Analysis Overview
SHA256
fb0a09ef2540b7dfc9e6f5e17deffb65337c41429b3d2753653aad92e6df8d16
Threat Level: Known bad
The file IMG-NEW-PO-LIST-993837665598576.exe was found to be: Known bad.
Malicious Activity Summary
WSHRAT payload
WSHRAT
Blocklisted process makes network request
Executes dropped EXE
Disables Task Manager via registry modification
Loads dropped DLL
Drops startup file
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-11-16 08:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-11-16 08:43
Reported: 2022-11-16 08:45
Platform: win7-20220812-en
Max time kernel: 150s
Max time network: 153s
Command Line
Signatures
WSHRAT
WSHRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1492 set thread context of 1704 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 1416 set thread context of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 396 set thread context of 960 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 1712 set thread context of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" hfljhvpnk.pdf
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | newmoney2033.duckdns.org | udp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | N/A | tcp |
Files
memory/740-54-0x0000000075A81000-0x0000000075A83000-memory.dmp
memory/1124-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe
| MD5 | 65c10353f3a1e04ba6544d0bdd067407 |
| SHA1 | c934cd3938f7d5f58355f62f16178a0f83be6e8e |
| SHA256 | 1022157457ef772806e5539771e7360e736a9f48efe4e6518fffb25098e785ec |
| SHA512 | e7b9e3bad7b0260c0b0c92ee0db6d00c56f9ce9eef6945063778ebec7b8091c7a94155d78e2b9b81bf2c0d2e4459b7e3862cb002b6bfe0e12da9c45a7cd1ceb8 |
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/1492-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
C:\Users\Admin\AppData\Local\Temp\10_92\hfljhvpnk.pdf
| MD5 | db84a61a890022c3d7c881d43591911c |
| SHA1 | 664dc6c1f53077284c8fc88ecc3ae889e01b070b |
| SHA256 | 6fd431f51071ebb6b51dd3eb0bdc30a8bc78c9e02032dfbc80e6f6224c3aa81e |
| SHA512 | 29974508ba6008cb18284468fbc7da1b6e8fb45b71bb2f4fa046d20e3b8221b6da3f3a60ca47675d37a48737c1bc59686949a42862177463e6e713bc7a79f110 |
C:\Users\Admin\AppData\Local\Temp\10_92\cnmkv.msc
| MD5 | 4a5a98a7a692404cbd3d5793472f2d7c |
| SHA1 | 116d732a0e062a8b4e2d31e7df4a1a3203a2f660 |
| SHA256 | 9c3286e5b43ae3e2ae92eb6bec7e5e9b369414d0b65a1ed3268f77992c4cac7c |
| SHA512 | a4382ea8096e4f312d947385f3a97f679926f89d4984415add94d6dec3b0de3ee0af97986d14ac06401b03070f2cb712c6204b63f91cf919651de68363b24b1d |
C:\Users\Admin\AppData\Local\Temp\10_92\ombc.ker
| MD5 | fd775de8230221944054064964e45a81 |
| SHA1 | 9074aee9eee109f2cba14b41255077923c83e5a6 |
| SHA256 | a1a2726dd8d6c212981763ee5f27e3aff624f3c5c42bdf5f86c85e175c3109dd |
| SHA512 | 4a7b33a6a7cdd273d16e9e5d9f03cb4a656c47b9ef4222a17b89c9e5c74ae538b5928b0207823b71e23f5dfd2fe1300e6ad51d30849531cc96d8ae71ed0356f3 |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1704-67-0x00000000003C0000-0x0000000000867000-memory.dmp
memory/1704-69-0x00000000003C0000-0x0000000000867000-memory.dmp
memory/1704-70-0x00000000004442BE-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1704-73-0x00000000003C0000-0x0000000000867000-memory.dmp
memory/1704-75-0x00000000003C0000-0x0000000000867000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1704-77-0x00000000003C0000-0x000000000044A000-memory.dmp
memory/1616-78-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1272-81-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1460-85-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs
| MD5 | b9dd80c0a5131937d5bd1fc33d499d06 |
| SHA1 | 3158321e7b63e78b86dbd9226156717f9f3c246f |
| SHA256 | 2e97c4a44b5ea5a035cf3ae37bd36e77e5aec35f49967868d0802dbfd0e9a0bb |
| SHA512 | 634ffd92d13d077b348fb1254d42b3c5b8dd11017cfc34c28197a93e1d5223c832519e9f94d0a5047e86d01f07af7b7f3b148370d14d9dcf1fe206a312a948ea |
