Malware Analysis Report

2024-10-19 09:24

Sample ID 230810-qn7qpseh6y
Target wis2war.vbs
SHA256 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
Tags: warzonerat wshrat infostealer persistence rat spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b

Threat Level: Known bad

The file wis2war.vbs was found to be: Known bad.

Malicious Activity Summary

warzonerat wshrat infostealer persistence rat spyware stealer trojan

WSHRAT

WarzoneRat, AveMaria

Warzone RAT payload

Blocklisted process makes network request

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-10 13:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-10 13:25
Reported: 2023-08-10 13:28
Platform: win7-20230712-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wis2war.vbs"

Signatures

WSHRAT

trojan wshrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wis2war.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wis2war.vbs | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
N/A | N/A | C:\ProgramData\images.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\wis2war = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wis2war.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wis2war = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wis2war.vbs\"" | C:\Windows\System32\WScript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\images.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2204 wrote to memory of 2028 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 2028 wrote to memory of 3060 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe
PID 3060 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | C:\ProgramData\images.exe
PID 2976 wrote to memory of 2268 | N/A | C:\ProgramData\images.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wis2war.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | chongmei33.publicvm.com | udp
SG | 103.47.144.15:7045 | chongmei33.publicvm.com | tcp
SG | 103.47.144.15:49746 | chongmei33.publicvm.com | tcp
NL | 142.251.39.100:80 | www.google.com | tcp
NL | 5.206.225.104:80 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\aug.vbs

MD5 2725abf432ceeca35be3ac737c3f0847
SHA1 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0
SHA256 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516
SHA512 a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

memory/2268-77-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2268-79-0x00000000000F0000-0x00000000000F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wis2war.vbs

MD5 72fab82acb233fa5b2d7aeb5cecf14bb
SHA1 dd7e2daa860b045e8b683407ab653c75df13256a
SHA256 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
SHA512 534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6AGJ71Z\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

memory/2976-101-0x0000000002D30000-0x0000000002DB4000-memory.dmp

memory/2976-106-0x0000000002D30000-0x0000000002DB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-08-10 13:25
Reported: 2023-08-10 13:28
Platform: win10v2004-20230703-en
Max time kernel: 151s
Max time network: 153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wis2war.vbs"

Signatures

WSHRAT

trojan wshrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wis2war.vbs | C:\Windows\System32\WScript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wis2war.vbs | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
N/A | N/A | C:\ProgramData\images.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wis2war = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wis2war.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wis2war = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wis2war.vbs\"" | C:\Windows\System32\WScript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\images.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wis2war.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aug.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | chongmei33.publicvm.com | udp
SG | 103.47.144.15:7045 | chongmei33.publicvm.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.144.47.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
SG | 103.47.144.15:49746 | chongmei33.publicvm.com | tcp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
NL | 142.251.39.100:80 | www.google.com | tcp
NL | 5.206.225.104:80 | N/A | tcp
US | 8.8.8.8:53 | 126.152.241.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
SG | 103.47.144.15:7045 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\aug.vbs

MD5 2725abf432ceeca35be3ac737c3f0847
SHA1 608ac3ed1248b3c35deec3ee55070d52b2c9d1a0
SHA256 6eaa55f7bd4117835ac0116d85b20fdcc35e1c461379dbac106d2c2c51d60516
SHA512 a014a6c2a10f9efe9ca85f4da5505fb2eb6071342b7f4dce0b48446d4462ba26fc1e44a1ba9833d6ab623d2d75c0643c488e46d1995fb20bfd0ed8d8f517b0e2

C:\Users\Admin\AppData\Local\Tempwinlogon.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

C:\ProgramData\images.exe

MD5 20390c8434f741d1abee9c8d48248bdb
SHA1 10577df5ed0ecba6a3da8552d112bd5e00e793d2
SHA256 ab87db3a4dc092240719fe8d9f0192b15dbeaa25ee21ef6607ef5e2cb6f775e3
SHA512 e1cd502740eb8bc267c7ca61c1781225f598b17948b0c6f99d8495efb27181a34075b7b5a89b775e1b9ac7cccfb5f2cc32fb61dbdf8cda9ac795349745bdd98b

memory/1652-152-0x00000000009F0000-0x00000000009F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wis2war.vbs

MD5 72fab82acb233fa5b2d7aeb5cecf14bb
SHA1 dd7e2daa860b045e8b683407ab653c75df13256a
SHA256 35dd9286ed2d79a748a02cd32a9418e39a1b91d237f9ee67d2f305fc4b659f0b
SHA512 534c935688b227edaa3b77ba95b3de95ae1cf34a8614e906986c8448c54a64a5c4811d3d5ff79ea232160722173370e0dc3ae3b157ed12d789848034a6479ed4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7QVM26BR\json[1].json

MD5 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1 a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256 f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3

memory/2152-168-0x0000000004190000-0x0000000004214000-memory.dmp

memory/2152-176-0x0000000004190000-0x0000000004214000-memory.dmp