Malware Analysis Report

2025-06-16 06:17

Sample ID: 230503-ppgegaef86
Target: e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe
SHA256: e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395
Tags: darkcloud, persistence, stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395

Threat Level: Known bad

The file e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe was found to be: Known bad.

Malicious Activity Summary

Tags: darkcloud, persistence, stealer

DarkCloud

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2023-05-03 12:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-05-03 12:30
Reported: 2023-05-03 12:32
Platform: win7-20230220-en
Max time kernel: 35s
Max time network: 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe"

Signatures

DarkCloud (tags: stealer, darkcloud)

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\kjnoepc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\wdnwqnp.msc" | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1360 set thread context of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1360 set thread context of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2012 wrote to memory of 300 (x4) | N/A | C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe | C:\Windows\SysWOW64\wscript.exe
PID 300 wrote to memory of 1360 (x4) | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif
PID 1360 wrote to memory of 1792 (x7) | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1360 wrote to memory of 1144 (x12) | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1360 wrote to memory of 1792 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe

"C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" Update-ru.u.vbe

C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

"C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif" wdnwqnp.msc

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\temp\vsbo\Update-ru.u.vbe

MD5 fd341bcb4b6d49d85ce7a6f5cd41189c
SHA1 61bb21e3a95a482ee2bd56afa5988ce3d6d70305
SHA256 49682c4ff8ce861f43dfebae6bd90b6ad4d5767dd1c23d88b8ee7c8c700840fa
SHA512 27993836fd1d58e6e296736df124c49e3aa75fd1f8cb70074cfb0007b238ab842560aae1fc7e29cc06d37358811cf9f7005944517d46b79f8669373ef9c67b14

C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

MD5 b89e79a5a62c0264887be1c4ffae159d
SHA1 d682713d6dce62f880e3c47f0745f0869a928167
SHA256 1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99
SHA512 dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

C:\Users\Admin\AppData\Local\Temp\vsbo\wdnwqnp.msc

MD5 ff9335ab2246b275af6f3d74ae9a990e
SHA1 214327ef48e858f8e980ee97b174225441770dbb
SHA256 c6cf8e1b8c95ad76f9bf1cd8d2e8aa59d08b5a6d968cae992415dc9d8a7167e5
SHA512 97ffb7effd04cf3108b7b84911b3bccbbe16f919322cc489695f9c63826472a1c891da82b85cb1ac041fad934a911566d587124627c5cc4c66d5d6d3e197dc15

C:\Users\Admin\AppData\Local\Temp\vsbo\oejuf.pdf

MD5 91e9ffe8f25752e6bf3b68772c1597c3
SHA1 3e4b2f8c1fa1f43b2446c31892a12c53c19d70b0
SHA256 e0bf95af30877dc005c3a4188b07acec9f8304c6077f94bb6601141945b94669
SHA512 8c15224737894a0f0b2a8f9a771d22b16ed8acbeba70d660e73fadf3905aa550ef574dc1cb1935f89d9ca47dfe3a81b63687591a5f62a6e81afad59d9651b09a

C:\Users\Admin\AppData\Local\Temp\vsbo\KMEDFD~1.PHQ

MD5 eaead7d8d4ba97c305489a6ddbd159b2
SHA1 0fba620f34155f5b713bc9f100ac645689a6597a
SHA256 79958339e5bc02f83b8503ee985901e10697cb7d69b5257c24c90576f7311e93
SHA512 1c7f5ec4e7336a6cec7c765ed6c7ec903f9cef28bd961ea269b11ec9a53311f438f0f8a25cfec7ecc62049914b9cf7f50b95ef42d2bb8265583201d304952190

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

memory/1144-126-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1144-127-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1144-128-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1144-130-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1144-131-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1792-134-0x0000000000400000-0x0000000000B08000-memory.dmp

memory/1144-135-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1792-137-0x0000000000400000-0x0000000000B08000-memory.dmp

memory/1792-141-0x0000000000400000-0x0000000000B08000-memory.dmp

memory/1144-143-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1144-145-0x0000000000400000-0x0000000000460000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-05-03 12:30
Reported: 2023-05-03 12:32
Platform: win10v2004-20230220-en
Max time kernel: 148s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe"

