Analysis Overview
SHA256
3f46a97262f63e425b761c1df6f1ca615565f376e737a254e659a38fcc2fdf04
Threat Level: Known bad
The file 26112024_0200_D24112509FA.js.rar was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Wshrat family
WSHRAT
Asyncrat family
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Drops startup file
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: JavaScript
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-26 02:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-26 02:00
Reported
2024-11-26 02:05
Platform
win7-20241010-en
Max time kernel
297s
Max time network
304s
Command Line
Signatures
AsyncRat
Asyncrat family
WSHRAT
Wshrat family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2836 set thread context of 592 | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe |
| PID 936 set thread context of 616 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|28AB9D10|BCXRJFKE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\D24112509FA.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF02.tmp"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE669.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp558F.tmp"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\svchost.js
| MD5 | 198a3620008e85b96e716688e6c9f8bb |
| SHA1 | e61d0552a7aa2b4815e21fd955e335679af56d5e |
| SHA256 | a28853b5fb6657f6491856b90e64381c197a3f7aa40a0a09199a5e9d61502bd3 |
| SHA512 | fa3d09906173ea98277266366daf5b47c9d44387b83fda3a1ec5a1ef6dda08b20f2b6344b6138421a0b98f16e44e0b147280ef490d9902ddfdca1268590cfbbc |
C:\Users\Admin\AppData\Local\Temp\adobe.js
| MD5 | 98d77a83c389bb812e0838c391b73258 |
| SHA1 | f543f656670ab8abfc78b06d8331b4c4a70c3df2 |
| SHA256 | 177fa36898fbdb539116997091efff95984ccbd64a8a2b022f0557424a6fd915 |
| SHA512 | 5f0bdc882df3a6eb86645d765b5c7d320c62ac278e8bee43e11742236dc60d1209ee7be50e7540ac94f710ab46280f5e5b46f8913d30a23c25b1403de4842ea8 |
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
| MD5 | 3a581f3b380d9e4f8ad2eb3962398b90 |
| SHA1 | c1842a583d793972040d03a4901b0b63f0e97d65 |
| SHA256 | 7ac3a47cb8196aae573d5855ce43ac0498f18281e4b9ff626f53eaf220c1fdc5 |
| SHA512 | 7b03db127ccb8d1f98f465a52a82187cdb12ce17b651353db25a29d59e37cc1119aa9454d05a04853e5d0ffbbdba45833a10ea6e08e10b13878f7f5b7acb3a2e |
memory/2836-20-0x0000000000C00000-0x0000000000C9C000-memory.dmp
memory/2836-21-0x0000000000890000-0x00000000008AC000-memory.dmp
memory/2836-24-0x0000000004B90000-0x0000000004BE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCF02.tmp
| MD5 | 1203e26ab2c04e33b762daa88dcbdf07 |
| SHA1 | e158bf86e999f805d0aea51f1173af0acfbaa7ad |
| SHA256 | 81a0e5b12d740c02782321e748253da506f9e240539d56a651806fe74e5189dd |
| SHA512 | b49dbb75aa8e6a6eb3ae5e49b6f78a0cbdf558a4f3ef535c03fdfd9208a3d4deb37df8c9c6fb12ccb8fadd5a323ee7b060755858407f642dd7b31b42da3ac46b |
memory/592-37-0x0000000000400000-0x0000000000412000-memory.dmp
memory/592-39-0x0000000000400000-0x0000000000412000-memory.dmp
memory/592-46-0x0000000000400000-0x0000000000412000-memory.dmp
memory/592-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/592-43-0x0000000000400000-0x0000000000412000-memory.dmp
