Analysis Overview
SHA256: fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16
Threat Level: Known bad
The file IMG-NEW-PO-LIST-993837665598576.exe was found to be: Known bad.
Malicious Activity Summary
WSHRAT payload
WSHRAT
Blocklisted process makes network request
Executes dropped EXE
Disables Task Manager via registry modification
Drops startup file
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-11-16 08:41
Signatures
Analysis: behavioral2
Detonation Overview
Submitted: 2022-11-16 08:41
Reported: 2022-11-16 08:43
Platform: win10v2004-20220901-en
Max time kernel: 142s
Max time network: 152s
Command Line
Signatures
WSHRAT
WSHRAT payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4300 set thread context of 5052 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 4752 set thread context of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 4612 set thread context of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 3548 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 1284 set thread context of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe | "C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe" |
| C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | "C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" hfljhvpnk.pdf |
| C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe" |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs" |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs" |
| C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | "C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF |
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 51.132.193.104:443 | | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | newmoney2033.duckdns.org | udp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
Files
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
memory/2648-188-0x0000000000980000-0x0000000000A0A000-memory.dmp
memory/2324-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/4868-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/3140-193-0x0000000000000000-mapping.dmp
memory/1284-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/4836-197-0x0000000000000000-mapping.dmp
memory/4836-198-0x0000000000960000-0x0000000001049000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA1 | 1969771b2f022f9a86d77ac4d4d239becdf08d07 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA1 | 1969771b2f022f9a86d77ac4d4d239becdf08d07 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
memory/4836-201-0x0000000000960000-0x00000000009EA000-memory.dmp
memory/4032-202-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1324-204-0x0000000000000000-mapping.dmp
memory/396-206-0x0000000000000000-mapping.dmp
memory/2896-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-16 08:41
Reported
2022-11-16 08:43
Platform
win7-20220812-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
WSHRAT
WSHRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1640 set thread context of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 1688 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 1424 set thread context of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 568 set thread context of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" hfljhvpnk.pdf
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | newmoney2033.duckdns.org | udp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | N/A | tcp |
Files
memory/1376-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
memory/1868-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe
| MD5 | 65c10353f3a1e04ba6544d0bdd067407 |
| SHA1 | c934cd3938f7d5f58355f62f16178a0f83be6e8e |
| SHA256 | 1022157457ef772806e5539771e7360e736a9f48efe4e6518fffb25098e785ec |
| SHA512 | e7b9e3bad7b0260c0b0c92ee0db6d00c56f9ce9eef6945063778ebec7b8091c7a94155d78e2b9b81bf2c0d2e4459b7e3862cb002b6bfe0e12da9c45a7cd1ceb8 |
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/1640-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
C:\Users\Admin\AppData\Local\Temp\10_92\hfljhvpnk.pdf
| MD5 | db84a61a890022c3d7c881d43591911c |
| SHA1 | 664dc6c1f53077284c8fc88ecc3ae889e01b070b |
| SHA256 | 6fd431f51071ebb6b51dd3eb0bdc30a8bc78c9e02032dfbc80e6f6224c3aa81e |
| SHA512 | 29974508ba6008cb18284468fbc7da1b6e8fb45b71bb2f4fa046d20e3b8221b6da3f3a60ca47675d37a48737c1bc59686949a42862177463e6e713bc7a79f110 |
C:\Users\Admin\AppData\Local\Temp\10_92\cnmkv.msc
| MD5 | 4a5a98a7a692404cbd3d5793472f2d7c |
| SHA1 | 116d732a0e062a8b4e2d31e7df4a1a3203a2f660 |
| SHA256 | 9c3286e5b43ae3e2ae92eb6bec7e5e9b369414d0b65a1ed3268f77992c4cac7c |
| SHA512 | a4382ea8096e4f312d947385f3a97f679926f89d4984415add94d6dec3b0de3ee0af97986d14ac06401b03070f2cb712c6204b63f91cf919651de68363b24b1d |
C:\Users\Admin\AppData\Local\Temp\10_92\ombc.ker
| MD5 | fd775de8230221944054064964e45a81 |
| SHA1 | 9074aee9eee109f2cba14b41255077923c83e5a6 |
| SHA256 | a1a2726dd8d6c212981763ee5f27e3aff624f3c5c42bdf5f86c85e175c3109dd |
| SHA512 | 4a7b33a6a7cdd273d16e9e5d9f03cb4a656c47b9ef4222a17b89c9e5c74ae538b5928b0207823b71e23f5dfd2fe1300e6ad51d30849531cc96d8ae71ed0356f3 |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1804-67-0x0000000000400000-0x0000000000A49000-memory.dmp
memory/1804-69-0x0000000000400000-0x0000000000A49000-memory.dmp
memory/1804-70-0x00000000004842BE-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1804-73-0x0000000000400000-0x0000000000A49000-memory.dmp
memory/1804-75-0x0000000000400000-0x0000000000A49000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1804-77-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1252-78-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/636-81-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1760-85-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs
| MD5 | b9dd80c0a5131937d5bd1fc33d499d06 |
| SHA1 | 3158321e7b63e78b86dbd9226156717f9f3c246f |
| SHA256 | 2e97c4a44b5ea5a035cf3ae37bd36e77e5aec35f49967868d0802dbfd0e9a0bb |
| SHA512 | 634ffd92d13d077b348fb1254d42b3c5b8dd11017cfc34c28197a93e1d5223c832519e9f94d0a5047e86d01f07af7b7f3b148370d14d9dcf1fe206a312a948ea |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/1688-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1632-94-0x00000000003D0000-0x0000000000AF2000-memory.dmp
memory/1632-96-0x00000000003D0000-0x0000000000AF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1632-97-0x00000000004542BE-mapping.dmp
memory/1632-100-0x00000000003D0000-0x0000000000AF2000-memory.dmp
memory/1632-102-0x00000000003D0000-0x0000000000AF2000-memory.dmp
memory/1632-104-0x00000000003D0000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/820-105-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1704-108-0x0000000000000000-mapping.dmp
memory/1712-110-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/1424-113-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | 5799231ee3dfc556a31f8b4e864dfcb9 |
| SHA1 | 2fc62184524f06e69e7357d40e71c6b950c64cb7 |
| SHA256 | 5b4f3a36e921cfe114a5e6c85944abcdb59f62039f1c60beffc37fe0c300d174 |
| SHA512 | 3ac0c579f95877afeaa1c530b4336342356d26db53a69da8055e8295a2011c43cf1a84203da357a542865a30bdc7486474a10696c3a496be6d837c1549504b77 |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/320-118-0x0000000000360000-0x0000000000A5C000-memory.dmp
memory/320-120-0x0000000000360000-0x0000000000A5C000-memory.dmp
memory/320-121-0x00000000003E42BE-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/320-124-0x0000000000360000-0x0000000000A5C000-memory.dmp
memory/320-126-0x0000000000360000-0x0000000000A5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/320-128-0x0000000000360000-0x00000000003EA000-memory.dmp
memory/1192-129-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/384-132-0x0000000000000000-mapping.dmp
memory/680-134-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/568-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1656-142-0x0000000000370000-0x00000000008C7000-memory.dmp
memory/1656-144-0x0000000000370000-0x00000000008C7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1656-145-0x00000000003F42BE-mapping.dmp
memory/1656-148-0x0000000000370000-0x00000000008C7000-memory.dmp
memory/1656-150-0x0000000000370000-0x00000000008C7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1656-152-0x0000000000370000-0x00000000003FA000-memory.dmp
memory/1096-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/616-156-0x0000000000000000-mapping.dmp
memory/1808-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/384-162-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |