Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 27-06-2022 13:23
- Static task: static1
- Behavioral task: behavioral1 (sample Receipt.js, resource win7-20220414-en)
- Behavioral task: behavioral2 (sample Receipt.js, resource win10v2004-20220414-en)
General
- Target: Receipt.js
- Size: 90KB
- MD5: e5b59195d361dcb825f4f8d37b2cb5ee
- SHA1: 68457e878a1b2a3302c605282e3c69c6438d07f5
- SHA256: 67b8f61733545f594194b178e41949e88ac493a5027eb9cd2b1000f5cba3922e
- SHA512: 23220d9ad19f79f94106bf250f87bb2a9ef8e78fb695b63c19e7327c60ae0bea3202396433a0d249e5bb73455d434ff7870c70903a4d2dc848d4e0b49e40dd73
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HACKED JFK
- C2: 103.149.13.61:4545
- Mutex: 782e4e93b9158d4d448232ed139fc0db
- Attributes:
  - reg_key: 782e4e93b9158d4d448232ed139fc0db
  - splitter: |'|'|
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HACKED... W2B
- C2: 103.149.13.61:4545
- Mutex: f33599fc8954f4bf201159e017f34658
- Attributes:
  - reg_key: f33599fc8954f4bf201159e017f34658
  - splitter: |'|'|
Signatures
- suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin UA
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
- suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)
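As an added example (not part of the sandbox report and not njRAT's own code), the following Python shows how the extracted splitter and reg_key values appear on the wire, which is what the njRAT Suricata rules above key on. njRAT 0.7d frames each TCP message as a decimal length, a NUL byte and the payload; the payload is a command verb followed by splitter-separated fields, and the registration beacon uses the verb "ll" (the "(ll)" in the Generic njRAT/Bladabindi rule name). The sample beacon here is constructed, not captured: the field order, the host details and the assumption that the first field is base64 of "<reg_key>_<volume serial>" are taken from commonly documented njRAT 0.7d behaviour and should be read as assumptions, not as something this report shows.

```python
import base64

SPLITTER = "|'|'|"   # field separator from the extracted config above
REG_KEY = "782e4e93b9158d4d448232ed139fc0db"   # reg_key / mutex from the first extracted config


def build_frame(fields, splitter=SPLITTER):
    """Frame one message the way njRAT 0.7d does: '<decimal length>\\x00<payload>'."""
    body = splitter.join(fields).encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def frame_messages(stream):
    """Split a raw TCP stream into message payloads, rejecting truncated frames."""
    out, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0 or not stream[pos:nul].isdigit():
            raise ValueError("bad frame header at offset %d" % pos)
        length = int(stream[pos:nul])
        body = stream[nul + 1:nul + 1 + length]
        if len(body) != length:
            raise ValueError("truncated frame body at offset %d" % nul)
        out.append(body)
        pos = nul + 1 + length
    return out


def parse_message(payload, splitter=SPLITTER):
    """Split a payload into the command verb and its splitter-separated arguments."""
    fields = payload.decode("utf-8", "replace").split(splitter)
    return {"cmd": fields[0], "args": fields[1:]}


def looks_like_checkin(msg):
    """Heuristic for the registration beacon: verb 'll' with several arguments.

    This is only a rough analogue of what the ET 'Generic njRAT/Bladabindi CnC
    Activity (ll)' rule name suggests, not that rule's actual content.
    """
    return msg["cmd"] == "ll" and len(msg["args"]) >= 3


def victim_id(msg):
    """Decode the first check-in argument (assumed: base64 of '<reg_key>_<volume serial>')."""
    return base64.b64decode(msg["args"][0]).decode("utf-8", "replace")


# Constructed sample beacon (not captured traffic); serial, host and window title are made up.
SAMPLE_CHECKIN = build_frame([
    "ll",
    base64.b64encode((REG_KEY + "_1A2B3C4D").encode()).decode(),
    "LAB-WIN7",                  # assumed: computer name
    "Admin",                     # assumed: user name
    "22-06-27",                  # assumed: install date
    "",
    "Win 7 Ultimate SP1 x64",    # assumed: OS string
    "No",                        # assumed: webcam flag
    "0.7d",                      # version, matches the extracted config
    "..",
    base64.b64encode(b"Receipt.js - Notepad").decode(),   # assumed: active window title
    "",
])

if __name__ == "__main__":
    for payload in frame_messages(SAMPLE_CHECKIN + build_frame(["inf"])):
        msg = parse_message(payload)
        print(msg["cmd"], "check-in" if looks_like_checkin(msg) else "other")
```

The length prefix means a splitter or NUL inside a field cannot desynchronise the parser, so the same function can be pointed at a pcap's reassembled stream; a network detection that only looks for the splitter string would also fire on the second "inf"-style command, which is why the heuristic checks the verb as well.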
Blocklisted process makes network request (64 IoCs)
Processes (flow ids per PID):
- PID 2032 wscript.exe: flows 7, 11, 14, 21, 25, 33, 44, 51, 63, 74, 83, 94, 105
- PID 1992 wscript.exe: flows 8, 10, 15, 20, 27, 35, 40, 53, 61, 72, 81, 92, 101
- PID 860 wscript.exe: flows 19, 23, 28, 31, 38, 42, 49, 55, 58, 66, 70, 78, 85, 87, 96, 100
- PID 1396 wscript.exe: flows 30, 32, 39, 45, 50, 56, 59, 68, 75, 79, 86, 89, 98, 103
- PID 1896 WScript.exe: flows 48, 57, 67, 76, 82, 88, 99, 106
Executes dropped EXE (2 IoCs)
Processes:
- PID 1100 Server.exe
- PID 872 tmp3DDF.tmp.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Drops startup file (12 IoCs)
Processes (description | ioc | process), all under C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\:
- File opened for modification | tmp9158.tmp.vbs | wscript.exe
- File opened for modification | tmp15F4.tmp.vbs | WScript.exe
- File created | iFNNVMKeTo.js | wscript.exe
- File opened for modification | iFNNVMKeTo.js | wscript.exe
- File opened for modification | 782e4e93b9158d4d448232ed139fc0db.exe | Server.exe
- File created | tmp9158.tmp.vbs | WScript.exe
- File created | tmpC757.tmp.vbs | WScript.exe
- File opened for modification | tmpC757.tmp.vbs | wscript.exe
- File created | tmp15F4.tmp.vbs | WScript.exe
- File created | fUpoWkUvrS.js | wscript.exe
- File opened for modification | fUpoWkUvrS.js | wscript.exe
- File created | 782e4e93b9158d4d448232ed139fc0db.exe | Server.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 26 IoCs)
Processes (description | key or value | process). HKU stands for \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000, HKLM for \REGISTRY\MACHINE, and Run for Software\Microsoft\Windows\CurrentVersion\Run:
- Key created | HKU\Run | wscript.exe
- Set value (str) | HKU\Run\tmpC757 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\tmpC757.tmp.vbs" | WScript.exe
- Set value (str) | HKLM\Run\tmpC757 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\tmpC757.tmp.vbs" | WScript.exe
- Set value (str) | HKLM\Run\tmpC757 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\tmpC757.tmp.vbs" | wscript.exe
- Key created | HKU\Run | WScript.exe
- Key created | HKLM\Run | WScript.exe
- Key created | HKLM\Run | WScript.exe
- Set value (str) | HKLM\Run\tmp15F4 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\tmp15F4.tmp.vbs" | WScript.exe
- Set value (str) | HKU\Run\tmpC757 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\tmpC757.tmp.vbs" | wscript.exe
- Key created | HKU\Run | WScript.exe
- Set value (str) | HKU\Run\YVBPFHTJIQ = "C:\Users\Admin\AppData\Roaming\iFNNVMKeTo.js" | wscript.exe
- Set value (str) | HKU\Run\782e4e93b9158d4d448232ed139fc0db = "C:\Users\Admin\AppData\Local\Temp\Server.exe" .. | Server.exe
- Set value (str) | HKLM\Run\782e4e93b9158d4d448232ed139fc0db = "C:\Users\Admin\AppData\Local\Temp\Server.exe" .. | Server.exe
- Set value (str) | HKU\Run\tmp9158 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\tmp9158.tmp.vbs" | WScript.exe
- Set value (str) | HKLM\Run\tmp9158 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\tmp9158.tmp.vbs" | WScript.exe
- Key created | HKLM\Run | wscript.exe
- Key created | HKU\Run | wscript.exe
- Set value (str) | HKU\Run\YVBPFHTJIQ = "C:\Users\Admin\AppData\Roaming\fUpoWkUvrS.js" | wscript.exe
- Key created | HKU\Run | wscript.exe
- Key created | HKLM\Run | wscript.exe
- Key created | HKU\Run | WScript.exe
- Key created | HKLM\Run | WScript.exe
- Set value (str) | HKLM\Run\tmp9158 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\tmp9158.tmp.vbs" | wscript.exe
- Set value (str) | HKU\Run\tmp15F4 = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\tmp15F4.tmp.vbs" | WScript.exe
- Key created | HKU\Run | wscript.exe
- Set value (str) | HKU\Run\tmp9158 = wscript.exe //B "C:\Users\Admin\AppData\Roaming\tmp9158.tmp.vbs" | wscript.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
- PID 1100 Server.exe
- PID 872 tmp3DDF.tmp.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1100 | Server.exe (1 occurrence)
- Token: 33 | 1100 | Server.exe (10 occurrences, alternating with the next entry)
- Token: SeIncBasePriorityPrivilege | 1100 | Server.exe (10 occurrences)
Suspicious use of WriteProcessMemory (30 IoCs)
Processes (source pid/process -> target pid/process; each pair is recorded 3 times):
- 1932 wscript.exe -> 1992 wscript.exe
- 1932 wscript.exe -> 2032 wscript.exe
- 1932 wscript.exe -> 1100 Server.exe
- 1100 Server.exe -> 1420 netsh.exe
- 1100 Server.exe -> 1496 WScript.exe
- 1496 WScript.exe -> 860 wscript.exe
- 1100 Server.exe -> 1920 WScript.exe
- 1920 WScript.exe -> 1396 wscript.exe
- 1100 Server.exe -> 1896 WScript.exe
- 1100 Server.exe -> 872 tmp3DDF.tmp.exe
Processes
- (level 1) C:\Windows\system32\wscript.exe (PID 1932)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Receipt.js
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Windows\System32\wscript.exe (PID 1992)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\fUpoWkUvrS.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - (level 2) C:\Windows\System32\wscript.exe (PID 2032)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\iFNNVMKeTo.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - (level 2) C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 1100)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\system32\netsh.exe (PID 1420)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
      - Modifies Windows Firewall
    - (level 3) C:\Windows\System32\WScript.exe (PID 1496)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9158.tmp.vbs"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - (level 4) C:\Windows\System32\wscript.exe (PID 860)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tmp9158.tmp.vbs"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
    - (level 3) C:\Windows\System32\WScript.exe (PID 1920)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmpC757.tmp.vbs"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - (level 4) C:\Windows\System32\wscript.exe (PID 1396)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tmpC757.tmp.vbs"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
    - (level 3) C:\Windows\System32\WScript.exe (PID 1896)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp15F4.tmp.vbs"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
    - (level 3) C:\Users\Admin\AppData\Local\Temp\tmp3DDF.tmp.exe (PID 872)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp3DDF.tmp.exe"
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
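As an added example (not part of the report), the Python below is detection logic that runs over constructed event records modelled on the "Adds Run key", "Drops startup file" and process-tree entries above, and flags the three persistence and evasion patterns this sample exhibits: a Run value that launches a script host or a .js/.vbs file, a Run value pointing at an executable in a user-writable directory, and a firewall exception added for a program under AppData (the netsh line in the tree). The event schema, the rule names and the benign control entry are invented for this example; the paths and value names are taken from the report.

```python
import re
from pathlib import PureWindowsPath

# Locations a standard user can write to; persistence pointing here is suspect.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.IGNORECASE)
NETSH_ALLOW = re.compile(
    r"\bnetsh\b.*\b(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.IGNORECASE,
)
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')


def _paths_in(text):
    """Pull drive-letter paths out of a command line or registry value (paths with spaces must be quoted)."""
    return WIN_PATH.findall(text)


def scan_events(events):
    """Return (rule, subject, process) findings for the persistence patterns seen in the report."""
    findings = []
    for ev in events:
        if ev["type"] == "reg_set" and RUN_KEY.search(ev["key"]):
            name = ev["key"].rsplit("\\", 1)[1]
            paths = _paths_in(ev["data"])
            if SCRIPT_HOST.search(ev["data"]) or any(
                PureWindowsPath(p).suffix.lower() in SCRIPT_EXT for p in paths
            ):
                findings.append(("run_key_script", name, ev["process"]))
            elif any(USER_WRITABLE.search(p) for p in paths):
                findings.append(("run_key_user_writable_exe", name, ev["process"]))
        elif ev["type"] == "file_create" and STARTUP_DIR.search(ev["path"]):
            findings.append(("startup_folder_drop", PureWindowsPath(ev["path"]).name, ev["process"]))
        elif ev["type"] == "process" and NETSH_ALLOW.search(ev["cmdline"]):
            if any(USER_WRITABLE.search(p) for p in _paths_in(ev["cmdline"])):
                findings.append(("firewall_allow_user_writable", ev["image"], ev["parent"]))
    return findings


HKU = r"\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000"
HKLM = r"\REGISTRY\MACHINE"
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample events modelled on the report; the schema is invented for this example.
SAMPLE_EVENTS = [
    {"type": "reg_set", "key": HKU + RUN + r"\tmpC757",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Roaming\tmpC757.tmp.vbs"', "process": "WScript.exe"},
    {"type": "reg_set", "key": HKLM + RUN + r"\782e4e93b9158d4d448232ed139fc0db",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\Server.exe" ..', "process": "Server.exe"},
    {"type": "reg_set", "key": HKU + RUN + r"\YVBPFHTJIQ",
     "data": r'"C:\Users\Admin\AppData\Roaming\iFNNVMKeTo.js"', "process": "wscript.exe"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp9158.tmp.vbs",
     "process": "WScript.exe"},
    {"type": "process", "image": r"C:\Windows\system32\netsh.exe", "parent": "Server.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE'},
    # Benign control (invented): a vendor Run value under System32 must not fire.
    {"type": "reg_set", "key": HKLM + RUN + r"\SecurityHealth",
     "data": r"C:\Windows\System32\SecurityHealthSystray.exe", "process": "explorer.exe"},
]

if __name__ == "__main__":
    for rule, subject, proc in scan_events(SAMPLE_EVENTS):
        print(f"{rule:30} {subject:45} by {proc}")
```

The script-host check is deliberately independent of the file extension, because the Run values in this report name the .vbs path only inside the wscript.exe //B command line, while the YVBPFHTJIQ value names a .js file with no host at all; both need to be caught. The benign System32 entry is there to show the user-writable rule does not fire on ordinary autostarts.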
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 25KB
  MD5: 7398714aa7e951484c0230bd1919a4d7
  SHA1: ba27dc586f7de6d5bc21e54a8ba7b02c980b23ac
  SHA256: d6355ea09274149b47d0fab0edc18d2627a1866557ac3a4cce6f4f15b586b9c2
  SHA512: 391249bdee93f2d2bea6c2c46f791d9533de73c79804a11ac18959fbf3eaf87483988c4fd1310187bf6a8afe3757c302682025b6295380ea0dc6b383693719cf
- C:\Users\Admin\AppData\Local\Temp\tmp15F4.tmp.vbs
  Filesize: 24KB
  MD5: e5c1dda5ea4a32f330a5c18582e151f9
  SHA1: b1330ee206fc1eab7baf4002080f4b66ff047696
  SHA256: 3c6ed7bec65ed875a7c4df525b1bb9f4c7dd63727816c02ba41d0571fe48aad2
  SHA512: 0012d3189984839beba89b15460104462f62e1331181ddf05a6ad1cfb6593812bb497cca11eb539d13cd716028298236eb0eda9afa837a6b1a20b400822a4459
- C:\Users\Admin\AppData\Local\Temp\tmp3DDF.tmp.exe
  Filesize: 25KB
  MD5: 13a393f4abc0575a0c3661a2058c6a92
  SHA1: c35e88355d846094a9b9aeaef3822725cd65c898
  SHA256: 685deaa148f2ded23bfac7a5bced8399f438b6825c48fa3c4d302470d4c23ad4
  SHA512: f33ef8ac7264a64982873a9dc7defff8c161376c59844047cf117b64d35c1d46c708e6fa03e7b2f999233816892ea6bad62f09a81112247502cf611904709ba6
- One 13KB VBS file written to six paths (identical hashes at every path):
  C:\Users\Admin\AppData\Local\Temp\tmp9158.tmp.vbs
  C:\Users\Admin\AppData\Local\Temp\tmpC757.tmp.vbs
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp9158.tmp.vbs
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmpC757.tmp.vbs
  C:\Users\Admin\AppData\Roaming\tmp9158.tmp.vbs
  C:\Users\Admin\AppData\Roaming\tmpC757.tmp.vbs
  Filesize: 13KB
  MD5: 3c5846a19b95e2441a049c7c2e8eeb14
  SHA1: 9d30716b1eef3995228ac87cf800d2acdec9e0fc
  SHA256: e72818e8c8076b6d0d4c10604f4c0681148c7e17ca0099fe5bf17c0dd27b7cd1
  SHA512: 32e8f1e0e45f5cfc733de865fdbc3b69d2e21183a67d06e270dbbeb2d701db10d62b4048f9ece0bbff95d96a517030f5a51d1883a32d189a6d9554f001f40476
- C:\Users\Admin\AppData\Roaming\fUpoWkUvrS.js
  Filesize: 5KB
  MD5: 52aad348d257b926fa2d4f1a82cf1b57
  SHA1: e7abda58f3159c4fadff80d82134af85368657ad
  SHA256: 371579c4cd2bb1df7ffde8cf0ea994971abd4223136e2e298da1bac30f143fe1
  SHA512: 999c8b81462f0b4cb6d5ec379090fc45dd5403a9cdf3207e5eba1d415baf4872b7070ee44bb04cba3e87b93ef5f8613a4d479e82c5f2c2669200f618977edc49
- C:\Users\Admin\AppData\Roaming\iFNNVMKeTo.js
  Filesize: 5KB
  MD5: 57a4f324e829737f1e47259fa85f5c5d
  SHA1: 6815e1002cb458b2bfbd30e2f4b40a471fea70ab
  SHA256: 6f8fb242f23dd921cf19f13ea989ee438c573c6cefc56c59cbec7cfcc9a56393
  SHA512: ddc62319afd4f7d03abc5c2a090468e3154f112b06e890aefcf1de8f6154e53d4cf71a895e40bbe805c893fd7f598108355106196fbb59c36e68ed52f4d847ed
- memory/860-71-0x0000000000000000-mapping.dmp
- memory/872-91-0x0000000000FE0000-0x0000000000FEC000-memory.dmp (Filesize: 48KB)
- memory/872-88-0x0000000000000000-mapping.dmp
- memory/1100-82-0x000000001ABF0000-0x000000001AC54000-memory.dmp (Filesize: 400KB)
- memory/1100-59-0x0000000000000000-mapping.dmp
- memory/1100-84-0x000000001BD70000-0x000000001BDCE000-memory.dmp (Filesize: 376KB)
- memory/1100-87-0x000000001BF50000-0x000000001BFD0000-memory.dmp (Filesize: 512KB)
- memory/1100-64-0x0000000000330000-0x000000000033C000-memory.dmp (Filesize: 48KB)
- memory/1396-78-0x0000000000000000-mapping.dmp
- memory/1420-66-0x0000000000000000-mapping.dmp
- memory/1496-68-0x0000000000000000-mapping.dmp
- memory/1896-83-0x0000000000000000-mapping.dmp
- memory/1920-75-0x0000000000000000-mapping.dmp
- memory/1932-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp (Filesize: 8KB)
- memory/1992-55-0x0000000000000000-mapping.dmp
- memory/2032-56-0x0000000000000000-mapping.dmp