memory/592-41-0x0000000000400000-0x0000000000412000-memory.dmp
memory/592-48-0x0000000000400000-0x0000000000412000-memory.dmp
memory/592-49-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE669.tmp.bat
| MD5 | ba67a71ee38538caff7b6922650ca40d |
| SHA1 | 43a6a7f127dd93ebfcbd768aad6f4484c73f64bb |
| SHA256 | bfd376001aa9b79f31aa8199ed9a83d5a7b32c5d4744b8be8aef46de227f955b |
| SHA512 | c1f742ef22f1fb2e46e0d857aa31d43e2679d0754ebefd871167466659bd9de5ae2a927b57a17939d695b0b081bb9bcc6c0c948974f4733b346c7c7c3cf3ef45 |
memory/936-64-0x00000000001A0000-0x000000000023C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | e1cc47efa3a1b15e61cc7937f0d54aed |
| SHA1 | b9dee62897ef5e5a974343853c43226ee80015f7 |
| SHA256 | d36c8d105d8b1df496f42317b98309e5a8ddcfba5e46792066d3b251a44e913a |
| SHA512 | e8f6f50cedc10f77d1fcd10d73ccd89fbd20219f6265e467aa6bca7bd769e10085e527e7698d1123cf5c04ce5c8af089a89f279d51d6cec524b9265438dd29f5 |
memory/616-89-0x0000000000400000-0x0000000000412000-memory.dmp
memory/616-87-0x0000000000400000-0x0000000000412000-memory.dmp
memory/616-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-26 02:00
Reported
2024-11-26 02:05
Platform
win10v2004-20241007-en
Max time kernel
298s
Max time network
300s
Command Line
Signatures
AsyncRat
Asyncrat family
WSHRAT
Wshrat family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1968 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe |
| PID 620 set thread context of 4640 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\D24112509FA.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1364.tmp"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp249A.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp90D1.tmp"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.14.246.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.14.67:7044 | chongmei33.publicvm.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\adobe.js
| MD5 | 98d77a83c389bb812e0838c391b73258 |
| SHA1 | f543f656670ab8abfc78b06d8331b4c4a70c3df2 |
| SHA256 | 177fa36898fbdb539116997091efff95984ccbd64a8a2b022f0557424a6fd915 |
| SHA512 | 5f0bdc882df3a6eb86645d765b5c7d320c62ac278e8bee43e11742236dc60d1209ee7be50e7540ac94f710ab46280f5e5b46f8913d30a23c25b1403de4842ea8 |
C:\Users\Admin\AppData\Local\Temp\svchost.js
| MD5 | 198a3620008e85b96e716688e6c9f8bb |
| SHA1 | e61d0552a7aa2b4815e21fd955e335679af56d5e |
| SHA256 | a28853b5fb6657f6491856b90e64381c197a3f7aa40a0a09199a5e9d61502bd3 |
| SHA512 | fa3d09906173ea98277266366daf5b47c9d44387b83fda3a1ec5a1ef6dda08b20f2b6344b6138421a0b98f16e44e0b147280ef490d9902ddfdca1268590cfbbc |
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
| MD5 | 3a581f3b380d9e4f8ad2eb3962398b90 |
| SHA1 | c1842a583d793972040d03a4901b0b63f0e97d65 |
| SHA256 | 7ac3a47cb8196aae573d5855ce43ac0498f18281e4b9ff626f53eaf220c1fdc5 |
| SHA512 | 7b03db127ccb8d1f98f465a52a82187cdb12ce17b651353db25a29d59e37cc1119aa9454d05a04853e5d0ffbbdba45833a10ea6e08e10b13878f7f5b7acb3a2e |
memory/1968-25-0x0000000000620000-0x00000000006BC000-memory.dmp
memory/1968-26-0x0000000005580000-0x0000000005B24000-memory.dmp
memory/1968-27-0x00000000050B0000-0x0000000005142000-memory.dmp
memory/1968-28-0x0000000005250000-0x000000000525A000-memory.dmp
memory/1968-29-0x0000000005320000-0x00000000053BC000-memory.dmp
memory/1968-30-0x0000000005400000-0x000000000541C000-memory.dmp
memory/1968-33-0x00000000066E0000-0x0000000006736000-memory.dmp
memory/2876-40-0x0000000002DC0000-0x0000000002DF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1364.tmp
| MD5 | c97e107f48f25ff6e58b731ab62b9443 |
| SHA1 | ef3e645e8c87d685499476249a8a739c58b954b3 |
| SHA256 | 14452927e3f0ec21efe6eba7fabe485f5cf36a7bd0513ce440e9089aba4af772 |
| SHA512 | 903bc20d9e638a27306a123f5340742a1f4339b56fb2b8cdbdd40cba0ef3c645eae94af8b5d38919e951498e3d0f372c43fd02be9f1c5a8d5deb799f99defb29 |
memory/2876-42-0x0000000005790000-0x0000000005DB8000-memory.dmp
memory/2940-47-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2876-51-0x00000000056B0000-0x0000000005716000-memory.dmp
memory/2876-52-0x0000000005DC0000-0x0000000005E26000-memory.dmp
memory/2876-50-0x0000000005610000-0x0000000005632000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rzmwj5tt.jdh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2876-61-0x00000000060B0000-0x0000000006404000-memory.dmp
memory/2876-63-0x00000000066F0000-0x000000000670E000-memory.dmp
memory/2876-64-0x0000000006780000-0x00000000067CC000-memory.dmp
memory/2876-65-0x00000000076A0000-0x00000000076D2000-memory.dmp
memory/2876-66-0x00000000713F0000-0x000000007143C000-memory.dmp
memory/2876-76-0x0000000006C90000-0x0000000006CAE000-memory.dmp
memory/2876-77-0x00000000078E0000-0x0000000007983000-memory.dmp
memory/2876-78-0x0000000008060000-0x00000000086DA000-memory.dmp
memory/2876-79-0x0000000007A10000-0x0000000007A2A000-memory.dmp
memory/2876-80-0x0000000007A90000-0x0000000007A9A000-memory.dmp
memory/2876-82-0x0000000007C90000-0x0000000007D26000-memory.dmp
memory/2876-83-0x0000000007C10000-0x0000000007C21000-memory.dmp
memory/2876-84-0x0000000007C40000-0x0000000007C4E000-memory.dmp
memory/2876-85-0x0000000007C50000-0x0000000007C64000-memory.dmp
memory/2876-86-0x0000000007D50000-0x0000000007D6A000-memory.dmp
memory/2876-87-0x0000000007D30000-0x0000000007D38000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ucopa.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
C:\Users\Admin\AppData\Local\Temp\tmp249A.tmp.bat
| MD5 | ccbac148320449e5b7f2d3c5a95ceaba |
| SHA1 | eadd318e7564770145e8a1f9c7cace175a6566e2 |
| SHA256 | 81649a3c0a939d48e407aa8010a3848ee932263c627af3f5009d7bf566b118ad |
| SHA512 | 0cd4f7b3448b1476691455b7c1ded3449ae92da6067a1b373f77eddb7e1a65404bf12e0a79a6eab11156da05a14a2769ac67f663f8c7efc1db90c79800627fd0 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b33fcc472b6b5f0a74be9ea18de4bf7d |
| SHA1 | de49ad1f848998484a347e5d5695752f1189ff4a |
| SHA256 | a5027aac97d4276d92c9f82b6630da0e155145b7fa059be43a65f86d177d1154 |
| SHA512 | 31757728f1e9fbc9c5b79f61b3a8646378dfa38d18f816ba85a3fe4e42389ee60b90528024bc76a55e636a415b4d3062c4ed53abe5a153e50a94ef6edc30c3c8 |
memory/4104-119-0x00000000061B0000-0x00000000061FC000-memory.dmp
memory/4104-120-0x0000000071A50000-0x0000000071A9C000-memory.dmp
memory/4104-130-0x00000000071C0000-0x00000000071D1000-memory.dmp
memory/4104-131-0x0000000007200000-0x0000000007214000-memory.dmp