Signatures

DarkCloud (tags: stealer, darkcloud)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A

Adds Run key to start application (tag: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\kjnoepc.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\vsbo\\wdnwqnp.msc" | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3684 set thread context of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3684 set thread context of 4368 | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1808 wrote to memory of 3640 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe | C:\Windows\SysWOW64\wscript.exe
PID 3640 wrote to memory of 3684 (x3) | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif
PID 3684 wrote to memory of 4368 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3684 wrote to memory of 544 (x8) | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 3684 wrote to memory of 4368 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif | C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe

"C:\Users\Admin\AppData\Local\Temp\e252f48fe8a25ff6a0c9828d040da74813eef04ff1129323580f706fd5aeb395.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" Update-ru.u.vbe

C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

"C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif" wdnwqnp.msc

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 13.89.179.9:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp

Files

C:\Users\Admin\AppData\Local\temp\vsbo\Update-ru.u.vbe

MD5 fd341bcb4b6d49d85ce7a6f5cd41189c
SHA1 61bb21e3a95a482ee2bd56afa5988ce3d6d70305
SHA256 49682c4ff8ce861f43dfebae6bd90b6ad4d5767dd1c23d88b8ee7c8c700840fa
SHA512 27993836fd1d58e6e296736df124c49e3aa75fd1f8cb70074cfb0007b238ab842560aae1fc7e29cc06d37358811cf9f7005944517d46b79f8669373ef9c67b14

C:\Users\Admin\AppData\Local\Temp\vsbo\kjnoepc.pif

MD5 b89e79a5a62c0264887be1c4ffae159d
SHA1 d682713d6dce62f880e3c47f0745f0869a928167
SHA256 1f9a620903c2defc3ea97a961205123fe7b259105ce2d2ad1b60a79ca9177b99
SHA512 dae109a8d73128e879a90f38fe2471c70edcf9cc5f1a08a4e4144450afa0f61860536e58be280791677047b45fcc83326790b1efa81506cf499761d289eaf085

C:\Users\Admin\AppData\Local\Temp\vsbo\wdnwqnp.msc

MD5 ff9335ab2246b275af6f3d74ae9a990e
SHA1 214327ef48e858f8e980ee97b174225441770dbb
SHA256 c6cf8e1b8c95ad76f9bf1cd8d2e8aa59d08b5a6d968cae992415dc9d8a7167e5
SHA512 97ffb7effd04cf3108b7b84911b3bccbbe16f919322cc489695f9c63826472a1c891da82b85cb1ac041fad934a911566d587124627c5cc4c66d5d6d3e197dc15

C:\Users\Admin\AppData\Local\Temp\vsbo\oejuf.pdf

MD5 91e9ffe8f25752e6bf3b68772c1597c3
SHA1 3e4b2f8c1fa1f43b2446c31892a12c53c19d70b0
SHA256 e0bf95af30877dc005c3a4188b07acec9f8304c6077f94bb6601141945b94669
SHA512 8c15224737894a0f0b2a8f9a771d22b16ed8acbeba70d660e73fadf3905aa550ef574dc1cb1935f89d9ca47dfe3a81b63687591a5f62a6e81afad59d9651b09a

C:\Users\Admin\AppData\Local\Temp\vsbo\KMEDFD~1.PHQ

MD5 eaead7d8d4ba97c305489a6ddbd159b2
SHA1 0fba620f34155f5b713bc9f100ac645689a6597a
SHA256 79958339e5bc02f83b8503ee985901e10697cb7d69b5257c24c90576f7311e93
SHA512 1c7f5ec4e7336a6cec7c765ed6c7ec903f9cef28bd961ea269b11ec9a53311f438f0f8a25cfec7ecc62049914b9cf7f50b95ef42d2bb8265583201d304952190

memory/544-200-0x0000000000400000-0x0000000000460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5 9d352bc46709f0cb5ec974633a0c3c94
SHA1 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

memory/4368-203-0x0000000000400000-0x0000000000B08000-memory.dmp

memory/544-205-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4368-207-0x0000000000400000-0x0000000000B08000-memory.dmp

memory/544-212-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4368-213-0x0000000000400000-0x0000000000B08000-memory.dmp

memory/544-214-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4368-215-0x0000000000400000-0x0000000000B08000-memory.dmp