Malware Analysis Report

2025-01-18 12:20

Sample ID 221116-vs4xtscb66
Target 3f73719885ad1f1beafd8f6b9589fd47.exe
SHA256 a2f3ffda7ff60101962f01bf24faeb3537edb6cbf7670dfdc9f62ed3ee65fbea
Tags: nanocore wshrat evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: a2f3ffda7ff60101962f01bf24faeb3537edb6cbf7670dfdc9f62ed3ee65fbea
Threat Level: Known bad

The file 3f73719885ad1f1beafd8f6b9589fd47.exe was found to be: Known bad.

Malicious Activity Summary

Tags: nanocore wshrat evasion keylogger persistence spyware stealer trojan

WSHRAT
NanoCore
WSHRAT payload
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview
  Reported: 2022-11-16 17:16

Signatures
  N/A

Analysis: behavioral2

Detonation Overview
  Submitted: 2022-11-16 17:16
  Reported: 2022-11-16 17:18
  Platform: win10v2004-20220812-en
  Max time kernel: 147s
  Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target
13 matches recorded; none of the four columns was captured in this export (every row reads N/A).

Checks computer location settings

Every row is the same query of the Geo\Nation value; identical rows are collapsed with a count.
Description Indicator Process Count
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe 1
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE 4
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe (also logged as wscript.exe) 11
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe 1

Drops startup file

Identical rows are collapsed with a count.
Description Indicator Process Count
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe 1
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe 4

Adds Run key to start application

persistence
Identical rows are collapsed with a count. The same value is written per-user (HKCU) and machine-wide (HKLM, under WOW6432Node because the writer is a 32-bit wscript.exe). //B runs the script in batch mode, which suppresses script errors and input prompts. WmBqH.vbs exists in three places: the Run value points at the copy in AppData\Local\Temp, the process list also shows the copy in AppData\Roaming being run, and the Drops startup file signature records a third copy in the Startup folder, so all three have to go during cleanup.
Description Indicator Process Count
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe 6
Key created \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe 6
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe 6
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe 6

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\temp\2_41\test file.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
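
The three persistence mechanisms recorded in this analysis (Run values under HKCU and HKLM, a script dropped into the Startup folder, and a scheduled task created from an XML file staged in Temp) share one trait: a script host or task definition is launched from a user-writable path. The detection logic below is an added example and is not part of this report or of the sandbox's signature set. The event schema is an assumed, simplified Sysmon-like shape (registry_set, file_create, process_create dictionaries), the sample events are constructed from the rows above plus two benign controls, and the ATT&CK IDs are my mapping (the report's own MITRE section is empty in this export).

```python
"""Persistence triage over constructed Sysmon-style events (added example, not sandbox code)."""
import re
from dataclasses import dataclass

# Paths an unprivileged user can write to. A legitimate autostart rarely runs a
# script host from here, so the combination is the signal, not either half alone.
USER_WRITABLE = re.compile(r"\\(?:appdata|programdata|public|temp)\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd")
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID (my mapping, assumed)
    reason: str
    evidence: str


def check_registry_set(ev):
    """Run/RunOnce value whose data launches a script host from a user-writable path."""
    if not RUN_KEY.search(ev["key"]):
        return None
    data = ev["data"]
    if any(h in data.lower() for h in SCRIPT_HOSTS) and USER_WRITABLE.search(data):
        return Finding("T1547.001", "Run key launches a script host from a user-writable path",
                       f'{ev["key"]} = {data}')
    return None


def check_file_create(ev):
    """Script file written into a Start Menu Startup folder."""
    path = ev["path"]
    if STARTUP_DIR.search(path) and path.lower().endswith(SCRIPT_EXT):
        return Finding("T1547.001", "Script dropped in Startup folder", f'{ev["image"]} -> {path}')
    return None


def check_process_create(ev):
    """schtasks.exe /create fed an XML task definition staged in a user-writable path."""
    image, cmd = ev["image"].lower(), ev["cmdline"]
    if image.endswith("\\schtasks.exe") and "/create" in cmd.lower() and "/xml" in cmd.lower():
        if USER_WRITABLE.search(cmd):
            return Finding("T1053.005", "Scheduled task created from XML in a user-writable path", cmd)
    return None


CHECKS = {
    "registry_set": check_registry_set,
    "file_create": check_file_create,
    "process_create": check_process_create,
}


def scan(events):
    """Run every event through the check for its type; return findings in event order."""
    findings = []
    for ev in events:
        hit = CHECKS[ev["type"]](ev)
        if hit is not None:
            findings.append(hit)
    return findings


# Constructed events mirroring the rows in this report, plus two benign controls.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmBqH",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"',
     "image": r"C:\Windows\SysWOW64\wscript.exe"},
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"',
     "image": r"C:\Windows\SysWOW64\wscript.exe"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs",
     "image": r"C:\Windows\SysWOW64\wscript.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6FC6.tmp"',
     "parent": r"C:\Users\Admin\AppData\Local\temp\2_41\test file.exe"},
    # Benign controls: an AppData autostart that is not a script host, and a non-script Startup file.
    {"type": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "file_create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
     "image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.reason}: {f.evidence}")
```

Run against the sample, the four malicious events fire and the two controls stay quiet: the OneDrive autostart lives under AppData but is not a script host, and desktop.ini sits in Startup but is not a script. Requiring both halves of the pattern is what keeps the rule usable on a fleet where AppData autostarts are common.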

Modifies registry class

Identical rows are collapsed with a count.
Description Indicator Process Count
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe 1
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe 6
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe 1
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE 4

Suspicious behavior: EnumeratesProcesses

Identical rows are collapsed with a count; the export stops at 64 rows.
Description Indicator Process Count
N/A N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe 3
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe 30
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE 31

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe N/A

Suspicious use of WriteProcessMemory

Each parent/child pair appears several times in the raw listing (one row per recorded write); rows are collapsed here with a count, in the order first seen. Three writes per child is the baseline for every ordinary process start in this run. The three RegSvcs.exe children receive five each, which together with the "Suspicious use of SetThreadContext" signature is consistent with process hollowing: a child started suspended, its image overwritten, and its thread context redirected before it resumes. The export stops at 64 rows, so the last pair is cut short at four.
Writes Parent (PID) Child (PID)
3 C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe (4244) C:\Users\Admin\AppData\Local\temp\2_41\test file.exe (1300)
3 C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe (4244) C:\Windows\SysWOW64\WScript.exe (2768)
3 C:\Windows\SysWOW64\WScript.exe (2768) C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe (4856)
3 C:\Users\Admin\AppData\Local\temp\2_41\test file.exe (1300) C:\Windows\SysWOW64\schtasks.exe (1524)
5 C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe (4856) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (1048)
3 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (1048) C:\Windows\SysWOW64\wscript.exe (1152)
3 C:\Windows\SysWOW64\wscript.exe (1152) C:\Windows\SysWOW64\wscript.exe (1060)
3 C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe (4856) C:\Windows\SysWOW64\WScript.exe (4320)
3 C:\Windows\SysWOW64\WScript.exe (4320) C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE (4360)
5 C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE (4360) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (3984)
3 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (3984) C:\Windows\SysWOW64\wscript.exe (1588)
3 C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE (4360) C:\Windows\SysWOW64\WScript.exe (1744)
3 C:\Windows\SysWOW64\WScript.exe (1744) C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE (744)
5 C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE (744) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (4924)
3 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (4924) C:\Windows\SysWOW64\wscript.exe (5036)
3 C:\Windows\SysWOW64\wscript.exe (5036) C:\Windows\SysWOW64\wscript.exe (2028)
3 C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE (744) C:\Windows\SysWOW64\WScript.exe (1104)
3 C:\Windows\SysWOW64\WScript.exe (1104) C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE (5028)
4 C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE (5028) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (4740)
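
The "wrote to memory of" rows carry enough information to rebuild the process tree and to spot the hollowing pattern that the SetThreadContext signature points at. The script below is an added example and not the sandbox's own code: it parses a verbatim subset of the rows from this report, renders the tree, and flags edges where a parent running from a user-writable path spawns a known .NET hollowing host, or where a child receives more memory writes than the modal count. The host list and the "modal count is the CreateProcess baseline" heuristic are my assumptions, not something the report states; function names are mine.

```python
"""Rebuild the process tree from this report's WriteProcessMemory rows (added example, not sandbox code)."""
import re
from collections import Counter, defaultdict

# One report row: "PID <parent> wrote to memory of <child> N/A <parent image> <child image>".
# Both images start with "C:\" and no path contains " C:\", so a lazy first group splits them safely.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.+?) (C:\\.+)$", re.IGNORECASE)

# Assumed list of signed .NET utilities that commodity loaders hollow to host a payload.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}
USER_WRITABLE = re.compile(r"\\(?:appdata|programdata|public|temp)\\", re.IGNORECASE)


def parse_wpm_rows(text):
    """Return (write count per (parent pid, child pid) edge in first-seen order, image per pid)."""
    edges, images = Counter(), {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, blank lines, rows of other signatures
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] += 1
        images.setdefault(ppid, m.group(3))
        images.setdefault(cpid, m.group(4))
    return edges, images


def render_tree(edges, images):
    """Indented 'pid image' lines; children appear in the order their first write was seen."""
    children = defaultdict(list)
    for ppid, cpid in edges:
        children[ppid].append(cpid)
    child_pids = {cpid for _, cpid in edges}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for c in children[pid]:
            walk(c, depth + 1)

    for root in (pid for pid in images if pid not in child_pids):
        walk(root, 0)
    return lines


def suspicious_edges(edges, images):
    """Hollowing heuristic (an assumption, not a rule the report states): flag a child that is a
    known host binary started by a parent in a user-writable path, and any edge that receives
    more writes than the modal count, the modal count being the ordinary CreateProcess baseline."""
    modal = Counter(edges.values()).most_common(1)[0][0] if edges else 0
    hits = []
    for (ppid, cpid), n in edges.items():
        child = images[cpid].rsplit("\\", 1)[-1].lower()
        reasons = []
        if child in HOLLOW_HOSTS and USER_WRITABLE.search(images[ppid]):
            reasons.append("hollowing host spawned from user-writable path")
        if n > modal:
            reasons.append(f"{n} writes vs modal {modal}")
        if reasons:
            hits.append((ppid, cpid, child, "; ".join(reasons)))
    return hits


# Verbatim subset of the rows in this report (the first five distinct parent/child pairs).
SAMPLE_ROWS = r"""
PID 4244 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
PID 4244 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
PID 4244 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
PID 4244 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Windows\SysWOW64\WScript.exe
PID 4244 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Windows\SysWOW64\WScript.exe
PID 4244 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Windows\SysWOW64\WScript.exe
PID 2768 wrote to memory of 4856 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 2768 wrote to memory of 4856 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 2768 wrote to memory of 4856 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 4856 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4856 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4856 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4856 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4856 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1048 wrote to memory of 1152 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1048 wrote to memory of 1152 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1048 wrote to memory of 1152 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
"""

if __name__ == "__main__":
    edges, images = parse_wpm_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(edges, images)))
    for ppid, cpid, child, why in suspicious_edges(edges, images):
        print(f"SUSPECT {ppid} -> {cpid} ({child}): {why}")
```

On the sample the only flagged edge is faksdkoas.exe (4856) to RegSvcs.exe (1048), for both reasons at once. The write-count test is deliberately relative rather than absolute because the baseline number of writes per process start varies between sandboxes and Windows builds; what matters is the outlier against the run's own baseline.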

Processes

The process list is flattened in this export; below it is rebuilt as a tree from the "wrote to memory of" rows (PID in brackets where those rows establish the parent; "?" where the PID falls past the end of that listing and the parent is inferred from the command-line pattern that repeats). Command lines are quoted as recorded. The sample is 32-bit, so "C:\Windows\System32\WScript.exe" on a command line is redirected by WOW64 to the C:\Windows\SysWOW64\ image shown.

[4244] C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe
       "C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe"
  [1300] C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
         "C:\Users\Admin\AppData\Local\temp\2_41\test file.exe" 伊莎贝拉25美分硬币是1893年铸造的一种美国纪念币,由联邦国会应芝加哥哥伦布纪念博览会女士经理人董事会的请求授权发行。
         (The argument is Chinese filler text, not a switch. It translates as: "The Isabella quarter is a United States commemorative coin minted in 1893, authorized by the federal Congress at the request of the Board of Lady Managers of the Chicago World's Columbian Exposition.")
    [1524] C:\Windows\SysWOW64\schtasks.exe
           "schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6FC6.tmp"
  [2768] C:\Windows\SysWOW64\WScript.exe
         "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\2_41\feudamoc.vbe"
    [4856] C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
           "C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe" xccsbp.vlf
      [1048] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
             "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        [1152] C:\Windows\SysWOW64\wscript.exe
               "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
          [1060] C:\Windows\SysWOW64\wscript.exe
                 "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
      [4320] C:\Windows\SysWOW64\WScript.exe
             "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
        [4360] C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
               "C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf
          [3984] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            [1588] C:\Windows\SysWOW64\wscript.exe
                   "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
              [?] C:\Windows\SysWOW64\wscript.exe
                  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
          [1744] C:\Windows\SysWOW64\WScript.exe
                 "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
            [744] C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
                  "C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf
              [4924] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                     "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                [5036] C:\Windows\SysWOW64\wscript.exe
                       "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
                  [2028] C:\Windows\SysWOW64\wscript.exe
                         "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
              [1104] C:\Windows\SysWOW64\WScript.exe
                     "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
                [5028] C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
                       "C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf
                  [4740] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                         "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    [?] C:\Windows\SysWOW64\wscript.exe
                        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
                      [?] C:\Windows\SysWOW64\wscript.exe
                          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
                  [?] C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
                    [?] C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
                        "C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf
                      [?] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                        [?] C:\Windows\SysWOW64\wscript.exe
                            "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
                          [?] C:\Windows\SysWOW64\wscript.exe
                              "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
                      [?] C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
                        [?] C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
                            "C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf

Five FAKSDK~1.EXE instances (the 8.3 short name of faksdkoas.exe) and six RegSvcs.exe instances in total: each round starts a fresh RegSvcs.exe, which in turn runs WmBqH.vbs from AppData\Roaming, and then relaunches the loader through run.vbs. The listing ends with the fifth FAKSDK~1.EXE.

Network

Identical rows are collapsed with a count; the Country column was N/A throughout and is dropped. Rows with no domain are connections for which the report recorded no name resolution: attribute them before blocking on them. The loopback connections use port 6969, the same port as the concideritdone.duckdns.org connections; ip-api.com is the lookup behind the "Looks up external IP address via web service" signature.
Count Destination Domain Proto
7 8.8.8.8:53 concideritdone.duckdns.org udp
7 156.96.44.168:6969 concideritdone.duckdns.org tcp
1 8.8.8.8:53 ip-api.com udp
1 208.95.112.1:80 ip-api.com tcp
1 8.8.8.8:53 newmoney2033.duckdns.org udp
21 192.99.255.74:5000 newmoney2033.duckdns.org tcp
1 40.79.141.153:443 (none recorded) tcp
6 127.0.0.1:6969 (none recorded) tcp
1 93.184.221.240:80 (none recorded) tcp
1 93.184.220.29:80 (none recorded) tcp
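
Triage of the network rows above, as an added example that is not part of this report: the script parses rows in the report's own "country ip:port [domain] proto" layout, aggregates repeats, classifies each destination (resolver query, dynamic-DNS C2 candidate, external-IP lookup, loopback, unresolved) and emits a blocklist of the C2 candidates only. The dynamic-DNS suffix list and the IP-lookup service list are assumptions; which of the two duckdns hosts belongs to NanoCore and which to WSHRAT is not established by the report, and the code does not guess.

```python
"""Triage of the report's Network rows (added example, not sandbox code)."""
import re
from collections import Counter

# One report row: "<country> <ip>:<port> [<domain>] <proto>"; the domain is absent when the
# report recorded no name resolution for the connection.
ROW = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")

# Assumed lists, not stated by the report; extend to taste.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.com", ".no-ip.org", ".ddns.net", ".hopto.org")
IP_LOOKUP_SERVICES = {"ip-api.com", "api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}


def parse_network_rows(text):
    """Count identical rows; the key is (ip, port, domain or None, proto) in first-seen order."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            counts[(m.group(2), int(m.group(3)), m.group(4), m.group(5))] += 1
    return counts


def classify(ip, port, domain, proto):
    if ip.startswith("127."):
        return "loopback"
    if port == 53 and proto == "udp":
        return "dns-query"
    if domain in IP_LOOKUP_SERVICES:
        return "external-ip-lookup"   # victim learns its public address (T1016)
    if domain and domain.endswith(DYNDNS_SUFFIXES):
        return "dyndns-c2-candidate"  # dynamic DNS in front of a raw port: commodity-RAT C2 shape
    if domain is None:
        return "unresolved"           # never block on this alone
    return "other"


def summarize(counts):
    """One record per distinct destination, most frequent first."""
    records = []
    for (ip, port, domain, proto), n in counts.items():
        records.append({"ip": ip, "port": port, "domain": domain, "proto": proto,
                        "count": n, "class": classify(ip, port, domain, proto)})
    records.sort(key=lambda r: -r["count"])  # stable: ties keep first-seen order
    return records


def blocklist(records):
    """Domains and ip:port pairs worth blocking outright: the dynamic-DNS C2 candidates only."""
    out = set()
    for r in records:
        if r["class"] == "dyndns-c2-candidate":
            out.add(r["domain"])
            out.add(f'{r["ip"]}:{r["port"]}')
    return out


# Verbatim subset of the rows in this report.
SAMPLE_ROWS = """
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 newmoney2033.duckdns.org udp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 40.79.141.153:443 tcp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 127.0.0.1:6969 tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 93.184.221.240:80 tcp
"""

if __name__ == "__main__":
    records = summarize(parse_network_rows(SAMPLE_ROWS))
    for r in records:
        print(f'{r["count"]:>3} {r["ip"]}:{r["port"]} {r["domain"] or "-":30} {r["proto"]} {r["class"]}')
    print("blocklist:", sorted(blocklist(records)))
```

The blocklist deliberately carries both the hostname and the ip:port pair: dynamic-DNS names are re-pointed at will, so the name alone is a weak block, while the IP alone misses the next rotation. The 8.8.8.8 rows are the sandbox's resolver and are classified as queries, not destinations, so they never reach the blocklist.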

Files

memory/1300-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\test file.exe
(also recorded under the lower-case path C:\Users\Admin\AppData\Local\temp\2_41\test file.exe with identical hashes)

MD5 1f09eca585c701bbbf4a63ce5e1771f6
SHA1 8b3405e33b91e3d6b3860afa86e6c98a5e908abb
SHA256 b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b
SHA512 4a28f0ea613ad9ad0f1f33dac804b6918da75a509cd7dea04bc9fc2cb89cffe85eacc187811baf8f4b6e9de22e51ec9fe2ab3939ec311eb0b7bb877aa3f2215c

memory/2768-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\temp\2_41\feudamoc.vbe

MD5 a56332f161b32fcd30f48ac8a66975e8
SHA1 3c9dda1587ae925c492ffab42bb55ef27f54fe7f
SHA256 36893fd0ecb7b83e5af0581f5df677a65a01808e18edaa95530cdfdad45cf0a9
SHA512 47b4584756bd2639f33f148911ff562a3a070b857112c51138ef228430b4b38b7eb3881917b0a159b5914b0f5a3591e85429ae231f202b20c59c10c05c2ddd92

C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
(listed twice in the sandbox output with identical hashes)

MD5 04f0c3f70461916af763532c37542cbc
SHA1 cc224f14986caa4bb5a5f74ba987702492938d8b
SHA256 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9
SHA512 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e

memory/1300-138-0x0000000072EA0000-0x0000000073451000-memory.dmp

memory/4856-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\xccsbp.vlf

MD5 e49659c07ebff776159f1beb52d42388
SHA1 d2e99e21830af1e4ae96f7a77c73ffe8ddd123a4
SHA256 0d83d6e9ef379af14333b94d049547b5b8a4f35afcd25cc3b95ab2bf5e077117
SHA512 c6ee65e2cdcf68f78438de79b003ca6f7fb537746b927f715f25cb451a14e51150ff4e70c9df565b1ec86ed0997ab4860c244fcb2ed623f6719482fd94c12815

memory/1524-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6FC6.tmp

MD5 a220d91757de399952b90c35eeecf792
SHA1 ea298bd9a2e6bd50068452cd8a5b979796fada71
SHA256 80682948d9e9a49fa0178623808cf4507fd6c1123b248abe4e8fa2bc52ef4c50
SHA512 c6cc0629c6696117a0f0e04ed1844a354ea4e202982463a0deb7a9196d35f007d4928f0556db4bcde94d3d5be4cda7d5d5157784a441035877f288c4f2aa22ac

Hashes for WmBqH.vbs and run.vbs, which the process list shows executing, are not captured in this listing; xccsbp.vlf is the file faksdkoas.exe takes as its argument and tmp6FC6.tmp is the XML task definition passed to schtasks.exe.

C:\Users\Admin\AppData\Local\Temp\2_41\lhjgib.jpg

MD5 4f465f14923a494e8859dbba24220b73
SHA1 f48e8e8e3effea4198d7959522bb324832dde5f1
SHA256 26a133075b6be4ce1eaa4db17934f0c04566b134956f3c812ec15ce49b18b38c
SHA512 cb450623e42ffd8541519002e2e96aadcba69b6b8e4c8ee914d5b3a3f346646a64479e2c1095a1378023ce2dc6c5aaad74e0600ee2addcfc08030683d630f9ec

memory/1300-145-0x0000000072EA0000-0x0000000073451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\lpwbjuoh.nij

MD5 7c96d13a20336ad9faebd5e285971268
SHA1 8409f340067cb2504d6ef27868c619cb76983074
SHA256 d82b29c882634308da49dcdf9ba8c185785cc4d7f8ec3a9cc2bf879ffecae582
SHA512 b96138c07fff116944fac53df077cd5e6012e7c8c0a11af324ca80a095fe650fb256beda6f0d56b9be03965a0ef7b5d87d69cfc08dfc59d9756f317bfeb87465

memory/1048-147-0x0000000000000000-mapping.dmp

memory/1048-148-0x0000000001300000-0x0000000002300000-memory.dmp

memory/1048-149-0x0000000001300000-0x000000000138A000-memory.dmp

memory/1152-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1060-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/4320-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs

MD5 c03b2eecc2088d3a7d9b13cad82e52a3
SHA1 1f02fa3c133606411f31dd7f779940bd614fcb3b
SHA256 1884da07b862d8c4075ea87cea80c47b0f8157976d60e0fc30645eb04515bb06
SHA512 81c3bb353b66519861b2949c9f3928ad1338a4afd70d213ca87529d84bb54933463f7ab79104b48319fb7e39d7dce833047a8d189e5778924b4275523b9ae855

memory/4360-157-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe

MD5 04f0c3f70461916af763532c37542cbc
SHA1 cc224f14986caa4bb5a5f74ba987702492938d8b
SHA256 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9
SHA512 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e

memory/3984-159-0x0000000000000000-mapping.dmp

memory/3984-160-0x0000000000B00000-0x0000000001B00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3984-162-0x0000000000B00000-0x0000000000B8A000-memory.dmp

memory/1588-163-0x0000000000000000-mapping.dmp

memory/1744-164-0x0000000000000000-mapping.dmp

memory/744-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe

MD5 04f0c3f70461916af763532c37542cbc
SHA1 cc224f14986caa4bb5a5f74ba987702492938d8b
SHA256 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9
SHA512 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e

memory/4924-167-0x0000000000000000-mapping.dmp

memory/4924-168-0x0000000000700000-0x0000000001700000-memory.dmp

memory/4924-169-0x0000000000700000-0x000000000078A000-memory.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/5036-171-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/2028-173-0x0000000000000000-mapping.dmp

memory/1104-175-0x0000000000000000-mapping.dmp

memory/5028-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe

MD5 04f0c3f70461916af763532c37542cbc
SHA1 cc224f14986caa4bb5a5f74ba987702492938d8b
SHA256 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9
SHA512 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/4740-179-0x0000000000000000-mapping.dmp

memory/4740-180-0x0000000001210000-0x0000000002210000-memory.dmp

memory/4740-181-0x0000000001210000-0x000000000129A000-memory.dmp

memory/3212-182-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/1452-184-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/908-186-0x0000000000000000-mapping.dmp

memory/3324-187-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe

MD5 04f0c3f70461916af763532c37542cbc
SHA1 cc224f14986caa4bb5a5f74ba987702492938d8b
SHA256 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9
SHA512 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/4256-190-0x0000000000000000-mapping.dmp

memory/4256-191-0x0000000001120000-0x0000000002120000-memory.dmp

memory/4256-192-0x0000000001120000-0x00000000011AA000-memory.dmp

memory/964-193-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/2512-195-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa

memory/4176-197-0x0000000000000000-mapping.dmp

memory/3756-198-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe

MD5 04f0c3f70461916af763532c37542cbc
SHA1 cc224f14986caa4bb5a5f74ba987702492938d8b
SHA256 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9
SHA512 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs

MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA1 c9d7c014564072d2ea951ede6718632c20a5cd48
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7
SHA512 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa
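
The Files section above lists the same content many times: the WmBqH.vbs script under Roaming, Temp and the Startup folder, faksdkoas.exe dropped repeatedly, and "test file.exe" under both Temp and temp (the same directory on a case-insensitive NTFS volume). The script below is an added example, not output of the sandbox or part of this report: it parses entries in the section's own layout, collapses them by SHA256 into unique artifacts with their distinct locations, checks that each hash value has the length its algorithm requires (a mismatch means an extraction-garbled row), and turns the memory dump names into region sizes. The sample input is a trimmed copy of entries from above with SHA1/SHA512 lines omitted for brevity; all function names are this example's own.

```python
import re

# Constructed sample: a trimmed copy of entries from the Files section above
# (SHA1/SHA512 lines dropped for brevity; the parser accepts all four).
SAMPLE = r"""
memory/1300-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\test file.exe
MD5 1f09eca585c701bbbf4a63ce5e1771f6
SHA256 b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b

C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
MD5 1f09eca585c701bbbf4a63ce5e1771f6
SHA256 b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b

C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
MD5 04f0c3f70461916af763532c37542cbc
SHA256 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9

memory/1048-148-0x0000000001300000-0x0000000002300000-memory.dmp

memory/1048-149-0x0000000001300000-0x000000000138A000-memory.dmp

C:\Users\Admin\AppData\Roaming\WmBqH.vbs
MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
MD5 a2c40a28f05614c3d68c9c9727fa9584
SHA256 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7

memory/3984-160-0x0000000000B00000-0x0000000001B00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
MD5 04f0c3f70461916af763532c37542cbc
SHA256 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-(?:0x([0-9A-Fa-f]+)-memory|mapping)\.dmp$")


def parse_files_section(text):
    """Split the section into file records ({path, hashes}) and dump records."""
    files, dumps, cur = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx), "start": int(start, 16),
                          "end": int(end, 16) if end else None})  # mapping dumps have no range
            continue
        if PATH_RE.match(line):
            cur = {"path": line, "hashes": {}}
            files.append(cur)
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur["hashes"][m.group(1)] = m.group(2).lower()
    return files, dumps


def check(files):
    """Hash values whose length does not fit the algorithm: a garbled row."""
    return [(f["path"], alg) for f in files
            for alg, val in f["hashes"].items() if len(val) != HASH_LEN[alg]]


def group_by_hash(files):
    """Collapse repeated drops of the same content into one artifact; paths are
    compared case-insensitively because NTFS paths are (Temp == temp)."""
    groups = {}
    for f in files:
        key = f["hashes"].get("SHA256")
        if key is None:
            continue
        g = groups.setdefault(key, {"hashes": f["hashes"], "paths": [], "drops": 0})
        g["drops"] += 1
        if f["path"].lower() not in (p.lower() for p in g["paths"]):
            g["paths"].append(f["path"])
    return groups


def dump_regions(dumps):
    """Size of each dumped region, e.g. the 16 MiB range seen in every RegSvcs pid."""
    return [{"pid": d["pid"], "start": d["start"], "size": d["end"] - d["start"]}
            for d in dumps if d["end"] is not None]
```

Run against the sample, three unique artifacts come out of six entries, and the region list shows the same 0x1000000-byte range in pid 1048 and pid 3984 with a smaller 0x8A000-byte sub-range inside it, which is the region an analyst would pull first when looking for the unpacked payload.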

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-16 17:16

Reported

2022-11-16 17:18

Platform

win7-20221111-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

WSHRAT

trojan wshrat

WSHRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\temp\2_41\test file.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
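
The three persistence signatures above (Startup-folder drop, Run values under HKU and HKLM\...\Wow6432Node, and schtasks /create from an XML file in Temp) can be triaged straight from the report rows. What follows is an added example written for this page, not code from the sandbox: it parses rows in the tables' own text form, un-escapes the registry data, and flags autostart entries that hand a script host a file in a user-writable location. The script-host list, the user-writable path fragments and all function names are assumptions of the example; the input rows are copied from the tables above (the HKU row is repeated on purpose, as it is in the report), plus the schtasks command line from the Processes section.

```python
import re
import shlex
from dataclasses import dataclass

# Assumed lists for this example: script hosts an analyst would not expect in an
# autostart entry, and path fragments that mark user-writable locations.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_EXT = ("vbs", "vbe", "js", "jse", "wsf", "hta", "ps1")

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\S+) = "(?P<data>.*)" (?P<proc>\S+) (?P<target>\S+)$')
FILE_RE = re.compile(
    r'^(?P<action>File created|File opened for modification) (?P<path>.+?) (?P<proc>\S+) (?P<target>\S+)$')

# Constructed input: rows copied from the tables above.
REGISTRY_ROWS = [
    r'Key created \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A',
]
FILE_ROWS = [
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A',
    r'File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs C:\Windows\SysWOW64\wscript.exe N/A',
]
CMDLINES = [
    r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"',
    r'"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE15.tmp"',
]


@dataclass(frozen=True)
class Finding:
    kind: str        # run_key | startup_folder | scheduled_task
    location: str    # registry value path, file path or task name
    command: str     # what runs, or where the task definition came from
    process: str     # process that created the entry
    reasons: tuple


def unescape(s):
    """Undo the C-style escaping the report applies to registry string data."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def command_reasons(cmd):
    low = cmd.lower()
    reasons = []
    if any(h in low for h in SCRIPT_HOSTS):
        reasons.append("script host")
    if "//b" in low.split():                  # batch mode: no error pop-ups
        reasons.append("//B silent mode")
    if any(p in low for p in USER_WRITABLE):
        reasons.append("user-writable path")
    return tuple(reasons)


def run_key_findings(rows):
    out = []
    for row in rows:
        m = SET_VALUE_RE.match(row)           # "Key created" rows carry no command
        if not m or "\\currentversion\\run" not in m["path"].lower():
            continue
        cmd = unescape(m["data"])
        reasons = command_reasons(cmd)
        if reasons:
            out.append(Finding("run_key", m["path"], cmd, m["proc"], reasons))
    return out


def startup_findings(rows):
    out = []
    for row in rows:
        m = FILE_RE.match(row)
        if not m or m["action"] != "File created":
            continue
        path = m["path"]
        if "\\start menu\\programs\\startup\\" in path.lower():
            ext = path.rsplit(".", 1)[-1].lower()
            kind = "script file" if ext in SCRIPT_EXT else "non-script file"
            out.append(Finding("startup_folder", path, path, m["proc"], ("startup folder", kind)))
    return out


def task_findings(cmdlines):
    out = []
    for cmd in cmdlines:
        toks = [t.strip('"') for t in shlex.split(cmd, posix=False)]
        if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
            continue
        low = [t.lower() for t in toks]
        if "/create" not in low:
            continue
        opts = {low[i]: toks[i + 1] for i in range(len(toks) - 1) if low[i].startswith("/")}
        source = opts.get("/xml") or opts.get("/tr", "")
        reasons = ["schtasks /create"]
        if "/xml" in opts:   # the XML is gone after the run; read the task from C:\Windows\System32\Tasks
            reasons.append("definition from XML file")
        if "/f" in low:
            reasons.append("/f overwrites an existing task")
        if any(p in source.lower() for p in USER_WRITABLE):
            reasons.append("user-writable path")
        out.append(Finding("scheduled_task", opts.get("/tn", "?"), source, toks[0], tuple(reasons)))
    return out


def triage(registry_rows, file_rows, cmdlines):
    """All persistence findings, first occurrence only (the report repeats rows)."""
    found = run_key_findings(registry_rows) + startup_findings(file_rows) + task_findings(cmdlines)
    return list(dict.fromkeys(found))
```

On the sample input this yields four findings: the HKU and HKLM Run values (both flagged for a script host, //B and an AppData path), the Startup-folder .vbs, and the "NTFS Monitor" task. Because the task was created with /xml from a file in Temp that no longer exists, the action it runs is not in the report; on a live host the definition survives as C:\Windows\System32\Tasks\NTFS Monitor and in the TaskCache registry hive, which is where to recover it.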

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1892 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
PID 1892 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
PID 1892 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
PID 1892 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
PID 1892 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Windows\SysWOW64\WScript.exe
PID 1892 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Windows\SysWOW64\WScript.exe
PID 1892 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Windows\SysWOW64\WScript.exe
PID 1892 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe C:\Windows\SysWOW64\WScript.exe
PID 1640 wrote to memory of 1536 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 1640 wrote to memory of 1536 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 1640 wrote to memory of 1536 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 1640 wrote to memory of 1536 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 1640 wrote to memory of 1536 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 1640 wrote to memory of 1536 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 1640 wrote to memory of 1536 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
PID 2032 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\temp\2_41\test file.exe C:\Windows\SysWOW64\schtasks.exe
PID 1536 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1536 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1536 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1536 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1536 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1536 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1536 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1536 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1536 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1404 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1404 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1404 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1404 wrote to memory of 1992 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1992 wrote to memory of 1940 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 1992 wrote to memory of 1940 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 1992 wrote to memory of 1940 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 1992 wrote to memory of 1940 N/A C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
PID 1536 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\SysWOW64\WScript.exe
PID 1536 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\SysWOW64\WScript.exe
PID 1536 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\SysWOW64\WScript.exe
PID 1536 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe C:\Windows\SysWOW64\WScript.exe
PID 1900 wrote to memory of 912 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
PID 1900 wrote to memory of 912 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
PID 1900 wrote to memory of 912 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
PID 1900 wrote to memory of 912 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
PID 1900 wrote to memory of 912 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
PID 1900 wrote to memory of 912 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
PID 1900 wrote to memory of 912 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
PID 912 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 912 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 912 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 912 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 912 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 912 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 912 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 912 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 912 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1812 wrote to memory of 2044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1812 wrote to memory of 2044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1812 wrote to memory of 2044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 1812 wrote to memory of 2044 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\wscript.exe
PID 912 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\SysWOW64\WScript.exe
PID 912 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\SysWOW64\WScript.exe
PID 912 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\SysWOW64\WScript.exe
PID 912 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE C:\Windows\SysWOW64\WScript.exe
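
The WriteProcessMemory table is effectively a parent/child log: the first process that writes into a new pid is the one that created it, and the number of rows per (parent, child) pair varies. Below is an added example for this page, not sandbox code, that rebuilds the process tree from rows in the table's own format, prints the root-to-leaf chains, and lists the edges with more writes than the common baseline. The sample rows are regenerated from a compact (parent, child, image, count) list copied from the table above; the pid constants and function names are the example's own.

```python
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$")   # paths may contain spaces

SAMPLE   = r"C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe"
TESTFILE = r"C:\Users\Admin\AppData\Local\temp\2_41\test file.exe"
WSCRIPT  = r"C:\Windows\SysWOW64\WScript.exe"
DROPPER  = r"C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe"
DROPPER2 = r"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
REGSVCS  = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# (parent, child, parent image, child image, rows in the table above); constructed
# sample rows are regenerated from this so the input has the report's shape.
EDGES = [
    (1892, 2032, SAMPLE, TESTFILE, 4), (1892, 1640, SAMPLE, WSCRIPT, 4),
    (1640, 1536, WSCRIPT, DROPPER, 7), (2032, 1488, TESTFILE, SCHTASKS, 4),
    (1536, 1404, DROPPER, REGSVCS, 9), (1404, 1992, REGSVCS, WSCRIPT, 4),
    (1992, 1940, WSCRIPT, WSCRIPT, 4), (1536, 1900, DROPPER, WSCRIPT, 4),
    (1900, 912, WSCRIPT, DROPPER2, 7), (912, 1812, DROPPER2, REGSVCS, 9),
    (1812, 2044, REGSVCS, WSCRIPT, 4), (912, 940, DROPPER2, WSCRIPT, 4),
]


def make_rows(edges):
    rows = []
    for src, dst, src_img, dst_img, n in edges:
        rows += [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * n
    return rows


def parse(rows):
    """Map pid -> image and count WriteProcessMemory calls per (parent, child)."""
    images, writes = {}, Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        src, dst = int(m["src"]), int(m["dst"])
        images.setdefault(src, m["src_img"])
        images.setdefault(dst, m["dst_img"])
        writes[(src, dst)] += 1
    return images, writes


def build_tree(rows):
    images, writes = parse(rows)
    parent, children = {}, defaultdict(list)
    for src, dst in writes:                   # first writer of a pid is taken as its parent
        if dst not in parent:
            parent[dst] = src
            children[src].append(dst)
    roots = [p for p in images if p not in parent]
    return {"images": images, "writes": writes, "parent": parent,
            "children": children, "roots": roots}


def chain(tree, pid):
    """Ancestry from the root down to pid, e.g. sample -> WScript -> dropper -> RegSvcs."""
    path = [pid]
    while path[-1] in tree["parent"]:
        path.append(tree["parent"][path[-1]])
    return path[::-1]


def outliers(tree):
    """(parent, child) edges with more writes than the most common count."""
    counts = tree["writes"]
    baseline = Counter(counts.values()).most_common(1)[0][0]
    return sorted(((e, n) for e, n in counts.items() if n > baseline), key=lambda x: -x[1])


def render(tree, pid=None, depth=0):
    """Indented tree; each node shows how many writes its parent made into it."""
    lines = []
    for p in (tree["roots"] if pid is None else [pid]):
        name = tree["images"][p].rsplit("\\", 1)[-1]
        n = tree["writes"].get((tree["parent"].get(p), p))
        lines.append("  " * depth + f"{p} {name}" + (f"  [{n} writes from parent]" if n else ""))
        for c in tree["children"].get(p, []):
            lines.extend(render(tree, c, depth + 1))
    return lines
```

The baseline here is four writes per child, and the edges that exceed it are the ones into the dropped dropper (7) and from the dropper into an argument-less RegSvcs.exe (9). The counts alone do not prove injection, but a freshly dropped binary writing far more than process creation needs into a .NET framework host, together with the "Suspicious use of SetThreadContext" signature listed in the summary, is the pattern an analyst reads as hollowing, and chain(tree, 1404) gives the path to cite.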

Processes

C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe

"C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe"

C:\Users\Admin\AppData\Local\temp\2_41\test file.exe

"C:\Users\Admin\AppData\Local\temp\2_41\test file.exe" 伊莎贝拉25美分硬币是1893年铸造的一种美国纪念币,由联邦国会应芝加哥哥伦布纪念博览会女士经理人董事会的请求授权发行。

(The argument is a Chinese sentence, kept verbatim above because it is part of the command-line indicator. In English: "The Isabella quarter is a United States commemorative coin struck in 1893, authorized by Congress at the request of the Board of Lady Managers of the World's Columbian Exposition in Chicago." Nothing in the report shows what the process does with it; match on the full command line, string included.)

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\2_41\feudamoc.vbe"

C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe

"C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe" xccsbp.vlf

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE15.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"

C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE

"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"

C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE

"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE

"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"

C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE

"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 8.8.8.8:53 newmoney2033.duckdns.org udp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 127.0.0.1:6969 tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 127.0.0.1:6969 tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 127.0.0.1:6969 tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp
N/A 192.99.255.74:5000 newmoney2033.duckdns.org tcp

Files
