Analysis Overview
SHA256
da581bea8917ae4b052e9978b8264b3257e06d80b2973c29e80cdf216a8640c4
Threat Level: Known bad
The file FCR22001306.js was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Vjw0rm
Nirsoft
NirSoft MailPassView
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Accesses Microsoft Outlook accounts
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Script User-Agent
Kills process with taskkill
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 08:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 08:16
Reported
2022-11-01 08:18
Platform
win7-20220901-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Vjw0rm
WSHRAT
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js | C:\Windows\System32\wscript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCR22001306.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCR22001306.js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | egodds.longmusic.com | udp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| US | 8.8.8.8:53 | wshsoft.company | udp |
| SG | 194.59.164.67:80 | wshsoft.company | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
Files
memory/1168-54-0x000007FEFBBF1000-0x000007FEFBBF3000-memory.dmp
memory/1360-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js
| MD5 | 18aa18aca1d624556d87fd1c3c8dfc4a |
| SHA1 | 45509a074cd5f5d11d507a7fe0bcb733f874e90d |
| SHA256 | 27765e27d897d45fb5cc093197a65545ed4a120130e12cc88e70f41e68788036 |
| SHA512 | 80e7fcc1551290772a960b76445999f85f5cbef24cf2b860c7d8e0e7ea1a2a284e8b120a203947c2e8f2cdff13193095c00922e6f7e7cc94069e8846bad4554a |
memory/1460-58-0x0000000000000000-mapping.dmp
memory/1460-60-0x000007FEF3840000-0x000007FEF4263000-memory.dmp
memory/1460-62-0x00000000027D4000-0x00000000027D7000-memory.dmp
memory/1460-61-0x000007FEF2650000-0x000007FEF31AD000-memory.dmp
memory/1460-63-0x000000001B720000-0x000000001BA1F000-memory.dmp
memory/1460-64-0x00000000027D4000-0x00000000027D7000-memory.dmp
memory/1460-65-0x00000000027DB000-0x00000000027FA000-memory.dmp
memory/1964-66-0x0000000000000000-mapping.dmp
memory/1432-67-0x0000000000000000-mapping.dmp
memory/1948-68-0x0000000000000000-mapping.dmp
memory/764-69-0x0000000000000000-mapping.dmp
memory/1368-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
| MD5 | 54e8ded7b148a13d3363ac7b33f6eb06 |
| SHA1 | 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9 |
| SHA256 | 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342 |
| SHA512 | bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349 |
memory/1368-72-0x00000000760E1000-0x00000000760E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cmdc.cfg
| MD5 | 70e69155b8080b5db35191ab8426d084 |
| SHA1 | 383deaaee90ce71b28b0a6e22124e77aa1cccf8b |
| SHA256 | 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe |
| SHA512 | c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342 |
memory/748-74-0x0000000000000000-mapping.dmp
memory/868-75-0x0000000000000000-mapping.dmp
memory/2008-76-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
| MD5 | 54e8ded7b148a13d3363ac7b33f6eb06 |
| SHA1 | 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9 |
| SHA256 | 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342 |
| SHA512 | bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349 |
memory/1692-79-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-01 08:16
Reported
2022-11-01 08:18
Platform
win10v2004-20220812-en
Max time kernel
71s
Max time network
152s
Command Line
Signatures
Vjw0rm
WSHRAT
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FCR22001306.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lzwNNcWAsq.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCR22001306.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FCR22001306 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FCR22001306.js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1128 wrote to memory of 4380 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1128 wrote to memory of 4380 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\FCR22001306.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | egodds.longmusic.com | udp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| US | 8.8.8.8:53 | wshsoft.company | udp |
| SG | 194.59.164.67:80 | wshsoft.company | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| GB | 51.132.193.104:443 | | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
| NG | 41.217.12.189:5465 | javaautorun.duia.ro | tcp |
| JP | 172.93.220.135:2084 | egodds.longmusic.com | tcp |
Files
memory/4380-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\lzwNNcWAsq.js
| MD5 | 18aa18aca1d624556d87fd1c3c8dfc4a |
| SHA1 | 45509a074cd5f5d11d507a7fe0bcb733f874e90d |
| SHA256 | 27765e27d897d45fb5cc093197a65545ed4a120130e12cc88e70f41e68788036 |
| SHA512 | 80e7fcc1551290772a960b76445999f85f5cbef24cf2b860c7d8e0e7ea1a2a284e8b120a203947c2e8f2cdff13193095c00922e6f7e7cc94069e8846bad4554a |
memory/2336-134-0x0000000000000000-mapping.dmp
memory/2336-135-0x000002147B220000-0x000002147B242000-memory.dmp
memory/2336-136-0x000002147B250000-0x000002147B25A000-memory.dmp
memory/2336-137-0x00007FFAD8B90000-0x00007FFAD9651000-memory.dmp
memory/2336-138-0x000002147CB80000-0x000002147CB88000-memory.dmp
memory/2336-139-0x00007FFAD8B90000-0x00007FFAD9651000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp.txt
| MD5 | c416c12d1b2b1da8c8655e393b544362 |
| SHA1 | fb1a43cd8e1c556c2d25f361f42a21293c29e447 |
| SHA256 | 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046 |
| SHA512 | cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c |
memory/3196-141-0x0000000000000000-mapping.dmp
memory/4952-142-0x0000000000000000-mapping.dmp
memory/1680-144-0x0000000000000000-mapping.dmp
memory/732-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
| MD5 | 54e8ded7b148a13d3363ac7b33f6eb06 |
| SHA1 | 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9 |
| SHA256 | 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342 |
| SHA512 | bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349 |
memory/4024-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
| MD5 | 54e8ded7b148a13d3363ac7b33f6eb06 |
| SHA1 | 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9 |
| SHA256 | 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342 |
| SHA512 | bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349 |
C:\Users\Admin\AppData\Local\Temp\cmdc.cfg
| MD5 | 70e69155b8080b5db35191ab8426d084 |
| SHA1 | 383deaaee90ce71b28b0a6e22124e77aa1cccf8b |
| SHA256 | 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe |
| SHA512 | c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342 |
memory/3236-149-0x0000000000000000-mapping.dmp