Malware Analysis Report

2025-01-18 12:20

Sample ID 221116-kmp7dadg4s
Target IMG-NEW-PO-LIST-993837665598576.exe
SHA256 fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16
Tags
wshrat evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16

Threat Level: Known bad

The file IMG-NEW-PO-LIST-993837665598576.exe was found to be: Known bad.

Malicious Activity Summary

wshrat evasion persistence trojan

WSHRAT payload

WSHRAT

Blocklisted process makes network request

Executes dropped EXE

Disables Task Manager via registry modification

Loads dropped DLL

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-16 08:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-16 08:43

Reported

2022-11-16 08:45

Platform

win7-20220812-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target
(nine matches recorded; the export carries no description, indicator, process or target for any of them, all columns N/A)

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File opened for modification (x3) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A
File created (x1) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created (x4) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A
Key created (x5) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created (x5) \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) (x5) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) (x5) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) (x4) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A

The 28 rows above collapse to six distinct operations. Two independent autostart entries are created: the WSH script WmBqH.vbs, registered as a Run value named WmBqH in both the user hive and HKLM (the "//B" switch runs wscript.exe in batch mode, so no script error dialogs ever surface), and the dropper jbdg.exe, registered under HKLM with the value name WindowsUpdate and re-launched with its original argument (HFLJHV~1.PDF is the 8.3 short name of the dropped hfljhvpnk.pdf). The HKLM values land under Wow6432Node because every writer in the chain is a 32-bit process; they succeeded here because the sandbox user is an administrator, so on a standard-user host expect only the user-hive value plus the Startup-folder copy listed above. The backslashes and quotes in the value data are doubled by the export; the values as stored contain single backslashes.
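Both persistence mechanisms recorded above (the Startup-folder copy of WmBqH.vbs and the Run values WmBqH and WindowsUpdate) can be detected from endpoint telemetry without relying on a hash. The following Python is an added example written for this page; it is not part of the sandbox report or of any sandbox's detection logic. It assumes Sysmon-style registry-set (EventID 13) and file-create (EventID 11) records with the fields Image, TargetObject, Details and TargetFilename; the sample events it runs over are constructed from this report's indicators plus two benign controls.

```python
"""Detect the two autostart mechanisms this report records: a Run value that
launches a WSH script silently from a user-writable path, and a script dropped
into the Start Menu Startup folder.  Events are dicts shaped like Sysmon
registry (EventID 13) and file-create (EventID 11) records; SAMPLE_EVENTS is
constructed from this report's indicators, not a real Sysmon export.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.I)
# Locations a standard user can write to; the sandbox shows AppData\Local\Temp and Roaming.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Temp)\\", re.I)
WSH_HOST_RE = re.compile(r'(?:^|[\\"])[wc]script(?:\.exe)?\b', re.I)
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh)\b", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SILENT_RE = re.compile(r"\s//b\b", re.I)   # wscript //B: batch mode, no error dialogs


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def unescape(value: str) -> str:
    """Sandbox exports (including this report) escape quotes and double the
    backslashes in registry data; Sysmon logs the raw value.  Accept both."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def check_registry_set(ev: dict) -> list[Finding]:
    m = RUN_KEY_RE.search(ev["TargetObject"])
    if not m:
        return []
    name, data = m.group("name"), unescape(ev["Details"])
    if WSH_HOST_RE.search(data) and SCRIPT_EXT_RE.search(data):
        flags = []
        if SILENT_RE.search(data):
            flags.append("silent")
        if USER_WRITABLE_RE.search(data):
            flags.append("script in user-writable path")
        return [Finding("run_key_wsh_script", ev["Image"],
                        f"{name} = {data} [{', '.join(flags) or 'no extra flags'}]")]
    # Any other Run value that points at an executable under a user-writable path,
    # whatever the value is called (here "WindowsUpdate" -> %TEMP%\10_92\jbdg.exe).
    if USER_WRITABLE_RE.search(data) and re.search(r"\.exe\b", data, re.I):
        return [Finding("run_key_exe_in_user_path", ev["Image"], f"{name} = {data}")]
    return []


def check_file_create(ev: dict) -> list[Finding]:
    target = ev["TargetFilename"]
    if STARTUP_DIR_RE.search(target) and SCRIPT_EXT_RE.search(target):
        return [Finding("startup_folder_script", ev["Image"], target)]
    return []


def scan(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev["EventID"] == 13:
            findings += check_registry_set(ev)
        elif ev["EventID"] == 11:
            findings += check_file_create(ev)
    return findings


WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
SAMPLE_EVENTS = [  # constructed from the report's indicators
    {"EventID": 13, "Image": WSCRIPT,
     "TargetObject": r"HKU\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH",
     "Details": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\10_92\HFLJHV~1.PDF"},
    {"EventID": 11, "Image": WSCRIPT,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs"},
    # Benign controls: a vendor Run value under System32 and an ordinary download.
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\Admin\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.process}  {f.detail}")
```

The WSH rule keys on three things at once, so a legitimate logon script registered by an administrator (no //B, not under AppData) produces a finding without the "silent" and "user-writable" flags and can be triaged apart from this sample; the second rule catches the WindowsUpdate value purely on where its target lives, which is the check that survives a rename of the value.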

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A (x34, all instances of jbdg.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 740 wrote to memory of 1124 (x4) N/A C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe C:\Windows\SysWOW64\WScript.exe
PID 1124 wrote to memory of 1492 (x4) N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 1492 wrote to memory of 1704 (x9) N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1704 wrote to memory of 1616 (x4) N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1616 wrote to memory of 1272 (x4) N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 1492 wrote to memory of 1460 (x4) N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe
PID 1460 wrote to memory of 1416 (x4) N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 1416 wrote to memory of 1472 (x9) N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1472 wrote to memory of 1308 (x4) N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1308 wrote to memory of 1656 (x4) N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 1416 wrote to memory of 1364 (x4) N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe
PID 1364 wrote to memory of 396 (x4) N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 396 wrote to memory of 960 (x6) N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

The 64 rows above collapse to thirteen parent-to-child pairs. Every ordinary pair in the chain shows exactly four writes, whatever the child is; the two completed jbdg.exe -> RegSvcs.exe pairs show nine, and RegSvcs.exe is the only child that is a copy of a .NET Framework utility running from the user's Temp directory (a genuine RegSvcs.exe lives under C:\Windows\Microsoft.NET\Framework\<version>\, so that path alone is a high-confidence indicator). Together with the "Suspicious use of SetThreadContext" signature in the overview and the RegSvcs.exe memory dumps under Files, this is the process-hollowing pattern: RegSvcs.exe is the host process, and the code that then launches WmBqH.vbs was written into it by jbdg.exe rather than loaded from RegSvcs.exe on disk. The third pair, 396 -> 960, stops at six writes, presumably because the 150 s run ended while that instance was being set up.
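To make a table like the one above actionable, the parent/child pairs are rebuilt into a tree and the pairs that look like hollowing are separated from plain process creation. The following Python is an added example, not the sandbox's code. Its row parser matches the layout of this report's WriteProcessMemory rows; the list of .NET host binaries, their expected directory under C:\Windows\Microsoft.NET\Framework, and the use of the most common per-pair write count as the process-creation baseline are this example's own heuristics, and the rows it runs over are constructed from the pairs above.

```python
"""Rebuild the process chain from a sandbox's "PID A wrote to memory of B" rows
and pick out the pairs that look like process hollowing rather than plain
process creation.  The row parser matches this report's layout; the hollowing
heuristics (known .NET host binaries, their expected directory, the write-count
baseline) are this example's own assumptions, not the sandbox's logic.
"""
from __future__ import annotations
import ntpath
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# .NET Framework utilities commonly used as hollowing hosts, and where genuine copies live.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
DOTNET_DIR_RE = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(?:64)?\\v[\d.]+\\", re.I)


def parse_rows(text: str) -> tuple[dict[int, str], Counter]:
    """Return {pid: image path} and a Counter of (writer_pid, target_pid) -> write count.
    Paths in this report contain no spaces; a real export may need a smarter split."""
    images: dict[int, str] = {}
    writes: Counter = Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = int(m[1]), int(m[2]), m[3], m[4]
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        writes[(src, dst)] += 1
    return images, writes


def write_baseline(writes: Counter) -> int:
    """Most common per-pair write count: what ordinary process creation costs in this run."""
    return Counter(writes.values()).most_common(1)[0][0]


def hollowing_candidates(images: dict[int, str], writes: Counter) -> list[tuple[int, int, list[str]]]:
    baseline = write_baseline(writes)
    out = []
    for (src, dst), n in writes.items():
        img = images[dst]
        reasons = []
        if ntpath.basename(img).lower() in DOTNET_HOSTS and not DOTNET_DIR_RE.match(img):
            reasons.append(f"{ntpath.basename(img)} outside the .NET Framework directory")
        if n > baseline:
            reasons.append(f"{n} writes into child, baseline {baseline}")
        if reasons:
            out.append((src, dst, reasons))
    return out


def tree(images: dict[int, str], writes: Counter, root: int) -> list[str]:
    """Indented parent -> child listing starting at root, one line per process."""
    children = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {ntpath.basename(images[pid])}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


# Constructed from the report's table: (writer, target, writer image, target image, rows).
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
JBDG = r"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe"
REGSVCS = r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
SAMPLE_PAIRS = [
    (740, 1124, SAMPLE_EXE, WSCRIPT, 4), (1124, 1492, WSCRIPT, JBDG, 4),
    (1492, 1704, JBDG, REGSVCS, 9), (1704, 1616, REGSVCS, WSCRIPT, 4),
    (1616, 1272, WSCRIPT, WSCRIPT, 4), (1492, 1460, JBDG, WSCRIPT, 4),
    (1460, 1416, WSCRIPT, JBDG, 4), (1416, 1472, JBDG, REGSVCS, 9),
]
SAMPLE_ROWS = "\n".join(f"PID {s} wrote to memory of {d} N/A {si} {di}"
                        for s, d, si, di, n in SAMPLE_PAIRS for _ in range(n))

if __name__ == "__main__":
    imgs, w = parse_rows(SAMPLE_ROWS)
    print("\n".join(tree(imgs, w, 740)))
    for src, dst, why in hollowing_candidates(imgs, w):
        print(f"{src} -> {dst}: " + "; ".join(why))
```

Deriving the baseline from the run itself, rather than hard-coding four, matters because the number of writes an ordinary CreateProcess produces depends on the sandbox's hooking and on the child's bitness; the two checks are independent, so a RegSvcs.exe in the right directory with an unusual write count, or one in Temp with the normal count, is still reported with the reason that applied.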

Processes

Process chain, reconstructed from the command lines recorded for this run and the parent-to-child pairs in the WriteProcessMemory table above (PIDs are the ones that table records; the later iterations of the loop have no PIDs there and are marked "no PID"). Every command line names C:\Windows\System32\WScript.exe while the image that actually ran is C:\Windows\SysWOW64\WScript.exe: the launching processes are 32-bit, so WOW64 file-system redirection maps System32 to SysWOW64. Hunt on both paths.

PID 740  C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"
  PID 1124  C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe"
    PID 1492  C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
        "C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" hfljhvpnk.pdf
      PID 1704  C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        PID 1616  C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
          PID 1272  C:\Windows\SysWOW64\wscript.exe
              "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
      PID 1460  C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
        PID 1416  C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
            "C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
          PID 1472  C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
              "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            PID 1308  C:\Windows\SysWOW64\wscript.exe
                "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
              PID 1656  C:\Windows\SysWOW64\wscript.exe
                  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
          PID 1364  C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
            PID 396  C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
                "C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
              PID 960  C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                  "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
                no PID  C:\Windows\SysWOW64\wscript.exe
                    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
                  no PID  C:\Windows\SysWOW64\wscript.exe
                      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
              no PID  C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
                no PID  C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
                    "C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
                  no PID  C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
                    no PID  C:\Windows\SysWOW64\wscript.exe
                        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
                      no PID  C:\Windows\SysWOW64\wscript.exe
                          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
                  no PID  C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
                    no PID  C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
                        "C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF

The chain is a loop: each jbdg.exe instance hollows a RegSvcs.exe (which launches the WSHRAT script WmBqH.vbs, first visibly and then a second copy under //B) and, in parallel, runs run.vbs, which re-launches jbdg.exe with HFLJHV~1.PDF. The 150 s run captured 23 processes across four and a half iterations; on a live host this keeps going.

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 newmoney2033.duckdns.org udp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp (x12)
N/A 192.99.255.74:5000 N/A tcp (x1, domain not recorded for this row)

Order of events: one DNS lookup and one plain-HTTP request to ip-api.com (the "Looks up external IP address via web service" signature), then a lookup of the dynamic-DNS name newmoney2033.duckdns.org and thirteen TCP connections to 192.99.255.74 on port 5000 within the 150 s run, consistent with a WSHRAT check-in loop. The IP behind a duckdns.org name can change at any time; the hostname and the non-standard port are the stable indicators, and the ip-api.com request immediately preceding the first C2 connection is a useful sequence to alert on.

Files

memory/740-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

memory/1124-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe

MD5 65c10353f3a1e04ba6544d0bdd067407
SHA1 c934cd3938f7d5f58355f62f16178a0f83be6e8e
SHA256 1022157457ef772806e5539771e7360e736a9f48efe4e6518fffb25098e785ec
SHA512 e7b9e3bad7b0260c0b0c92ee0db6d00c56f9ce9eef6945063778ebec7b8091c7a94155d78e2b9b81bf2c0d2e4459b7e3862cb002b6bfe0e12da9c45a7cd1ceb8

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

memory/1492-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

C:\Users\Admin\AppData\Local\Temp\10_92\hfljhvpnk.pdf

MD5 db84a61a890022c3d7c881d43591911c
SHA1 664dc6c1f53077284c8fc88ecc3ae889e01b070b
SHA256 6fd431f51071ebb6b51dd3eb0bdc30a8bc78c9e02032dfbc80e6f6224c3aa81e
SHA512 29974508ba6008cb18284468fbc7da1b6e8fb45b71bb2f4fa046d20e3b8221b6da3f3a60ca47675d37a48737c1bc59686949a42862177463e6e713bc7a79f110

C:\Users\Admin\AppData\Local\Temp\10_92\cnmkv.msc

MD5 4a5a98a7a692404cbd3d5793472f2d7c
SHA1 116d732a0e062a8b4e2d31e7df4a1a3203a2f660
SHA256 9c3286e5b43ae3e2ae92eb6bec7e5e9b369414d0b65a1ed3268f77992c4cac7c
SHA512 a4382ea8096e4f312d947385f3a97f679926f89d4984415add94d6dec3b0de3ee0af97986d14ac06401b03070f2cb712c6204b63f91cf919651de68363b24b1d

C:\Users\Admin\AppData\Local\Temp\10_92\ombc.ker

MD5 fd775de8230221944054064964e45a81
SHA1 9074aee9eee109f2cba14b41255077923c83e5a6
SHA256 a1a2726dd8d6c212981763ee5f27e3aff624f3c5c42bdf5f86c85e175c3109dd
SHA512 4a7b33a6a7cdd273d16e9e5d9f03cb4a656c47b9ef4222a17b89c9e5c74ae538b5928b0207823b71e23f5dfd2fe1300e6ad51d30849531cc96d8ae71ed0356f3

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1704-67-0x00000000003C0000-0x0000000000867000-memory.dmp

memory/1704-69-0x00000000003C0000-0x0000000000867000-memory.dmp

memory/1704-70-0x00000000004442BE-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1704-73-0x00000000003C0000-0x0000000000867000-memory.dmp

memory/1704-75-0x00000000003C0000-0x0000000000867000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1704-77-0x00000000003C0000-0x000000000044A000-memory.dmp

memory/1616-78-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1272-81-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1460-85-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs

MD5 b9dd80c0a5131937d5bd1fc33d499d06
SHA1 3158321e7b63e78b86dbd9226156717f9f3c246f
SHA256 2e97c4a44b5ea5a035cf3ae37bd36e77e5aec35f49967868d0802dbfd0e9a0bb
SHA512 634ffd92d13d077b348fb1254d42b3c5b8dd11017cfc34c28197a93e1d5223c832519e9f94d0a5047e86d01f07af7b7f3b148370d14d9dcf1fe206a312a948ea

\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

memory/1416-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1472-93-0x0000000000380000-0x000000000084C000-memory.dmp

memory/1472-95-0x0000000000380000-0x000000000084C000-memory.dmp

memory/1472-96-0x00000000004042BE-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1472-99-0x0000000000380000-0x000000000084C000-memory.dmp

memory/1472-101-0x0000000000380000-0x000000000084C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1472-103-0x0000000000380000-0x000000000040A000-memory.dmp

memory/1308-104-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1656-107-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1364-109-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

memory/396-113-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/960-118-0x00000000004C0000-0x0000000000BAC000-memory.dmp

memory/960-120-0x00000000004C0000-0x0000000000BAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/960-121-0x00000000005442BE-mapping.dmp

memory/960-124-0x00000000004C0000-0x0000000000BAC000-memory.dmp

memory/960-128-0x00000000004C0000-0x000000000054A000-memory.dmp

memory/960-126-0x00000000004C0000-0x0000000000BAC000-memory.dmp

memory/2008-129-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1500-132-0x0000000000000000-mapping.dmp

memory/1628-134-0x0000000000000000-mapping.dmp

memory/1712-137-0x0000000000000000-mapping.dmp

memory/1140-142-0x00000000003D0000-0x000000000089D000-memory.dmp

memory/1140-144-0x00000000003D0000-0x000000000089D000-memory.dmp

memory/1140-145-0x00000000004542BE-mapping.dmp

memory/1140-148-0x00000000003D0000-0x000000000089D000-memory.dmp

memory/1140-150-0x00000000003D0000-0x000000000089D000-memory.dmp

memory/1140-152-0x00000000003D0000-0x000000000045A000-memory.dmp

memory/1476-153-0x0000000000000000-mapping.dmp

memory/1756-154-0x0000000000000000-mapping.dmp

memory/1720-157-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-16 08:43

Reported

2022-11-16 08:45

Platform

win10v2004-20221111-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"

Signatures

WSHRAT

trojan wshrat

WSHRAT payload

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe C:\Windows\SysWOW64\WScript.exe
PID 4500 wrote to memory of 4224 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 4224 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3144 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1388 wrote to memory of 3380 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 4224 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe
PID 3784 wrote to memory of 2728 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 2728 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1684 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 576 wrote to memory of 3500 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 2728 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe
PID 920 wrote to memory of 4684 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 4684 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1628 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 2352 wrote to memory of 2996 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 4684 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Windows\SysWOW64\WScript.exe
PID 2988 wrote to memory of 3056 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
PID 3056 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 4980 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe

"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" hfljhvpnk.pdf

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF

Network

Country  Destination          Domain                     Proto
N/A      8.248.99.254:80                                 tcp
N/A      20.42.65.88:443                                 tcp
N/A      8.8.8.8:53           ip-api.com                 udp
N/A      208.95.112.1:80      ip-api.com                 tcp
N/A      8.8.8.8:53           newmoney2033.duckdns.org   udp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      8.238.20.126:80                                 tcp
N/A      8.238.20.126:80                                 tcp
N/A      8.238.20.126:80                                 tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      104.80.225.205:443                              tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp
N/A      192.99.255.74:5000   newmoney2033.duckdns.org   tcp

Files

memory/4500-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe

MD5 65c10353f3a1e04ba6544d0bdd067407
SHA1 c934cd3938f7d5f58355f62f16178a0f83be6e8e
SHA256 1022157457ef772806e5539771e7360e736a9f48efe4e6518fffb25098e785ec
SHA512 e7b9e3bad7b0260c0b0c92ee0db6d00c56f9ce9eef6945063778ebec7b8091c7a94155d78e2b9b81bf2c0d2e4459b7e3862cb002b6bfe0e12da9c45a7cd1ceb8

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

memory/4224-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

C:\Users\Admin\AppData\Local\Temp\10_92\hfljhvpnk.pdf

MD5 db84a61a890022c3d7c881d43591911c
SHA1 664dc6c1f53077284c8fc88ecc3ae889e01b070b
SHA256 6fd431f51071ebb6b51dd3eb0bdc30a8bc78c9e02032dfbc80e6f6224c3aa81e
SHA512 29974508ba6008cb18284468fbc7da1b6e8fb45b71bb2f4fa046d20e3b8221b6da3f3a60ca47675d37a48737c1bc59686949a42862177463e6e713bc7a79f110

C:\Users\Admin\AppData\Local\Temp\10_92\cnmkv.msc

MD5 4a5a98a7a692404cbd3d5793472f2d7c
SHA1 116d732a0e062a8b4e2d31e7df4a1a3203a2f660
SHA256 9c3286e5b43ae3e2ae92eb6bec7e5e9b369414d0b65a1ed3268f77992c4cac7c
SHA512 a4382ea8096e4f312d947385f3a97f679926f89d4984415add94d6dec3b0de3ee0af97986d14ac06401b03070f2cb712c6204b63f91cf919651de68363b24b1d

C:\Users\Admin\AppData\Local\Temp\10_92\ombc.ker

MD5 fd775de8230221944054064964e45a81
SHA1 9074aee9eee109f2cba14b41255077923c83e5a6
SHA256 a1a2726dd8d6c212981763ee5f27e3aff624f3c5c42bdf5f86c85e175c3109dd
SHA512 4a7b33a6a7cdd273d16e9e5d9f03cb4a656c47b9ef4222a17b89c9e5c74ae538b5928b0207823b71e23f5dfd2fe1300e6ad51d30849531cc96d8ae71ed0356f3

memory/3144-140-0x0000000000000000-mapping.dmp

memory/3144-141-0x0000000001300000-0x00000000018EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/3144-144-0x0000000001300000-0x000000000138A000-memory.dmp

memory/1388-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/3380-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/3784-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs

MD5 b9dd80c0a5131937d5bd1fc33d499d06
SHA1 3158321e7b63e78b86dbd9226156717f9f3c246f
SHA256 2e97c4a44b5ea5a035cf3ae37bd36e77e5aec35f49967868d0802dbfd0e9a0bb
SHA512 634ffd92d13d077b348fb1254d42b3c5b8dd11017cfc34c28197a93e1d5223c832519e9f94d0a5047e86d01f07af7b7f3b148370d14d9dcf1fe206a312a948ea

memory/2728-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

memory/1684-154-0x0000000000000000-mapping.dmp

memory/1684-155-0x0000000000900000-0x000000000104F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/1684-159-0x0000000000900000-0x000000000098A000-memory.dmp

memory/576-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/3500-162-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/920-164-0x0000000000000000-mapping.dmp

memory/4684-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1628-168-0x0000000000000000-mapping.dmp

memory/1628-169-0x0000000001200000-0x00000000016CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/1628-172-0x0000000001200000-0x000000000128A000-memory.dmp

memory/2352-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/2996-175-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/2988-177-0x0000000000000000-mapping.dmp

memory/3056-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/4980-181-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/4980-182-0x0000000000700000-0x0000000000BCD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/4980-185-0x0000000000700000-0x000000000078A000-memory.dmp

memory/4576-186-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/440-189-0x0000000000000000-mapping.dmp

memory/1104-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1584-191-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/4724-194-0x0000000000000000-mapping.dmp

memory/4724-195-0x0000000000400000-0x00000000008BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/4724-198-0x0000000000400000-0x000000000048A000-memory.dmp

memory/5004-199-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1028-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1032-203-0x0000000000000000-mapping.dmp

memory/2312-204-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe

MD5 440231e2782ad3138eebc85cc813fd00
SHA1 af0d3f0e253c017655c39cd2e5917b3c949d39d5
SHA256 d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c
SHA512 d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa