Analysis Overview
SHA256
a1799891e1d46497c6aff689f8aacda09ef5e825dd700d6fce2aa3e4ddf638b6
Threat Level: Known bad
The file D24112509FA.js was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
AsyncRat
WSHRAT
Wshrat family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: JavaScript
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Script User-Agent
Modifies registry class
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-26 08:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-26 08:01
Reported
2024-11-26 08:03
Platform
win7-20240729-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
AsyncRat
Asyncrat family
WSHRAT
Wshrat family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2712 set thread context of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe |
| PID 2088 set thread context of 1484 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|90CEF4C3|XECUDNCD|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\D24112509FA.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC764.tmp"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD6A0.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp426D.tmp"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\adobe.js
| MD5 | 98d77a83c389bb812e0838c391b73258 |
| SHA1 | f543f656670ab8abfc78b06d8331b4c4a70c3df2 |
| SHA256 | 177fa36898fbdb539116997091efff95984ccbd64a8a2b022f0557424a6fd915 |
| SHA512 | 5f0bdc882df3a6eb86645d765b5c7d320c62ac278e8bee43e11742236dc60d1209ee7be50e7540ac94f710ab46280f5e5b46f8913d30a23c25b1403de4842ea8 |
C:\Users\Admin\AppData\Local\Temp\svchost.js
| MD5 | 198a3620008e85b96e716688e6c9f8bb |
| SHA1 | e61d0552a7aa2b4815e21fd955e335679af56d5e |
| SHA256 | a28853b5fb6657f6491856b90e64381c197a3f7aa40a0a09199a5e9d61502bd3 |
| SHA512 | fa3d09906173ea98277266366daf5b47c9d44387b83fda3a1ec5a1ef6dda08b20f2b6344b6138421a0b98f16e44e0b147280ef490d9902ddfdca1268590cfbbc |
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
| MD5 | 3a581f3b380d9e4f8ad2eb3962398b90 |
| SHA1 | c1842a583d793972040d03a4901b0b63f0e97d65 |
| SHA256 | 7ac3a47cb8196aae573d5855ce43ac0498f18281e4b9ff626f53eaf220c1fdc5 |
| SHA512 | 7b03db127ccb8d1f98f465a52a82187cdb12ce17b651353db25a29d59e37cc1119aa9454d05a04853e5d0ffbbdba45833a10ea6e08e10b13878f7f5b7acb3a2e |
memory/2712-20-0x00000000009A0000-0x0000000000A3C000-memory.dmp
memory/2712-21-0x0000000000480000-0x000000000049C000-memory.dmp
memory/2712-24-0x00000000055F0000-0x0000000005646000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC764.tmp
| MD5 | 0eb1be611ac0823e0f91a9181595bc2b |
| SHA1 | 117950875130d7f6ddc48c727339627cf6e5b279 |
| SHA256 | c68878440e58d9a9ae6745d0a4dd730e692dea87aea2abf0901496db2d652ad2 |
| SHA512 | 7e2996918c694c4488610ed8f43c5434afe0de0784f6661a80477a75f1df9960be6897419aee3966efeb1fa57b4e00b02fde2d40a1f5e4bd6a45e783610ed8a6 |
memory/2984-35-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2984-44-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2984-48-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2984-46-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2984-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2984-41-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2984-39-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2984-37-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD6A0.tmp.bat
| MD5 | 0a171e14a5351d36c17ed610b86191ec |
