Analysis Overview
SHA256
a2f3ffda7ff60101962f01bf24faeb3537edb6cbf7670dfdc9f62ed3ee65fbea
Threat Level: Known bad
The file 3f73719885ad1f1beafd8f6b9589fd47.exe was found to be: Known bad.
Malicious Activity Summary
WSHRAT
NanoCore
WSHRAT payload
Executes dropped EXE
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-16 17:16
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-16 17:16
Reported
2022-11-16 17:18
Platform
win10v2004-20220812-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
NanoCore
WSHRAT
WSHRAT payload
Blocklisted process makes network request
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\temp\2_41\test file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\temp\2_41\test file.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4856 set thread context of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4360 set thread context of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 744 set thread context of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 5028 set thread context of 4740 | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3324 set thread context of 4256 | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\temp\2_41\test file.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\temp\2_41\test file.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe
"C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe"
C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
"C:\Users\Admin\AppData\Local\temp\2_41\test file.exe" 伊莎贝拉25美分硬币是1893年铸造的一种美国纪念币，由联邦国会应芝加哥哥伦布纪念博览会女士经理人董事会的请求授权发行。
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\2_41\feudamoc.vbe"
C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
"C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe" xccsbp.vlf
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6FC6.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| N/A | 156.96.44.168:6969 | concideritdone.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | newmoney2033.duckdns.org | udp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 40.79.141.153:443 | | tcp |
| N/A | 127.0.0.1:6969 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\2_41\test file.exe
| MD5 | 1f09eca585c701bbbf4a63ce5e1771f6 |
| SHA1 | 8b3405e33b91e3d6b3860afa86e6c98a5e908abb |
| SHA256 | b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b |
| SHA512 | 4a28f0ea613ad9ad0f1f33dac804b6918da75a509cd7dea04bc9fc2cb89cffe85eacc187811baf8f4b6e9de22e51ec9fe2ab3939ec311eb0b7bb877aa3f2215c |
C:\Users\Admin\AppData\Local\temp\2_41\feudamoc.vbe
| MD5 | a56332f161b32fcd30f48ac8a66975e8 |
| SHA1 | 3c9dda1587ae925c492ffab42bb55ef27f54fe7f |
| SHA256 | 36893fd0ecb7b83e5af0581f5df677a65a01808e18edaa95530cdfdad45cf0a9 |
| SHA512 | 47b4584756bd2639f33f148911ff562a3a070b857112c51138ef228430b4b38b7eb3881917b0a159b5914b0f5a3591e85429ae231f202b20c59c10c05c2ddd92 |
C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
C:\Users\Admin\AppData\Local\Temp\2_41\xccsbp.vlf
| MD5 | e49659c07ebff776159f1beb52d42388 |
| SHA1 | d2e99e21830af1e4ae96f7a77c73ffe8ddd123a4 |
| SHA256 | 0d83d6e9ef379af14333b94d049547b5b8a4f35afcd25cc3b95ab2bf5e077117 |
| SHA512 | c6ee65e2cdcf68f78438de79b003ca6f7fb537746b927f715f25cb451a14e51150ff4e70c9df565b1ec86ed0997ab4860c244fcb2ed623f6719482fd94c12815 |
C:\Users\Admin\AppData\Local\Temp\tmp6FC6.tmp
| MD5 | a220d91757de399952b90c35eeecf792 |
| SHA1 | ea298bd9a2e6bd50068452cd8a5b979796fada71 |
| SHA256 | 80682948d9e9a49fa0178623808cf4507fd6c1123b248abe4e8fa2bc52ef4c50 |
| SHA512 | c6cc0629c6696117a0f0e04ed1844a354ea4e202982463a0deb7a9196d35f007d4928f0556db4bcde94d3d5be4cda7d5d5157784a441035877f288c4f2aa22ac |
C:\Users\Admin\AppData\Local\Temp\2_41\lhjgib.jpg
| MD5 | 4f465f14923a494e8859dbba24220b73 |
| SHA1 | f48e8e8e3effea4198d7959522bb324832dde5f1 |
| SHA256 | 26a133075b6be4ce1eaa4db17934f0c04566b134956f3c812ec15ce49b18b38c |
| SHA512 | cb450623e42ffd8541519002e2e96aadcba69b6b8e4c8ee914d5b3a3f346646a64479e2c1095a1378023ce2dc6c5aaad74e0600ee2addcfc08030683d630f9ec |
C:\Users\Admin\AppData\Local\Temp\2_41\lpwbjuoh.nij
| MD5 | 7c96d13a20336ad9faebd5e285971268 |
| SHA1 | 8409f340067cb2504d6ef27868c619cb76983074 |
| SHA256 | d82b29c882634308da49dcdf9ba8c185785cc4d7f8ec3a9cc2bf879ffecae582 |
| SHA512 | b96138c07fff116944fac53df077cd5e6012e7c8c0a11af324ca80a095fe650fb256beda6f0d56b9be03965a0ef7b5d87d69cfc08dfc59d9756f317bfeb87465 |
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs
| MD5 | c03b2eecc2088d3a7d9b13cad82e52a3 |
| SHA1 | 1f02fa3c133606411f31dd7f779940bd614fcb3b |
| SHA256 | 1884da07b862d8c4075ea87cea80c47b0f8157976d60e0fc30645eb04515bb06 |
| SHA512 | 81c3bb353b66519861b2949c9f3928ad1338a4afd70d213ca87529d84bb54933463f7ab79104b48319fb7e39d7dce833047a8d189e5778924b4275523b9ae855 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-16 17:16
Reported
2022-11-16 17:18
Platform
win7-20221111-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
NanoCore
WSHRAT
WSHRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\temp\2_41\test file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs | C:\Windows\SysWOW64\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A |
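The Run-key rows above, together with the Startup-folder drop and the schtasks command line recorded elsewhere on this page, are the persistence set an analyst would want to pull out of the report mechanically rather than by eye. The Python below is an added triage example, not part of the sandbox output; it parses the report's own indicator strings (copied in as constructed sample input) into hive, value name, script host, the silent `//B` switch and the script path, and assembles a deduplicated list of registry values, files and task names to hunt for on a host. `RunKeyEntry`, `hunt_list` and the `SCRIPT_HOSTS` set are my own names.

```python
"""Pull persistence artefacts out of sandbox signature rows (added example)."""
import re
from dataclasses import dataclass

# Constructed sample input: indicator strings copied from this report's
# "Adds Run key", "Drops startup file" and "Creates scheduled task(s)" rows.
RUN_KEY_INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\software\microsoft\windows\currentversion\run',
    r'\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\""',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmBqH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WmBqH.vbs\""',
]
STARTUP_DROPS = [
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs',
]
SCHTASKS_CMDLINE = r'"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE15.tmp"'

# Value data in these reports is printed C-style escaped: \\ for a backslash, \" for a quote.
RUN_KEY_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER\\S-1-5-21-[\d-]+|MACHINE)\\'
    r'(?P<subkey>.*?\\CurrentVersion\\Run)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"$',
    re.IGNORECASE,
)
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe', 'mshta.exe'}  # my list of script hosts


@dataclass(frozen=True)
class RunKeyEntry:
    hive: str      # 'HKCU' or 'HKLM'
    subkey: str    # path below the hive, as printed in the report
    wow64: bool    # lives under Wow6432Node, i.e. written by a 32-bit process
    name: str      # value name
    image: str     # executable the value launches
    silent: bool   # wscript //B: suppress script errors and prompts
    script: str    # first non-switch argument, the script handed to the host


def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)


def split_cmd(cmd):
    """Minimal Windows-style tokenizer: quoted runs or whitespace-separated words."""
    return [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_run_key(indicator):
    """Return a RunKeyEntry for a 'Set value' row, None for 'Key created' rows."""
    m = RUN_KEY_RE.match(indicator)
    if not m:
        return None
    tokens = split_cmd(unescape(m.group('data')))
    if not tokens:
        return None
    switches = {t.lower() for t in tokens[1:] if t.startswith('/')}
    return RunKeyEntry(
        hive='HKLM' if m.group('hive').upper() == 'MACHINE' else 'HKCU',
        subkey=m.group('subkey'),
        wow64='wow6432node' in m.group('subkey').lower(),
        name=m.group('name'),
        image=tokens[0].rsplit('\\', 1)[-1].lower(),
        silent='//b' in switches,
        script=next((t for t in tokens[1:] if not t.startswith('/')), ''),
    )


def parse_schtasks(cmdline):
    """Task name and XML definition path from a 'schtasks /create' command line."""
    tokens = split_cmd(cmdline)
    if not tokens or tokens[0].rsplit('\\', 1)[-1].lower() != 'schtasks.exe':
        return None
    opts = {}
    for i in range(1, len(tokens) - 1):
        if tokens[i].startswith('/') and not tokens[i + 1].startswith('/'):
            opts[tokens[i].lower()] = tokens[i + 1]
    return {'task': opts.get('/tn'), 'xml': opts.get('/xml'),
            'force': '/f' in {t.lower() for t in tokens}}


def hunt_list(run_indicators, startup_drops, schtasks_cmdline):
    """Deduplicated artefacts to check on a suspect host, grouped by mechanism."""
    found = {'run_keys': set(), 'files': set(), 'startup': set(startup_drops), 'tasks': set()}
    for ind in run_indicators:
        entry = parse_run_key(ind)
        if entry is None:
            continue  # "Key created" rows carry no value data
        found['run_keys'].add(f"{entry.hive}\\{entry.subkey}\\{entry.name}")
        if entry.image in SCRIPT_HOSTS and entry.script:
            found['files'].add(entry.script)
    task = parse_schtasks(schtasks_cmdline)
    if task and task['task']:
        found['tasks'].add(task['task'])
        if task['xml']:
            found['files'].add(task['xml'])  # the XML names the real action; collect it
    return found
```

Note that the value is written both under the user's HKCU Run key and under HKLM\SOFTWARE\Wow6432Node; the second only lands if the script host had the rights to write it, so a hunt should check both and not stop at the first hit. The scheduled task's XML file is listed alongside the script because the task name alone ("NTFS Monitor") says nothing about what the task actually runs.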
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\temp\2_41\test file.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1536 set thread context of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 912 set thread context of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 280 set thread context of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 856 set thread context of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\temp\2_41\test file.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\temp\2_41\test file.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe
"C:\Users\Admin\AppData\Local\Temp\3f73719885ad1f1beafd8f6b9589fd47.exe"
C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
"C:\Users\Admin\AppData\Local\temp\2_41\test file.exe" 伊莎贝拉25美分硬币是1893年铸造的一种美国纪念币，由联邦国会应芝加哥哥伦布纪念博览会女士经理人董事会的请求授权发行。
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\2_41\feudamoc.vbe"
C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
"C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe" xccsbp.vlf
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE15.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\WmBqH.vbs"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs"
C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE
"C:\Users\Admin\AppData\Local\Temp\2_41\FAKSDK~1.EXE" xccsbp.vlf
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| N/A | 156.96.44.168:6969 | concideritdone.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| N/A | 156.96.44.168:6969 | concideritdone.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | newmoney2033.duckdns.org | udp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| N/A | 156.96.44.168:6969 | concideritdone.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 127.0.0.1:6969 | N/A | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 127.0.0.1:6969 | N/A | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| N/A | 156.96.44.168:6969 | concideritdone.duckdns.org | tcp |
| N/A | 127.0.0.1:6969 | N/A | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| N/A | 156.96.44.168:6969 | concideritdone.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
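The table above is the sample's whole network footprint for this run: DNS lookups via 8.8.8.8, repeated TCP sessions to two duckdns.org names on ports 6969 and 5000, one lookup of ip-api.com, and a few rows that reached loopback and carry no domain. The Python below is an added triage example, not part of the report; it parses a constructed subset of these rows, tolerates rows whose Domain cell is missing or reads N/A, separates DNS, loopback and IP-lookup traffic from the C2 candidates, and counts sessions per endpoint. The `DYNDNS_SUFFIXES` and `GEOIP_SERVICES` lists are my own, not anything the sandbox emits.

```python
"""Turn a sandbox Network table into C2 indicators (added example)."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a subset of rows copied from this report's Network
# table, including one row whose Domain cell is missing.
NETWORK_ROWS = """
| N/A | 8.8.8.8:53 | concideritdone.duckdns.org | udp |
| N/A | 156.96.44.168:6969 | concideritdone.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 8.8.8.8:53 | newmoney2033.duckdns.org | udp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
| N/A | 127.0.0.1:6969 | tcp | |
| N/A | 156.96.44.168:6969 | concideritdone.duckdns.org | tcp |
| N/A | 192.99.255.74:5000 | newmoney2033.duckdns.org | tcp |
""".strip().splitlines()

DYNDNS_SUFFIXES = ('.duckdns.org', '.no-ip.org', '.ddns.net', '.hopto.org')  # my list
GEOIP_SERVICES = {'ip-api.com'}  # external-IP lookup: victim profiling, not C2 itself
PROTOS = {'tcp', 'udp'}


@dataclass(frozen=True)
class Flow:
    ip: str
    port: int
    proto: str
    domain: str  # '' when the row carried no name


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row, or return None.

    Rows that lost their Domain cell shift the protocol one column to the left,
    so the protocol is located by its value rather than by its position.
    """
    cells = [c.strip() for c in line.strip().strip('|').split('|')]
    if len(cells) < 3:
        return None
    ip, _, port = cells[1].rpartition(':')
    if not ip or not port.isdigit():
        return None  # header row or malformed destination
    if len(cells) > 3 and cells[3].lower() in PROTOS:
        domain, proto = cells[2], cells[3].lower()
    elif cells[2].lower() in PROTOS:
        domain, proto = '', cells[2].lower()
    else:
        return None
    if domain.upper() == 'N/A':
        domain = ''
    return Flow(ip, int(port), proto, domain.lower())


def classify(flow):
    if flow.proto == 'udp' and flow.port == 53:
        return 'dns-lookup'
    if flow.ip.startswith('127.'):
        return 'loopback'
    if flow.domain in GEOIP_SERVICES:
        return 'geoip-lookup'
    return 'c2-candidate'


def uses_dynamic_dns(domain):
    return domain.endswith(DYNDNS_SUFFIXES)


def endpoint_hits(rows):
    """Counter of (domain, ip, port, proto) -> number of rows, skipping bad lines."""
    flows = [f for f in map(parse_row, rows) if f]
    return Counter((f.domain, f.ip, f.port, f.proto) for f in flows)


def c2_indicators(rows):
    """Sorted unique C2 candidates with session count and a dynamic-DNS flag."""
    out = []
    for (domain, ip, port, proto), n in endpoint_hits(rows).items():
        if classify(Flow(ip, port, proto, domain)) == 'c2-candidate':
            out.append({'domain': domain, 'ip': ip, 'port': port, 'proto': proto,
                        'hits': n, 'dyndns': uses_dynamic_dns(domain)})
    return sorted(out, key=lambda d: (d['domain'], d['ip'], d['port']))
```

Both C2 candidates sit on dynamic-DNS names, so the domains are the durable indicator and the IPs should be treated as current-resolution only; blocking 156.96.44.168 and 192.99.255.74 without also blocking the names leaves the operator one DNS update away from reconnecting.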
Files
memory/1892-54-0x0000000075EC1000-0x0000000075EC3000-memory.dmp
\Users\Admin\AppData\Local\Temp\2_41\test file.exe
| MD5 | 1f09eca585c701bbbf4a63ce5e1771f6 |
| SHA1 | 8b3405e33b91e3d6b3860afa86e6c98a5e908abb |
| SHA256 | b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b |
| SHA512 | 4a28f0ea613ad9ad0f1f33dac804b6918da75a509cd7dea04bc9fc2cb89cffe85eacc187811baf8f4b6e9de22e51ec9fe2ab3939ec311eb0b7bb877aa3f2215c |
\Users\Admin\AppData\Local\Temp\2_41\test file.exe
| MD5 | 1f09eca585c701bbbf4a63ce5e1771f6 |
| SHA1 | 8b3405e33b91e3d6b3860afa86e6c98a5e908abb |
| SHA256 | b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b |
| SHA512 | 4a28f0ea613ad9ad0f1f33dac804b6918da75a509cd7dea04bc9fc2cb89cffe85eacc187811baf8f4b6e9de22e51ec9fe2ab3939ec311eb0b7bb877aa3f2215c |
\Users\Admin\AppData\Local\Temp\2_41\test file.exe
| MD5 | 1f09eca585c701bbbf4a63ce5e1771f6 |
| SHA1 | 8b3405e33b91e3d6b3860afa86e6c98a5e908abb |
| SHA256 | b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b |
| SHA512 | 4a28f0ea613ad9ad0f1f33dac804b6918da75a509cd7dea04bc9fc2cb89cffe85eacc187811baf8f4b6e9de22e51ec9fe2ab3939ec311eb0b7bb877aa3f2215c |
\Users\Admin\AppData\Local\Temp\2_41\test file.exe
| MD5 | 1f09eca585c701bbbf4a63ce5e1771f6 |
| SHA1 | 8b3405e33b91e3d6b3860afa86e6c98a5e908abb |
| SHA256 | b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b |
| SHA512 | 4a28f0ea613ad9ad0f1f33dac804b6918da75a509cd7dea04bc9fc2cb89cffe85eacc187811baf8f4b6e9de22e51ec9fe2ab3939ec311eb0b7bb877aa3f2215c |
C:\Users\Admin\AppData\Local\Temp\2_41\test file.exe
| MD5 | 1f09eca585c701bbbf4a63ce5e1771f6 |
| SHA1 | 8b3405e33b91e3d6b3860afa86e6c98a5e908abb |
| SHA256 | b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b |
| SHA512 | 4a28f0ea613ad9ad0f1f33dac804b6918da75a509cd7dea04bc9fc2cb89cffe85eacc187811baf8f4b6e9de22e51ec9fe2ab3939ec311eb0b7bb877aa3f2215c |
memory/2032-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\temp\2_41\test file.exe
| MD5 | 1f09eca585c701bbbf4a63ce5e1771f6 |
| SHA1 | 8b3405e33b91e3d6b3860afa86e6c98a5e908abb |
| SHA256 | b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b |
| SHA512 | 4a28f0ea613ad9ad0f1f33dac804b6918da75a509cd7dea04bc9fc2cb89cffe85eacc187811baf8f4b6e9de22e51ec9fe2ab3939ec311eb0b7bb877aa3f2215c |
memory/1640-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\temp\2_41\feudamoc.vbe
| MD5 | a56332f161b32fcd30f48ac8a66975e8 |
| SHA1 | 3c9dda1587ae925c492ffab42bb55ef27f54fe7f |
| SHA256 | 36893fd0ecb7b83e5af0581f5df677a65a01808e18edaa95530cdfdad45cf0a9 |
| SHA512 | 47b4584756bd2639f33f148911ff562a3a070b857112c51138ef228430b4b38b7eb3881917b0a159b5914b0f5a3591e85429ae231f202b20c59c10c05c2ddd92 |
memory/2032-66-0x0000000073B40000-0x00000000740EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
memory/1536-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
C:\Users\Admin\AppData\Local\Temp\2_41\xccsbp.vlf
| MD5 | e49659c07ebff776159f1beb52d42388 |
| SHA1 | d2e99e21830af1e4ae96f7a77c73ffe8ddd123a4 |
| SHA256 | 0d83d6e9ef379af14333b94d049547b5b8a4f35afcd25cc3b95ab2bf5e077117 |
| SHA512 | c6ee65e2cdcf68f78438de79b003ca6f7fb537746b927f715f25cb451a14e51150ff4e70c9df565b1ec86ed0997ab4860c244fcb2ed623f6719482fd94c12815 |
memory/1488-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE15.tmp
| MD5 | a220d91757de399952b90c35eeecf792 |
| SHA1 | ea298bd9a2e6bd50068452cd8a5b979796fada71 |
| SHA256 | 80682948d9e9a49fa0178623808cf4507fd6c1123b248abe4e8fa2bc52ef4c50 |
| SHA512 | c6cc0629c6696117a0f0e04ed1844a354ea4e202982463a0deb7a9196d35f007d4928f0556db4bcde94d3d5be4cda7d5d5157784a441035877f288c4f2aa22ac |
C:\Users\Admin\AppData\Local\Temp\2_41\lhjgib.jpg
| MD5 | 4f465f14923a494e8859dbba24220b73 |
| SHA1 | f48e8e8e3effea4198d7959522bb324832dde5f1 |
| SHA256 | 26a133075b6be4ce1eaa4db17934f0c04566b134956f3c812ec15ce49b18b38c |
| SHA512 | cb450623e42ffd8541519002e2e96aadcba69b6b8e4c8ee914d5b3a3f346646a64479e2c1095a1378023ce2dc6c5aaad74e0600ee2addcfc08030683d630f9ec |
memory/2032-76-0x0000000073B40000-0x00000000740EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2_41\lpwbjuoh.nij
| MD5 | 7c96d13a20336ad9faebd5e285971268 |
| SHA1 | 8409f340067cb2504d6ef27868c619cb76983074 |
| SHA256 | d82b29c882634308da49dcdf9ba8c185785cc4d7f8ec3a9cc2bf879ffecae582 |
| SHA512 | b96138c07fff116944fac53df077cd5e6012e7c8c0a11af324ca80a095fe650fb256beda6f0d56b9be03965a0ef7b5d87d69cfc08dfc59d9756f317bfeb87465 |
memory/1404-78-0x0000000000A60000-0x0000000001A60000-memory.dmp
memory/1404-80-0x0000000000A60000-0x0000000001A60000-memory.dmp
memory/1404-81-0x0000000000AE42BE-mapping.dmp
memory/1404-83-0x0000000000A60000-0x0000000001A60000-memory.dmp
memory/1404-85-0x0000000000A60000-0x0000000001A60000-memory.dmp
memory/1404-86-0x0000000000A60000-0x0000000000AEA000-memory.dmp
memory/1992-87-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1940-90-0x0000000000000000-mapping.dmp
memory/1900-91-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Local\Temp\2_41\run.vbs
| MD5 | c03b2eecc2088d3a7d9b13cad82e52a3 |
| SHA1 | 1f02fa3c133606411f31dd7f779940bd614fcb3b |
| SHA256 | 1884da07b862d8c4075ea87cea80c47b0f8157976d60e0fc30645eb04515bb06 |
| SHA512 | 81c3bb353b66519861b2949c9f3928ad1338a4afd70d213ca87529d84bb54933463f7ab79104b48319fb7e39d7dce833047a8d189e5778924b4275523b9ae855 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
memory/912-99-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
memory/1812-105-0x00000000004642BE-mapping.dmp
memory/1812-104-0x00000000003E0000-0x00000000013E0000-memory.dmp
memory/1812-107-0x00000000003E0000-0x00000000013E0000-memory.dmp
memory/1812-109-0x00000000003E0000-0x00000000013E0000-memory.dmp
memory/1812-110-0x00000000003E0000-0x000000000046A000-memory.dmp
memory/2044-111-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/940-114-0x0000000000000000-mapping.dmp
memory/592-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
memory/280-119-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/1144-125-0x0000000000390000-0x0000000001390000-memory.dmp
memory/1144-126-0x00000000004142BE-mapping.dmp
memory/1144-128-0x0000000000390000-0x0000000001390000-memory.dmp
memory/1144-130-0x0000000000390000-0x0000000001390000-memory.dmp
memory/1144-131-0x0000000000390000-0x000000000041A000-memory.dmp
memory/2020-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/2044-135-0x0000000000000000-mapping.dmp
memory/2036-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
memory/856-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
memory/1316-147-0x00000000003442BE-mapping.dmp
memory/1316-146-0x00000000002C0000-0x00000000012C0000-memory.dmp
memory/1316-149-0x00000000002C0000-0x00000000012C0000-memory.dmp
memory/1316-151-0x00000000002C0000-0x00000000012C0000-memory.dmp
memory/1316-152-0x00000000002C0000-0x000000000034A000-memory.dmp
memory/1936-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/812-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
memory/300-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmBqH.vbs
| MD5 | a2c40a28f05614c3d68c9c9727fa9584 |
| SHA1 | c9d7c014564072d2ea951ede6718632c20a5cd48 |
| SHA256 | 40a21327272d9c522a6061a595c640a33780a59a1cab0cc93706bb28a67891b7 |
| SHA512 | 36beb41f0679d04fb60ebfdd0f60eb7b862591bc91bd1c93b66619213d13ef7a4b0b81d8c38d4a65870bb6163d00234af2f8fbccdb11311d4d0a12f8ee13c2aa |
\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
memory/1108-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2_41\faksdkoas.exe
| MD5 | 04f0c3f70461916af763532c37542cbc |
| SHA1 | cc224f14986caa4bb5a5f74ba987702492938d8b |
| SHA256 | 9627afb0cbf7be37b214254ec758cd1b33bde61eff49cca58c87e66e670073a9 |
| SHA512 | 86219a977a82447294b314f5a610ab58ab9e6ff93f9c480eb50910954b1c861cd91148315b68e5c64e0a6f96c6b0d652de22fbc04c6f493092703784737b034e |
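The four "set thread context" rows in this run all name RegSvcs.exe as the target, and for each target PID (1404, 1812, 1144, 1316) the Files list above carries a mapping.dmp whose address is not 0x0 plus a memory.dmp region that contains it. The Python below is an added example, not part of the sandbox output; it joins those two lists (copied as constructed sample input) to recover, per hollowed process, the injector, the injected entry point, the smallest dumped region around it and the entry point's offset inside that region. Reading the mapping.dmp address as the start address the new thread context pointed at is my assumption about the report's file-naming, not something the page states; under that assumption the offset and region size come out identical for all four targets, which is what one payload mapped at four different bases looks like.

```python
"""Correlate SetThreadContext targets with dumped memory regions (added example)."""
import re
from collections import defaultdict

# Constructed sample input copied from this report: the SetThreadContext rows and
# the memory-dump file names for the four target PIDs, plus one unrelated PID.
SET_CONTEXT_ROWS = [
    "PID 1536 set thread context of 1404",
    "PID 912 set thread context of 1812",
    "PID 280 set thread context of 1144",
    "PID 856 set thread context of 1316",
]
MEMORY_FILES = """
memory/1404-78-0x0000000000A60000-0x0000000001A60000-memory.dmp
memory/1404-81-0x0000000000AE42BE-mapping.dmp
memory/1404-86-0x0000000000A60000-0x0000000000AEA000-memory.dmp
memory/1812-104-0x00000000003E0000-0x00000000013E0000-memory.dmp
memory/1812-105-0x00000000004642BE-mapping.dmp
memory/1812-110-0x00000000003E0000-0x000000000046A000-memory.dmp
memory/1144-125-0x0000000000390000-0x0000000001390000-memory.dmp
memory/1144-126-0x00000000004142BE-mapping.dmp
memory/1144-131-0x0000000000390000-0x000000000041A000-memory.dmp
memory/1316-146-0x00000000002C0000-0x00000000012C0000-memory.dmp
memory/1316-147-0x00000000003442BE-mapping.dmp
memory/1316-152-0x00000000002C0000-0x000000000034A000-memory.dmp
memory/1992-87-0x0000000000000000-mapping.dmp
""".split()

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
MAP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp")
REGION_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_injections(rows):
    """(injector PID, target PID) for every SetThreadContext row."""
    pairs = []
    for row in rows:
        m = CTX_RE.search(row)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def parse_memory(files):
    """Split dump names into per-PID mapping addresses and dumped regions."""
    mapping = {}                 # pid -> address recorded in the mapping.dmp name
    regions = defaultdict(list)  # pid -> [(start, end), ...]
    for name in files:
        if m := MAP_RE.fullmatch(name):
            mapping[int(m.group(1))] = int(m.group(2), 16)
        elif m := REGION_RE.fullmatch(name):
            regions[int(m.group(1))].append((int(m.group(2), 16), int(m.group(3), 16)))
    return mapping, regions


def hollowing_report(ctx_rows, mem_files):
    """Per target PID: injector, entry point, enclosing region and entry RVA."""
    mapping, regions = parse_memory(mem_files)
    report = {}
    for injector, target in parse_injections(ctx_rows):
        entry = mapping.get(target)
        # Assumption: the smallest dumped region containing the entry point is the
        # payload image; the larger region is the 16 MiB window the sandbox dumped.
        enclosing = [r for r in regions.get(target, [])
                     if entry is not None and r[0] <= entry < r[1]]
        image = min(enclosing, key=lambda r: r[1] - r[0]) if enclosing else None
        report[target] = {
            "injector": injector,
            "entry": entry,
            "image": image,
            "image_size": image[1] - image[0] if image else None,
            "entry_rva": entry - image[0] if image else None,
        }
    return report


def shared_payload(report):
    """Distinct (entry RVA, image size) pairs; a single pair means one payload."""
    return {(v["entry_rva"], v["image_size"]) for v in report.values() if v["image"]}
```

The practical use is picking which dump to carve: the small region for any one target PID is the same image four times over, so one extraction (and one hash) covers all four RegSvcs.exe instances, and the entry RVA is the address to start disassembly from after the image is rebased.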