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/1416-89-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1472-93-0x0000000000380000-0x000000000084C000-memory.dmp
memory/1472-95-0x0000000000380000-0x000000000084C000-memory.dmp
memory/1472-96-0x00000000004042BE-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1472-99-0x0000000000380000-0x000000000084C000-memory.dmp
memory/1472-101-0x0000000000380000-0x000000000084C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1472-103-0x0000000000380000-0x000000000040A000-memory.dmp
memory/1308-104-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1656-107-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1364-109-0x0000000000000000-mapping.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/396-113-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/960-118-0x00000000004C0000-0x0000000000BAC000-memory.dmp
memory/960-120-0x00000000004C0000-0x0000000000BAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/960-121-0x00000000005442BE-mapping.dmp
memory/960-124-0x00000000004C0000-0x0000000000BAC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/960-128-0x00000000004C0000-0x000000000054A000-memory.dmp
memory/960-126-0x00000000004C0000-0x0000000000BAC000-memory.dmp
memory/2008-129-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1500-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1628-134-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/1712-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1140-142-0x00000000003D0000-0x000000000089D000-memory.dmp
memory/1140-144-0x00000000003D0000-0x000000000089D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1140-145-0x00000000004542BE-mapping.dmp
memory/1140-148-0x00000000003D0000-0x000000000089D000-memory.dmp
memory/1140-150-0x00000000003D0000-0x000000000089D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 0e06054beb13192588e745ee63a84173 |
| SHA1 | 30b7d4d1277bafd04a83779fd566a1f834a8d113 |
| SHA256 | c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768 |
| SHA512 | 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215 |
memory/1140-152-0x00000000003D0000-0x000000000045A000-memory.dmp
memory/1476-153-0x0000000000000000-mapping.dmp
memory/1756-154-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/1720-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
Analysis: behavioral2
Detonation Overview
Submitted: 2022-11-16 08:43
Reported: 2022-11-16 08:45
Platform: win10v2004-20221111-en
Max time kernel: 149s
Max time network: 152s
Command Line
Signatures
WSHRAT
WSHRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\jbdg.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\10_92\\HFLJHV~1.PDF" | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4224 set thread context of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 2728 set thread context of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 4684 set thread context of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 3056 set thread context of 4980 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
| PID 1584 set thread context of 4724 | N/A | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-NEW-PO-LIST-993837665598576.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" hfljhvpnk.pdf
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs"
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
"C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe" HFLJHV~1.PDF
Network
| Country | Destination | Domain | Proto |
| N/A | 8.248.99.254:80 | N/A | tcp |
| N/A | 20.42.65.88:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | newmoney2033.duckdns.org | udp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 8.238.20.126:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
Files
memory/4500-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\temp\10_92\nfdxe.vbe