| SHA1 | 4a6d662dbbe083ac2ef50380d23874c80240a2e6 |
| SHA256 | 8b01471e1710270bd16beba920ff03a198e2d1cf267ba649dd1fadc03fa11110 |
| SHA512 | a5876c6f03fa77c2a8f3cfca0d06cbe54e4e2b4f5fc191091aea8ab0780ad9b6f895eaf47bf893cee60a2fe4847a3803568bf0a9405513892429507e6b3f1c5d |
memory/2088-62-0x0000000000990000-0x0000000000A2C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 877a1d9b323530fae5bf4c22ea8ea19f |
| SHA1 | 100c5ba0394a5998699790ff27858306bad7fb29 |
| SHA256 | f02fc89665a452012245632caaec0f68e97b9e96af91a2e21e6efe4cd3f6cca8 |
| SHA512 | 36dcecda8f397d887032a9329e83fbff8c742e9d4278925114af034cbd77f2918a4796b04b2030bb62112c57f5b8113db4b0deaa294942e3a2ee077d3bb548bd |
memory/1484-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1484-88-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1484-86-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab5A91.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-26 08:01
Reported
2024-11-26 08:03
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
AsyncRat
Asyncrat family
WSHRAT
Wshrat family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4012 set thread context of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe |
| PID 4708 set thread context of 3116 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D87ABD25|OFGADUSE|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 26/11/2024|JavaScript | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\D24112509FA.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp80A.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp755A.tmp"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.80.246.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.80.66:7044 | chongmei33.publicvm.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\adobe.js
| MD5 | 98d77a83c389bb812e0838c391b73258 |
| SHA1 | f543f656670ab8abfc78b06d8331b4c4a70c3df2 |
| SHA256 | 177fa36898fbdb539116997091efff95984ccbd64a8a2b022f0557424a6fd915 |
| SHA512 | 5f0bdc882df3a6eb86645d765b5c7d320c62ac278e8bee43e11742236dc60d1209ee7be50e7540ac94f710ab46280f5e5b46f8913d30a23c25b1403de4842ea8 |
C:\Users\Admin\AppData\Local\Temp\svchost.js
| MD5 | 198a3620008e85b96e716688e6c9f8bb |
| SHA1 | e61d0552a7aa2b4815e21fd955e335679af56d5e |
| SHA256 | a28853b5fb6657f6491856b90e64381c197a3f7aa40a0a09199a5e9d61502bd3 |
| SHA512 | fa3d09906173ea98277266366daf5b47c9d44387b83fda3a1ec5a1ef6dda08b20f2b6344b6138421a0b98f16e44e0b147280ef490d9902ddfdca1268590cfbbc |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js
| MD5 | 7032b4f21a6cca0412a4b9116b017113 |
| SHA1 | a6bf183f66cf2cce1d4ab0df7ad1c7396b632420 |
| SHA256 | 9ab4b64b8e0fcf1c9ab06a84e8d90291748010092343813e024398dfee70259e |
| SHA512 | 47e7eac22561fcf095fc69cee8093cd9723d58b9e60cc4d3efe4a2c67b117aa4e877241bc5f72a13126a18505eb309a53079eeb7d2bad67c03bc689adcc8eb4e |
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
| MD5 | 3a581f3b380d9e4f8ad2eb3962398b90 |
| SHA1 | c1842a583d793972040d03a4901b0b63f0e97d65 |
| SHA256 | 7ac3a47cb8196aae573d5855ce43ac0498f18281e4b9ff626f53eaf220c1fdc5 |
| SHA512 | 7b03db127ccb8d1f98f465a52a82187cdb12ce17b651353db25a29d59e37cc1119aa9454d05a04853e5d0ffbbdba45833a10ea6e08e10b13878f7f5b7acb3a2e |
memory/4012-25-0x0000000000C10000-0x0000000000CAC000-memory.dmp
memory/4012-26-0x0000000005CF0000-0x0000000006294000-memory.dmp
memory/4012-27-0x0000000005680000-0x0000000005712000-memory.dmp
memory/4012-28-0x0000000005750000-0x000000000575A000-memory.dmp
memory/4012-29-0x0000000005960000-0x00000000059FC000-memory.dmp
memory/4012-30-0x0000000005C70000-0x0000000005C8C000-memory.dmp
memory/4012-33-0x0000000006CA0000-0x0000000006CF6000-memory.dmp
memory/3200-40-0x00000000024D0000-0x0000000002506000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF7CD.tmp
| MD5 | c97e107f48f25ff6e58b731ab62b9443 |
| SHA1 | ef3e645e8c87d685499476249a8a739c58b954b3 |
| SHA256 | 14452927e3f0ec21efe6eba7fabe485f5cf36a7bd0513ce440e9089aba4af772 |
| SHA512 | 903bc20d9e638a27306a123f5340742a1f4339b56fb2b8cdbdd40cba0ef3c645eae94af8b5d38919e951498e3d0f372c43fd02be9f1c5a8d5deb799f99defb29 |
memory/3200-44-0x0000000004FB0000-0x00000000055D8000-memory.dmp
memory/1548-42-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3200-46-0x0000000004E40000-0x0000000004E62000-memory.dmp
memory/3200-47-0x0000000004EE0000-0x0000000004F46000-memory.dmp
memory/3200-48-0x0000000005650000-0x00000000056B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwnkptko.kvl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3200-58-0x0000000005800000-0x0000000005B54000-memory.dmp
memory/3200-59-0x0000000005DE0000-0x0000000005DFE000-memory.dmp
memory/3200-60-0x0000000005E20000-0x0000000005E6C000-memory.dmp
memory/3200-61-0x0000000006FC0000-0x0000000006FF2000-memory.dmp
memory/3200-62-0x00000000703C0000-0x000000007040C000-memory.dmp
memory/3200-72-0x00000000063C0000-0x00000000063DE000-memory.dmp
memory/3200-73-0x0000000007000000-0x00000000070A3000-memory.dmp
memory/3200-74-0x0000000007750000-0x0000000007DCA000-memory.dmp
memory/3200-75-0x0000000007110000-0x000000000712A000-memory.dmp
memory/3200-76-0x0000000007180000-0x000000000718A000-memory.dmp
memory/3200-77-0x0000000007390000-0x0000000007426000-memory.dmp
memory/3200-78-0x0000000007310000-0x0000000007321000-memory.dmp
memory/3200-79-0x0000000007340000-0x000000000734E000-memory.dmp
memory/3200-80-0x0000000007350000-0x0000000007364000-memory.dmp
memory/3200-81-0x0000000007450000-0x000000000746A000-memory.dmp
memory/3200-82-0x0000000007430000-0x0000000007438000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ucopa.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
C:\Users\Admin\AppData\Local\Temp\tmp80A.tmp.bat
| MD5 | 68250c027dd798d64044ef9fca64dbd0 |
| SHA1 | 704bffc6c04f1d5446c97083472e81d6932fe76d |
| SHA256 | 19542b4cbcebe732eea71d06c58fd424bcee7e8b36fb73b67f9b288c5e77ab11 |
| SHA512 | ed8690db4fb75ef594216671794fce04205a6b68c7b4408a7a29af9116dabef50687a96edcb43ddca9085c05a02f3a482d8b9cacfc05ca21bf5ac6d1a5e0c7a1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/3664-114-0x00000000060C0000-0x0000000006414000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d761b39f8206bcefbc8137d1ba306eeb |
| SHA1 | 96d5d8abcce8ddb60294e6b67585e688014fcbeb |
| SHA256 | b41703337917316324e80da5f3975fe90b4d9d87c7bae457059afeb38069734e |
| SHA512 | bbe9ee75fb5c02f464ada4a16a989dfe1dc002e4b5c980e152bf026ff8a28d3df022992da622a7b1a39801ff67e8e918e1767fbfb4f629eef231900f8212ef71 |
memory/3664-116-0x00000000065E0000-0x000000000662C000-memory.dmp
memory/3664-117-0x0000000074DA0000-0x0000000074DEC000-memory.dmp
memory/3664-127-0x00000000077E0000-0x0000000007883000-memory.dmp
memory/3664-128-0x0000000007AB0000-0x0000000007AC1000-memory.dmp
memory/3664-129-0x0000000007B00000-0x0000000007B14000-memory.dmp