Malware Analysis Report

2024-10-24 16:30

Sample ID 220415-tkc9gahadp
Target d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f
SHA256 d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f
Tags
hiverat persistence rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f

Threat Level: Known bad

The file d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f was found to be: Known bad.

Malicious Activity Summary

hiverat persistence rat stealer

HiveRAT

HiveRAT Payload

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-15 16:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-15 16:06

Reported

2022-04-15 18:42

Platform

win7-20220414-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A (15 matches; no description, indicator, process or target recorded for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe" C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\System32\WScript.exe N/A
Note: the value is written under RunOnce, not Run. Windows deletes a RunOnce value before running it at the next logon, so this entry persists only until then unless it is re-created. It is written by WScript.exe (running Execution.vbs, see Processes), and the value name and path imitate an Avast component.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 656 set thread context of 892 N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Note: PID 656 (the sample) both writes into PID 892 (10 writes, see Suspicious use of WriteProcessMemory) and changes its thread context, which is the process-hollowing sequence: a child started suspended, its image replaced, then resumed. The dumps for PID 892 at 0x0000000000400000-0x0000000000454000 and the mapping at 0x000000000044CB1E (see Files) are consistent with a replacement image inside MSBuild.exe. The other two MSBuild.exe instances (PIDs 2032 and 2036) receive writes but no thread-context change and leave no dumps.

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 656 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 656 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 4
PID 656 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 4
PID 656 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 10
PID 892 wrote to memory of 2040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\explorer.exe 4
PID 1580 wrote to memory of 1896 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe

"C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgCYazeYwNyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB7A.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"

Network

Country Destination Domain Proto Count
US 172.111.134.17:2807 tcp 3

Files

memory/656-54-0x0000000010120000-0x00000000101C4000-memory.dmp

memory/656-55-0x0000000000620000-0x000000000063C000-memory.dmp

memory/656-56-0x0000000008150000-0x00000000081F4000-memory.dmp

memory/1804-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCB7A.tmp

MD5 8ad59fa1cad4806aec0ae194207cf3b4
SHA1 04926cbf019cdfe70ff25771a050bdfe9f52ca9c
SHA256 8b172aac84138d93e8e9b07fb8b39ddf4aad43cf3f428b9df6facbde1d63f5a1
SHA512 c571806603ab473f3c17def6031384c0c6e58b60fa048abff489811d0047582f96752145c00916c50624d4aa5fa41c0f34b121714e97b03bf164a5a7a604086d

memory/892-59-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-60-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-62-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-63-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-64-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-65-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-66-0x000000000044CB1E-mapping.dmp

memory/892-68-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-70-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-73-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-74-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-75-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-72-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-79-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-82-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-83-0x0000000000400000-0x0000000000454000-memory.dmp

memory/892-84-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2040-90-0x0000000000000000-mapping.dmp

memory/2040-91-0x00000000755A1000-0x00000000755A3000-memory.dmp

memory/2040-92-0x000000006EA91000-0x000000006EA93000-memory.dmp

memory/1580-93-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

C:\Users\Admin\AppData\Local\Execution.vbs

MD5 6fbcefb8b324ce783f73b19a810f1297
SHA1 34280ec0bb93b843b02dd44847d3977aed67b99a
SHA256 b752575dc6f00086f146d1f22cd19f2b944117056afa8b3800e1e98ed9f47378
SHA512 00cf9418d9c991ff6d6de021b8366f2ebb7e8c03a553b8ea72490445a7fba6d4f39ef7d9ff056e97087c286e72cfc5378f7befbb704a9434f09983d54c2440f0

memory/1896-95-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-15 16:06

Reported

2022-04-15 18:42

Platform

win10v2004-20220414-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A (10 matches; no description, indicator, process or target recorded for any of them)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe" C:\Windows\System32\WScript.exe N/A
Note: same RunOnce value, same writer (WScript.exe running Execution.vbs) and same Avast-styled name as in behavioral1.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1756 set thread context of 3360 N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Note: as in behavioral1, the sample writes into this MSBuild.exe instance (9 writes, see Suspicious use of WriteProcessMemory) and then sets its thread context; PID 3360 leaves dumps at 0x0000000000400000-0x0000000000454000 (see Files), consistent with a hollowed MSBuild.exe. On this run only one MSBuild.exe instance is started.

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1756 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 1756 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe 9
PID 3360 wrote to memory of 3704 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\explorer.exe 3
PID 4128 wrote to memory of 4792 N/A C:\Windows\explorer.exe C:\Windows\System32\WScript.exe 2
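The rows in the two Suspicious use of WriteProcessMemory tables (behavioral1 and behavioral2) together with the matching SetThreadContext rows can be collapsed into an injection graph, which is what an analyst wants from this kind of table. The following is an added example, not part of this report and not the sandbox's own logic: it rebuilds the rows from the tables above with the same per-pair counts, parses them, and marks a target as hollowed only when the same source both wrote into it and set its thread context. The row grammar and the verdict labels are this example's own assumptions.

```python
"""Rebuild the injection graph from a sandbox report's memory-write rows.

Added example, not part of the original report. The rows below are
rebuilt from the "Suspicious use of WriteProcessMemory" and "Suspicious
use of SetThreadContext" tables of both detonations, with the same
per-pair counts. The row grammar and the 'hollowed' heuristic are this
example's own assumptions, not the sandbox's logic.
"""
import re
from dataclasses import dataclass

# Image paths exactly as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
EXPLORER32 = r"C:\Windows\SysWOW64\explorer.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WSCRIPT = r"C:\Windows\System32\WScript.exe"

WROTE, SETCTX = "wrote to memory of", "set thread context of"

def rows(src, act, dst, src_img, dst_img, n=1):
    """Emit n identical report rows in the report's own column layout."""
    return [f"PID {src} {act} {dst} N/A {src_img} {dst_img}"] * n

# behavioral1 (win7) followed by behavioral2 (win10); counts as in the tables above.
REPORT_ROWS = (
    rows(656, SETCTX, 892, SAMPLE, MSBUILD)
    + rows(656, WROTE, 1804, SAMPLE, SCHTASKS, 4)
    + rows(656, WROTE, 2032, SAMPLE, MSBUILD, 4)
    + rows(656, WROTE, 2036, SAMPLE, MSBUILD, 4)
    + rows(656, WROTE, 892, SAMPLE, MSBUILD, 10)
    + rows(892, WROTE, 2040, MSBUILD, EXPLORER32, 4)
    + rows(1580, WROTE, 1896, EXPLORER, WSCRIPT, 3)
    + rows(1756, SETCTX, 3360, SAMPLE, MSBUILD)
    + rows(1756, WROTE, 2684, SAMPLE, SCHTASKS, 3)
    + rows(1756, WROTE, 3360, SAMPLE, MSBUILD, 9)
    + rows(3360, WROTE, 3704, MSBUILD, EXPLORER32, 3)
    + rows(4128, WROTE, 4792, EXPLORER, WSCRIPT, 2)
)

# Assumed row grammar: "PID <src> <action> <dst> N/A <src image> <dst image>".
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<act>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

@dataclass
class Edge:
    src: int
    dst: int
    src_img: str
    dst_img: str
    writes: int = 0
    ctx_sets: int = 0

def parse(report_rows):
    """Collapse repeated rows into one Edge per (src, dst) pair with counters."""
    edges = {}
    for line in report_rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or a row in another layout
        key = (int(m["src"]), int(m["dst"]))
        e = edges.setdefault(key, Edge(key[0], key[1], m["src_img"], m["dst_img"]))
        if m["act"] == WROTE:
            e.writes += 1
        else:
            e.ctx_sets += 1
    return edges

def classify(edges):
    """Heuristic verdict per target PID.
    hollowed: the source both wrote into the target and changed its thread
              context (the write-then-SetThreadContext sequence of hollowing).
    spawned:  writes only; a parent writes into every child it creates, so
              this alone is CreateProcess noise, not injection."""
    verdicts = {}
    for e in edges.values():
        if e.writes and e.ctx_sets:
            verdicts[e.dst] = "hollowed"
        elif e.ctx_sets:
            verdicts[e.dst] = "ctx_only"
        else:
            verdicts[e.dst] = "spawned"
    return verdicts

def hollowed_targets(edges):
    """(pid, image) of every hollowed process, sorted by PID."""
    v = classify(edges)
    return sorted((e.dst, e.dst_img) for e in edges.values() if v[e.dst] == "hollowed")

def basename(path):
    return path.rsplit("\\", 1)[-1]

def render(edges):
    """One line per edge, e.g. '656 -> 892 MSBuild.exe [hollowed] writes=10 ctx=1'."""
    v = classify(edges)
    lines = []
    for e in sorted(edges.values(), key=lambda e: (e.src, e.dst)):
        lines.append(f"{e.src} -> {e.dst} {basename(e.dst_img)} "
                     f"[{v[e.dst]}] writes={e.writes} ctx={e.ctx_sets}")
    return lines

if __name__ == "__main__":
    print("\n".join(render(parse(REPORT_ROWS))))
```

Running it prints one line per (source, target) pair: 892 and 3360 (MSBuild.exe) come out as hollowed, while the other MSBuild.exe instances of behavioral1 (2032, 2036) and the schtasks, explorer and WScript children come out as spawned, which is how a parent's CreateProcess writes look in this kind of table. The verdict is a heuristic, not proof; confirm it against the 0x400000-0x454000 dumps listed under Files.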

Processes

C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe

"C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgCYazeYwNyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1369.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"

Network

Country Destination Domain Proto Count
NL 88.221.144.179:80 tcp 2
US 13.89.178.26:443 tcp 1
US 172.111.134.17:2807 tcp 5
NL 104.110.191.133:80 tcp 3
Note: 172.111.134.17:2807 is the only destination seen in both detonations (see behavioral1) and the only one on a non-standard port, which makes it the C2 candidate to block and hunt for. The port 80 and 443 destinations appear only in the win10 run and no signature attributes them to the sample.
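The command lines listed under Processes in behavioral1 and behavioral2 (identical apart from the temporary XML file name) give three detection points that survive a change of hash: MSBuild.exe started without a project file by a parent in a user-writable directory, schtasks.exe registering a task from an XML file in %TEMP%, and explorer.exe or WScript.exe opening a script from the user profile. The following is an added example, not part of this report: a small rule set run over constructed Sysmon-style process records, made of the report's own command lines (with the "{path}" placeholder shown for MSBuild.exe taken to be its image path, an assumption) plus three constructed benign records for contrast. The rule names, the user-writable path list and the benign records are this example's assumptions.

```python
"""Flag the execution-chain command lines seen in this report.

Added example, not part of the original report. EVENTS holds constructed
Sysmon-style (image, parent, command line) records: the first five are the
report's own command lines, with MSBuild.exe's "{path}" placeholder taken
to be its image path (assumption); the last three are constructed benign
records. Rule names and path lists are this example's own choices.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

EVENTS = [
    # --- from the report (behavioral1 command lines) ---
    {"image": SAMPLE, "parent": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe", "parent": SAMPLE,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgCYazeYwNyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB7A.tmp"'},
    {"image": MSBUILD, "parent": SAMPLE, "cmdline": f'"{MSBUILD}"'},  # shown as "{path}" in the report
    {"image": r"C:\Windows\SysWOW64\explorer.exe", "parent": MSBUILD,
     "cmdline": r'"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs'},
    {"image": r"C:\Windows\System32\WScript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"'},
    # --- constructed benign records (assumed, for contrast) ---
    {"image": MSBUILD,
     "parent": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "cmdline": '"' + MSBUILD + r'" /nologo C:\src\App\App.csproj'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /Create /TN "Ops\NightlyBackup" /XML "C:\ProgramData\Ops\backup.xml"'},
    {"image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},
]

# Path fragments treated as user-writable (assumed list, extend for your estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
PROJECT_EXT = (".sln", ".csproj", ".vbproj", ".vcxproj", ".proj", ".targets")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")

def tokens(cmdline):
    """Split a command line on spaces, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def in_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)

def evaluate(ev):
    """Return the rule names this one process-creation record trips."""
    image = PureWindowsPath(ev["image"]).name.lower()
    low = [a.lower() for a in tokens(ev["cmdline"])[1:]]  # arguments only
    hits = []
    if image == "msbuild.exe":
        # A hollowed MSBuild.exe runs with no project file, started by a
        # parent living in a user-writable directory.
        if not any(a.endswith(PROJECT_EXT) for a in low) or in_user_writable(ev["parent"]):
            hits.append("msbuild_no_project_or_untrusted_parent")
    if image == "schtasks.exe" and "/create" in low:
        # Task registered from an XML definition dropped in %TEMP%.
        for i, a in enumerate(low[:-1]):
            if a == "/xml" and in_user_writable(low[i + 1]):
                hits.append("schtasks_create_from_temp_xml")
    if image in ("explorer.exe", "wscript.exe", "cscript.exe"):
        # explorer.exe used as a proxy to open a script, or a script host
        # running a script from the user profile.
        if any(a.endswith(SCRIPT_EXT) and in_user_writable(a) for a in low):
            hits.append(image[:-4] + "_runs_script_from_user_profile")
    return hits

def scan(events):
    """[(index, rule names)] for every record that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, hits))
    return out

if __name__ == "__main__":
    for i, hits in scan(EVENTS):
        print(i, EVENTS[i]["cmdline"], "->", ", ".join(hits))
```

Four of the five report records trip a rule (the initial launch of the sample itself is not covered, since a file in %TEMP% is not suspicious on its own), and none of the benign records do. The MSBuild rule is the one to tune: builds driven by Visual Studio or dotnet carry a project argument and a parent under Program Files, but a build server that invokes MSBuild from a scratch directory would need an allow-list entry.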

Files

memory/1756-130-0x0000000000E60000-0x0000000000F04000-memory.dmp

memory/1756-131-0x0000000005DF0000-0x0000000006394000-memory.dmp

memory/1756-132-0x00000000058E0000-0x0000000005972000-memory.dmp

memory/1756-133-0x00000000058B0000-0x00000000058BA000-memory.dmp

memory/1756-134-0x00000000096A0000-0x0000000009BCC000-memory.dmp

memory/1756-135-0x0000000009E20000-0x0000000009EBC000-memory.dmp

memory/2684-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1369.tmp

MD5 3de8c14ec96ec303edb27a3d7621fb7c
SHA1 fe5e3b9dce8e9642f18a889f907ffd9b2b96457d
SHA256 d1ca0e5dbe3e15164cf809c0822d535a2e02cbd7db620fe8d4970f6b5e24553b
SHA512 ee1c9714f7a222ab3bccac737f8416ffb73e925855e5c204e248a8dc6db0141b50115276e51116b7d481e9bb1eaa206ebed5dbd0249ba3bf0f3bd2aedd559049

memory/3360-138-0x0000000000000000-mapping.dmp

memory/3360-139-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-141-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-143-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-144-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-145-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-146-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-150-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-153-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-154-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-155-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3360-161-0x0000000004E50000-0x0000000004EB6000-memory.dmp

memory/3704-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Execution.vbs

MD5 6fbcefb8b324ce783f73b19a810f1297
SHA1 34280ec0bb93b843b02dd44847d3977aed67b99a
SHA256 b752575dc6f00086f146d1f22cd19f2b944117056afa8b3800e1e98ed9f47378
SHA512 00cf9418d9c991ff6d6de021b8366f2ebb7e8c03a553b8ea72490445a7fba6d4f39ef7d9ff056e97087c286e72cfc5378f7befbb704a9434f09983d54c2440f0

memory/4792-164-0x0000000000000000-mapping.dmp