560e76965496bc7 |
| SHA256 | 933b971c6388d594a23fa1559825db5bec8ade2db1240aa8fc9d0c684949e8c9 |
| SHA512 | 57dda9aa7c29f960cd7948a4e4567844d3289fa729e9e388e7f4edcbdf16bf6a94536598b4f9ff8942849f1f96bd3c00bc24a75e748a36fbf2a145f63bf904c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMK7HR9K\7R8hcpCS[1].txt
| MD5 | 2008964ef2e2c06fb98a35262700d712 |
| SHA1 | 7660a6d1246543385c390fb29b0980ff850519fb |
| SHA256 | 396af765f913e09066e3470e7c3d4e0c678e2cf453445029dab2da1973a1db5b |
| SHA512 | a1ed490ee38dd77fe80dd8da1000fe38a374a210ae5b52d69814aa3b98b1ac6bd34a0ee96e29eafbc2f83b45c6f75fd549c5fe8fb0de6b068eb3e31cd749fb69 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New0rder101299.js
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2016-411-0x0000020D18DC0000-0x0000020D18DD0000-memory.dmp
memory/2016-418-0x0000020D1BB20000-0x0000020D1BB24000-memory.dmp