| MD5 | 65c10353f3a1e04ba6544d0bdd067407 |
| SHA1 | c934cd3938f7d5f58355f62f16178a0f83be6e8e |
| SHA256 | 1022157457ef772806e5539771e7360e736a9f48efe4e6518fffb25098e785ec |
| SHA512 | e7b9e3bad7b0260c0b0c92ee0db6d00c56f9ce9eef6945063778ebec7b8091c7a94155d78e2b9b81bf2c0d2e4459b7e3862cb002b6bfe0e12da9c45a7cd1ceb8 |
C:\Users\Admin\AppData\Local\Temp\10_92\jbdg.exe
| MD5 | 440231e2782ad3138eebc85cc813fd00 |
| SHA1 | af0d3f0e253c017655c39cd2e5917b3c949d39d5 |
| SHA256 | d2ec3f81514c09342a65b5d3509329eb6f2d1ee2a109f5d9ded271309b03ce3c |
| SHA512 | d6683a1ad68d43ed35adff9d1e850e20241a5c0f87c76d95cd5225d26a328a49fe434458ae9319e611fc94c207cf89f8b74dc0ffed210ea86c0dcc974f737c25 |
memory/4224-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\hfljhvpnk.pdf
| MD5 | db84a61a890022c3d7c881d43591911c |
| SHA1 | 664dc6c1f53077284c8fc88ecc3ae889e01b070b |
| SHA256 | 6fd431f51071ebb6b51dd3eb0bdc30a8bc78c9e02032dfbc80e6f6224c3aa81e |
| SHA512 | 29974508ba6008cb18284468fbc7da1b6e8fb45b71bb2f4fa046d20e3b8221b6da3f3a60ca47675d37a48737c1bc59686949a42862177463e6e713bc7a79f110 |
C:\Users\Admin\AppData\Local\Temp\10_92\cnmkv.msc
| MD5 | 4a5a98a7a692404cbd3d5793472f2d7c |
| SHA1 | 116d732a0e062a8b4e2d31e7df4a1a3203a2f660 |
| SHA256 | 9c3286e5b43ae3e2ae92eb6bec7e5e9b369414d0b65a1ed3268f77992c4cac7c |
| SHA512 | a4382ea8096e4f312d947385f3a97f679926f89d4984415add94d6dec3b0de3ee0af97986d14ac06401b03070f2cb712c6204b63f91cf919651de68363b24b1d |
C:\Users\Admin\AppData\Local\Temp\10_92\ombc.ker
| MD5 | fd775de8230221944054064964e45a81 |
| SHA1 | 9074aee9eee109f2cba14b41255077923c83e5a6 |
| SHA256 | a1a2726dd8d6c212981763ee5f27e3aff624f3c5c42bdf5f86c85e175c3109dd |
| SHA512 | 4a7b33a6a7cdd273d16e9e5d9f03cb4a656c47b9ef4222a17b89c9e5c74ae538b5928b0207823b71e23f5dfd2fe1300e6ad51d30849531cc96d8ae71ed0356f3 |
memory/3144-140-0x0000000000000000-mapping.dmp
memory/3144-141-0x0000000001300000-0x00000000018EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
| MD5 | 9d352bc46709f0cb5ec974633a0c3c94 |
| SHA1 | 1969771b2f022f9a86d77ac4d4d239becdf08d07 |
| SHA256 | 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390 |
| SHA512 | 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b |
memory/3144-144-0x0000000001300000-0x000000000138A000-memory.dmp
memory/1388-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/3380-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/3784-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10_92\run.vbs
| MD5 | b9dd80c0a5131937d5bd1fc33d499d06 |
| SHA1 | 3158321e7b63e78b86dbd9226156717f9f3c246f |
| SHA256 | 2e97c4a44b5ea5a035cf3ae37bd36e77e5aec35f49967868d0802dbfd0e9a0bb |
| SHA512 | 634ffd92d13d077b348fb1254d42b3c5b8dd11017cfc34c28197a93e1d5223c832519e9f94d0a5047e86d01f07af7b7f3b148370d14d9dcf1fe206a312a948ea |
memory/2728-152-0x0000000000000000-mapping.dmp
memory/1684-154-0x0000000000000000-mapping.dmp
memory/1684-155-0x0000000000900000-0x000000000104F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
memory/1684-159-0x0000000000900000-0x000000000098A000-memory.dmp
memory/576-160-0x0000000000000000-mapping.dmp
memory/3500-162-0x0000000000000000-mapping.dmp
memory/920-164-0x0000000000000000-mapping.dmp
memory/4684-165-0x0000000000000000-mapping.dmp
memory/1628-168-0x0000000000000000-mapping.dmp
memory/1628-169-0x0000000001200000-0x00000000016CB000-memory.dmp
memory/1628-172-0x0000000001200000-0x000000000128A000-memory.dmp
memory/2352-173-0x0000000000000000-mapping.dmp
memory/2996-175-0x0000000000000000-mapping.dmp
memory/2988-177-0x0000000000000000-mapping.dmp
memory/3056-178-0x0000000000000000-mapping.dmp
memory/4980-181-0x0000000000000000-mapping.dmp
memory/4980-182-0x0000000000700000-0x0000000000BCD000-memory.dmp
memory/4980-185-0x0000000000700000-0x000000000078A000-memory.dmp
memory/4576-186-0x0000000000000000-mapping.dmp