Malware Analysis Report

2025-01-18 12:23

Sample ID 221116-klfasadg3v
Target IMG-NEW-PO-LIST-993837665598576.exe
SHA256 fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16
Tags
wshrat evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16

Threat Level: Known bad

The file IMG-NEW-PO-LIST-993837665598576.exe was found to be: Known bad.

Malicious Activity Summary

wshrat evasion persistence trojan

WSHRAT payload

WSHRAT

Blocklisted process makes network request

Executes dropped EXE

Disables Task Manager via registry modification

Drops startup file

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-16 08:41

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-16 08:41

Reported

2022-11-16 08:43

Platform

win10v2004-20220901-en

Max time kernel

142s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target Count
N/A N/A N/A N/A 15 (payload hits recorded without indicator, process or target details)

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A 5
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A 6
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A 5
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A 5

Drops startup file

Description Indicator Process Target Count
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A 1
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A 5

Adds Run key to start application

persistence
Description Indicator Process Target Count
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A 6
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A 6
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A 5
Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A 6
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A 6
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A 5
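
The Run-key rows are the persistence evidence a responder pulls from this report first: the VBS stage registers itself under both the 32-bit HKLM view and the user hive as a silent wscript.exe //B launch of a script in %TEMP%, and the dropped jbdg.exe registers itself under the name WindowsUpdate. The Python below is an added example, not part of the sandbox report or of any sandbox product's API. It parses "Set value (str)" rows in the exact format printed above (the four sample rows are copied from the table and embedded as constructed input), collapses repeats with a count, and applies the checks a triage analyst would otherwise do by eye. The user-writable path list, the script-host pattern and the "value name mimics a Windows component" check are assumptions to tune per environment, not sandbox signatures.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: four "Set value (str)" rows copied from the report above
# (HKLM and HKU writes of WmBqH, one repeat, and the WindowsUpdate value).
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A
'''

# One report row: Set value (str) <key>\<name> = "<data>" <writer> <target>
SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\\s]+) = '
    r'"(?P<data>.*)" (?P<writer>\S+) (?P<target>\S+)$'
)
# Locations an unprivileged user can write to (assumption: extend per environment).
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\', re.I)
SCRIPT_HOST = re.compile(r'\b[wc]script(?:\.exe)?\b', re.I)


@dataclass(frozen=True)
class RunValue:
    hive: str      # "HKLM" or "HKU"
    wow64: bool    # written through the WOW6432Node view, i.e. by a 32-bit process
    name: str
    command: str   # value data with the report's \\ and \" escapes undone
    writer: str    # process that wrote the value


def parse_run_events(text):
    """Return (distinct RunValues in first-seen order, Counter of writes per value)."""
    seen, order = Counter(), []
    for line in text.strip().splitlines():
        m = SET_VALUE_RE.match(line)
        if not m:
            continue
        key = m['key']
        command = m['data'].replace('\\"', '"').replace('\\\\', '\\')
        rv = RunValue('HKLM' if key.startswith(r'\REGISTRY\MACHINE') else 'HKU',
                      'WOW6432Node' in key, m['name'], command, m['writer'])
        if rv not in seen:
            order.append(rv)
        seen[rv] += 1
    return order, seen


def assess(rv):
    """Reasons this Run value looks like malware persistence (empty list = nothing notable)."""
    reasons = []
    if SCRIPT_HOST.search(rv.command):
        reasons.append('script host launched from Run key')
        if '//B' in rv.command:            # batch mode: no script errors shown to the user
            reasons.append('silent (//B) execution')
    if USER_WRITABLE.search(rv.command):
        reasons.append('command points into a user-writable directory')
    if USER_WRITABLE.search(rv.writer):
        reasons.append('written by a process running from a user-writable directory')
    if rv.name.lower().startswith('windows') and '\\windows\\' not in rv.command.lower():
        reasons.append('value name mimics a Windows component but command is not under \\Windows\\')
    return reasons


def triage(text):
    """[(RunValue, write_count, reasons)] for every distinct value that tripped a heuristic."""
    order, seen = parse_run_events(text)
    return [(rv, seen[rv], assess(rv)) for rv in order if assess(rv)]


if __name__ == '__main__':
    for rv, n, reasons in triage(SAMPLE_EVENTS):
        view = '/WOW6432Node' if rv.wow64 else ''
        print(f'{rv.hive}{view} Run\\{rv.name} (written {n}x by {rv.writer})')
        for r in reasons:
            print('   -', r)
```

Run against the full table rather than the four sample rows, the same parser yields exactly the three distinct values shown above; on a live host the same checks apply to the output of reg query on both Run keys, which is why the hive and WOW6432Node view are kept separate rather than merged.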

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target Count
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe N/A 1
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A 5
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A 6

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A 62

Suspicious use of WriteProcessMemory

Each row below is one distinct writer/target pair; Count is how many times the sandbox logged that write. Read top to bottom the pairs form the same chain as the Processes list below: the dropper writes into WScript.exe, which writes into jbdg.exe, which writes into a RegSvcs.exe copy in %TEMP% (five writes per instance, alongside the SetThreadContext signature in the summary) and also into a second WScript.exe that starts the next jbdg.exe generation, so the same four-step pattern repeats with fresh PIDs.

Description Indicator Process Target Count
PID 4836 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe C:\Windows\SysWOW64\WScript.exe 3
PID 1324 wrote to memory of 4300 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe 3
PID 4300 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe 5
PID 5052 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe 3
PID 4568 wrote to memory of 5084 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe 3
PID 4300 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe 3
PID 2044 wrote to memory of 4752 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe 3
PID 4752 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe 5
PID 3444 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe 3
PID 3836 wrote to memory of 3336 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe 3
PID 4752 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4804 wrote to memory of 4612 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe 3
PID 4612 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe 5
PID 5112 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe 3
PID 1076 wrote to memory of 1488 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe 3
PID 4612 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4120 wrote to memory of 3548 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe 3
PID 3548 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe 5
PID 2648 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe 2

Processes

C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe

"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" hfljhvpnk.pdf

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
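
The WriteProcessMemory table and the Processes list above describe the same thing from two angles: a process graph in which jbdg.exe writes into a RegSvcs.exe copy dropped to %TEMP% (the legitimate RegSvcs.exe lives under %WINDIR%\Microsoft.NET\Framework) and then relaunches itself through run.vbs. The Python below is an added example, not sandbox tooling: it rebuilds that graph from "wrote to memory of" rows in the report's own format, keeps a per-edge write count, flags writes into a process whose image borrows a .NET utility name but lives in a user-writable directory, and measures how many generations deep the dropper re-executes itself. The constructed input is the distinct edges of the first two generations copied from the table, with one edge repeated to exercise the counting; HOLLOW_HOSTS and USER_WRITABLE are assumptions a responder maintains, not facts stated by the report.

```python
import re
from collections import Counter, defaultdict

# Constructed input: distinct "wrote to memory of" edges copied from the report
# (the report prints each edge 3 or 5 times; one repeat is kept here).
WPM_ROWS = r'''
PID 4836 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe C:\Windows\SysWOW64\WScript.exe
PID 1324 wrote to memory of 4300 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 4300 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 4300 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 5052 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 4568 wrote to memory of 5084 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 4300 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe
PID 2044 wrote to memory of 4752 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 4752 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3444 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 3836 wrote to memory of 3336 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 4752 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe
PID 4804 wrote to memory of 4612 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 4612 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
'''

WPM_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$')
# Signed .NET utilities that loaders commonly start suspended and overwrite
# (assumption: a responder-maintained list, not something the report states).
HOLLOW_HOSTS = {'regsvcs.exe', 'regasm.exe', 'installutil.exe', 'msbuild.exe', 'applaunch.exe'}
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\|\\Temp\\', re.I)


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def parse_edges(text):
    """Return (Counter{(src_pid, dst_pid): writes}, {pid: image path})."""
    edges, images = Counter(), {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst))] += 1
        images[int(src)], images[int(dst)] = src_img, dst_img
    return edges, images


def hollowing_candidates(edges, images):
    """Writes into a process whose image carries a legitimate .NET utility name but
    lives in a user-writable directory: [(writer_pid, target_pid, writer_image, writes)]."""
    hits = []
    for (src, dst), n in sorted(edges.items()):
        img = images[dst]
        if basename(img) in HOLLOW_HOSTS and USER_WRITABLE.search(img):
            hits.append((src, dst, basename(images[src]), n))
    return hits


def chains(edges, images):
    """Every root-to-leaf path through the write graph, as lists of image basenames."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = [pid for pid in children if pid not in targets]
    paths = []

    def walk(pid, path):
        path = path + [basename(images[pid])]
        kids = children.get(pid, [])
        if not kids:
            paths.append(path)
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return paths


def relaunch_depth(edges, images, image_name):
    """Max number of times one image recurs along a single chain: more than 1 means
    the dropper spawns a fresh copy of itself each generation."""
    return max(path.count(image_name.lower()) for path in chains(edges, images))


if __name__ == '__main__':
    edges, images = parse_edges(WPM_ROWS)
    for src, dst, writer, n in hollowing_candidates(edges, images):
        print(f'{writer} (PID {src}) wrote {n}x into {images[dst]} (PID {dst})')
    print('jbdg.exe generations on the deepest chain:',
          relaunch_depth(edges, images, 'jbdg.exe'))
```

On the full table the hollowing check returns four RegSvcs.exe targets (5052, 3444, 5112, 2648) with five writes each, and the dropper depth keeps growing until the sandbox's 142 s kernel budget ends, which is why the Processes list repeats the same four command lines with nothing new after the first generation.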

Network

Country Destination Domain Proto Count
N/A 93.184.221.240:80 N/A tcp 4
N/A 104.80.225.205:443 N/A tcp 1
N/A 51.132.193.104:443 N/A tcp 1
N/A 8.8.8.8:53 ip-api.com udp 1
N/A 208.95.112.1:80 ip-api.com tcp 1
N/A 8.8.8.8:53 newmoney2033.duckdns.org udp 1
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp 15
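
The network table separates into three groups: the external-IP lookup against ip-api.com, DNS resolution through 8.8.8.8, and the repeated TCP sessions to newmoney2033.duckdns.org on port 5000, which is the C2. The Python below is an added example, not sandbox tooling: it parses rows in the report's own format (domain column present or absent, "N/A" treated as absent), counts repeats, tags each flow, isolates the C2 candidates, and emits Suricata rules for them. The constructed input is the distinct rows of the table above with the two busiest destinations repeated once; the dynamic-DNS suffixes, IP-lookup hosts, resolver list and "common ports" set are assumptions a responder tunes locally, and the rule shape assumes a Suricata release with the dns.query sticky buffer (5.0 or later).

```python
import re
from collections import Counter

# Constructed input: distinct rows of the Network table above, with the two
# busiest destinations repeated once each to exercise the counting.
NETWORK_ROWS = '''
N/A 93.184.221.240:80 tcp
N/A 104.80.225.205:443 tcp
N/A 51.132.193.104:443 tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 newmoney2033.duckdns.org udp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 93.184.221.240:80 tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
'''

# Row format: <country> <ip>:<port> [<domain>] <proto>; the domain column is
# missing (or "N/A") when the sandbox saw no DNS lookup for the destination.
ROW_RE = re.compile(
    r'^(?P<country>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
    r'(?: (?P<domain>[^\s:]+))? (?P<proto>tcp|udp)$'
)
# Assumptions a responder maintains locally, not facts from the report.
DYNDNS_SUFFIXES = ('.duckdns.org', '.no-ip.com', '.ddns.net', '.hopto.org')
IP_LOOKUP_HOSTS = {'ip-api.com', 'api.ipify.org', 'checkip.dyndns.org'}
PUBLIC_RESOLVERS = {'8.8.8.8', '8.8.4.4', '1.1.1.1'}
COMMON_PORTS = {53, 80, 443}


def parse_rows(text):
    """Counter of (ip, port, domain_or_None, proto) -> number of rows seen."""
    flows = Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        domain = None if m['domain'] in (None, 'N/A') else m['domain']
        flows[(m['ip'], int(m['port']), domain, m['proto'])] += 1
    return flows


def classify(flow):
    """Tags for one flow; an empty list means nothing notable about it."""
    ip, port, domain, proto = flow
    tags = []
    if ip in PUBLIC_RESOLVERS and port == 53:
        tags.append('dns-resolution')
    if domain in IP_LOOKUP_HOSTS:
        tags.append('external-ip-lookup')
    if domain and domain.lower().endswith(DYNDNS_SUFFIXES):
        tags.append('dynamic-dns')
    if proto == 'tcp' and port not in COMMON_PORTS:
        tags.append('non-standard-port')
    return tags


def c2_candidates(text):
    """Connections (not the DNS lookups that preceded them) to dynamic-DNS names,
    busiest first: [(domain, ip, port, rows)]."""
    out = []
    for flow, n in parse_rows(text).items():
        tags = classify(flow)
        if 'dynamic-dns' in tags and 'dns-resolution' not in tags:
            out.append((flow[2], flow[0], flow[1], n))
    return sorted(out, key=lambda t: -t[3])


def suricata_rules(text, base_sid=9000001):
    """One DNS-query rule per C2 domain and one flow rule per C2 ip:port."""
    rules, sid = [], base_sid
    for domain, ip, port, _ in c2_candidates(text):
        rules.append(f'alert dns any any -> any any (msg:"WSHRAT C2 domain {domain}"; '
                     f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"WSHRAT C2 {ip}:{port}"; '
                     f'flow:to_server,established; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == '__main__':
    for flow, n in parse_rows(NETWORK_ROWS).items():
        print(n, flow, classify(flow))
    print('\n'.join(suricata_rules(NETWORK_ROWS)))
```

The DNS rule is the durable one: duckdns names re-point at will, so the 192.99.255.74 rule will age out before the domain does, and the three destinations with no recorded domain (93.184.221.240, 104.80.225.205, 51.132.193.104) are left untagged rather than guessed at, since the report gives no hostname for them.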

Files

memory/1324-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe

MD5 65c10353f3a1e04ba6544d0bdd067407
SHA1 c934cd3938f7d5f58355f62f16178a0f83be6e8e
SHA256 1022157457ef772806e5539771e7360e736a9f48efe4e6518fffb25098e785ec
SHA512 e7b9e3bad7b0260c0b0c92ee0db6d00c56f9ce9eef6945063778ebec7b8091c7a94155d78e2b9b81bf2c0d2e4459b7e3862cb002b6bfe0e12da9c45a7cd1ceb8

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

memory/4300-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe (written a second time; MD5, SHA1, SHA256 and SHA512 identical to the entry above)

C:\Users\Admin\AppData\Local\Temp\10_92\hfljhvpnk.pdf

MD5 db84a61a890022c3d7c881d43591911c
SHA1 664dc6c1f53077284c8fc88ecc3ae889e01b070b
SHA256 6fd431f51071ebb6b51dd3eb0bdc30a8bc78c9e02032dfbc80e6f6224c3aa81e
SHA512 29974508ba6008cb18284468fbc7da1b6e8fb45b71bb2f4fa046d20e3b8221b6da3f3a60ca47675d37a48737c1bc59686949a42862177463e6e713bc7a79f110

C:\Users\Admin\AppData\Local\Temp\10_92\cnmkv.msc

MD5 4a5a98a7a692404cbd3d5793472f2d7c
SHA1 116d732a0e062a8b4e2d31e7df4a1a3203a2f660
SHA256 9c3286e5b43ae3e2ae92eb6bec7e5e9b369414d0b65a1ed3268f77992c4cac7c
SHA512 a4382ea8096e4f312d947385f3a97f679926f89d4984415add94d6dec3b0de3ee0af97986d14ac06401b03070f2cb712c6204b63f91cf919651de68363b24b1d

C:\Users\Admin\AppData\Local\Temp\10_92\ombc.ker

MD5 fd775de8230221944054064964e45a81
SHA1 9074aee9eee109f2cba14b41255077923c83e5a6
SHA256 a1a2726dd8d6c212981763ee5f27e3aff624f3c5c42bdf5f86c85e175c3109dd
SHA512 4a7b33a6a7cdd273d16e9e5d9f03cb4a656c47b9ef4222a17b89c9e5c74ae538b5928b0207823b71e23f5dfd2fe1300e6ad51d30849531cc96d8ae71ed0356f3

memory/5052-143-0x0000000000000000-mapping.dmp

memory/5052-144-0x0000000000D00000-0x000000000127F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/5052-147-0x0000000000D00000-0x0000000000D8A000-memory.dmp

memory/4568-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/5084-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/2044-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs

MD5 b9dd80c0a5131937d5bd1fc33d499d06
SHA1 3158321e7b63e78b86dbd9226156717f9f3c246f
SHA256 2e97c4a44b5ea5a035cf3ae37bd36e77e5aec35f49967868d0802dbfd0e9a0bb
SHA512 634ffd92d13d077b348fb1254d42b3c5b8dd11017cfc34c28197a93e1d5223c832519e9f94d0a5047e86d01f07af7b7f3b148370d14d9dcf1fe206a312a948ea

memory/4752-155-0x0000000000000000-mapping.dmp

memory/3444-157-0x0000000000000000-mapping.dmp

memory/3444-158-0x0000000000600000-0x0000000000C50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3444-162-0x0000000000600000-0x000000000068A000-memory.dmp

memory/3836-163-0x0000000000000000-mapping.dmp

memory/3336-165-0x0000000000000000-mapping.dmp

memory/4804-166-0x0000000000000000-mapping.dmp

memory/4612-168-0x0000000000000000-mapping.dmp

memory/5112-171-0x0000000000000000-mapping.dmp

memory/5112-172-0x0000000000500000-0x0000000000A2B000-memory.dmp

memory/5112-175-0x0000000000500000-0x000000000058A000-memory.dmp

memory/1076-176-0x0000000000000000-mapping.dmp

memory/4120-180-0x0000000000000000-mapping.dmp

memory/1488-178-0x0000000000000000-mapping.dmp

memory/3548-182-0x0000000000000000-mapping.dmp

memory/2648-184-0x0000000000000000-mapping.dmp

memory/2648-185-0x0000000000980000-0x0000000000F02000-memory.dmp

memory/2648-188-0x0000000000980000-0x0000000000A0A000-memory.dmp

memory/2324-189-0x0000000000000000-mapping.dmp

memory/4868-191-0x0000000000000000-mapping.dmp

memory/3140-193-0x0000000000000000-mapping.dmp

memory/1284-194-0x0000000000000000-mapping.dmp

memory/4836-197-0x0000000000000000-mapping.dmp

memory/4836-198-0x0000000000960000-0x0000000001049000-memory.dmp

memory/4836-201-0x0000000000960000-0x00000000009EA000-memory.dmp

memory/4032-202-0x0000000000000000-mapping.dmp

memory/1324-204-0x0000000000000000-mapping.dmp

memory/396-206-0x0000000000000000-mapping.dmp

memory/2896-207-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-16 08:41

Reported

2022-11-16 08:43

Platform

win7-20220812-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe C:\Windows\SysWOW64\WScript.exe
PID 1868 wrote to memory of 1640 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 1640 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1804 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1252 wrote to memory of 636 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 1640 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe
PID 1760 wrote to memory of 1688 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 1688 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1632 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 820 wrote to memory of 1704 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 1688 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe
PID 1712 wrote to memory of 1424 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 1424 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe

"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" hfljhvpnk.pdf

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 newmoney2033.duckdns.org udp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 tcp

Files
