Analysis Overview
SHA256
a1799891e1d46497c6aff689f8aacda09ef5e825dd700d6fce2aa3e4ddf638b6
Threat Level: Known bad
The file a1799891e1d46497c6aff689f8aacda09ef5e825dd700d6fce2aa3e4ddf638b6.js was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
Wshrat family
AsyncRat
WSHRAT
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Scheduled Task/Job: Scheduled Task
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 02:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 02:51
Reported
2024-11-27 02:54
Platform
win7-20240708-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
AsyncRat
Asyncrat family
WSHRAT
Wshrat family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2732 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe |
| PID 944 set thread context of 1504 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|182C46BF|NNYJZAHP|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a1799891e1d46497c6aff689f8aacda09ef5e825dd700d6fce2aa3e4ddf638b6.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A9.tmp"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp145B.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80E3.tmp"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.84.65:7044 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\adobe.js
| MD5 | 98d77a83c389bb812e0838c391b73258 |
| SHA1 | f543f656670ab8abfc78b06d8331b4c4a70c3df2 |
| SHA256 | 177fa36898fbdb539116997091efff95984ccbd64a8a2b022f0557424a6fd915 |
| SHA512 | 5f0bdc882df3a6eb86645d765b5c7d320c62ac278e8bee43e11742236dc60d1209ee7be50e7540ac94f710ab46280f5e5b46f8913d30a23c25b1403de4842ea8 |
C:\Users\Admin\AppData\Local\Temp\svchost.js
| MD5 | 198a3620008e85b96e716688e6c9f8bb |
| SHA1 | e61d0552a7aa2b4815e21fd955e335679af56d5e |
| SHA256 | a28853b5fb6657f6491856b90e64381c197a3f7aa40a0a09199a5e9d61502bd3 |
| SHA512 | fa3d09906173ea98277266366daf5b47c9d44387b83fda3a1ec5a1ef6dda08b20f2b6344b6138421a0b98f16e44e0b147280ef490d9902ddfdca1268590cfbbc |
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
| MD5 | 3a581f3b380d9e4f8ad2eb3962398b90 |
| SHA1 | c1842a583d793972040d03a4901b0b63f0e97d65 |
| SHA256 | 7ac3a47cb8196aae573d5855ce43ac0498f18281e4b9ff626f53eaf220c1fdc5 |
| SHA512 | 7b03db127ccb8d1f98f465a52a82187cdb12ce17b651353db25a29d59e37cc1119aa9454d05a04853e5d0ffbbdba45833a10ea6e08e10b13878f7f5b7acb3a2e |
memory/2732-20-0x00000000002D0000-0x000000000036C000-memory.dmp
memory/2732-21-0x0000000000710000-0x000000000072C000-memory.dmp
memory/2732-23-0x00000000046C0000-0x0000000004716000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3A9.tmp
| MD5 | deb5f064893d024cd779a343feffb0cb |
| SHA1 | 18ca245ba54563860bc1e9cd2e20ba22d3fe41ad |
| SHA256 | 56af708495652f4932f20dfd3e88176a7d4e0acf12959cf7882f2a87b852849b |
| SHA512 | bb308b9f925779815729591ae8b763cedb11c99595a5a9760b0201661c45b535a637cc4bf56ac61b4aef1c6da1a835b11e66ccc9f4fc97afb0005c90b68bba29 |
memory/1632-38-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1632-51-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1632-49-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1632-47-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1632-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1632-44-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1632-42-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1632-40-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp145B.tmp.bat
| MD5 | 0ba7ea9ce70b7286b67ae5baf04744cf |
| SHA1 | 5d56830b925798515d97d5d2e4737962b3ae0d18 |
| SHA256 | 94dbf7a8d844d2a3708db224170eca62a86e6d9bba25e92333000a3dcb5702c5 |
| SHA512 | 702e116d1a79c28d2dfdbbd78ad3e0f9cdce3027c538b08dcd09655efc9d348a59b62fea1ae586fed12ecbed270e00dc5b23305a893afe67dceea03ecc4cd952 |
memory/944-65-0x00000000012C0000-0x000000000135C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | e77f2d8679b80295a5348920f6f1fe47 |
| SHA1 | 25b4868f7cdb0eb02b47b0546a1c0ab6176a79cb |
| SHA256 | f730820598ebf9b82122f665fa5f56bd4d54f1f9c34e39485e05bf9350fc0806 |
| SHA512 | 7db08f625afdbb070e82514a581067e520091f7e410f10c1b0a45b2514f3166bbb44679654148facf70f0fc476314297f6982f1d3bb75203db872d9cf7504cc2 |
memory/1504-85-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1504-84-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1504-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 02:51
Reported
2024-11-27 02:54
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
AsyncRat
Asyncrat family
WSHRAT
Wshrat family
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\"" | C:\Windows\System32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2556 set thread context of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe |
| PID 2916 set thread context of 2188 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Users\Admin\AppData\Roaming\Windows Update.exe |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
| HTTP User-Agent header | WSHRAT|D80F4F5B|SPDEBJWH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 27/11/2024|JavaScript | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ucopa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a1799891e1d46497c6aff689f8aacda09ef5e825dd700d6fce2aa3e4ddf638b6.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\svchost.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF230.tmp"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
"C:\Users\Admin\AppData\Local\Temp\Ucopa.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1FF.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Update" /tr '"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vDKSLmXZAli.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vDKSLmXZAli" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E65.tmp"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.84.246.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | jinvestments.duckdns.org | udp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| US | 192.169.69.26:7031 | jinvestments.duckdns.org | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:2703 | chongmei33.publicvm.com | tcp |
| SE | 46.246.84.65:7044 | chongmei33.publicvm.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\adobe.js
| MD5 | 98d77a83c389bb812e0838c391b73258 |
| SHA1 | f543f656670ab8abfc78b06d8331b4c4a70c3df2 |
| SHA256 | 177fa36898fbdb539116997091efff95984ccbd64a8a2b022f0557424a6fd915 |
| SHA512 | 5f0bdc882df3a6eb86645d765b5c7d320c62ac278e8bee43e11742236dc60d1209ee7be50e7540ac94f710ab46280f5e5b46f8913d30a23c25b1403de4842ea8 |
C:\Users\Admin\AppData\Local\Temp\svchost.js
| MD5 | 198a3620008e85b96e716688e6c9f8bb |
| SHA1 | e61d0552a7aa2b4815e21fd955e335679af56d5e |
| SHA256 | a28853b5fb6657f6491856b90e64381c197a3f7aa40a0a09199a5e9d61502bd3 |
| SHA512 | fa3d09906173ea98277266366daf5b47c9d44387b83fda3a1ec5a1ef6dda08b20f2b6344b6138421a0b98f16e44e0b147280ef490d9902ddfdca1268590cfbbc |
C:\Users\Admin\AppData\Local\Temp\Ucopa.exe
| MD5 | 3a581f3b380d9e4f8ad2eb3962398b90 |
| SHA1 | c1842a583d793972040d03a4901b0b63f0e97d65 |
| SHA256 | 7ac3a47cb8196aae573d5855ce43ac0498f18281e4b9ff626f53eaf220c1fdc5 |
| SHA512 | 7b03db127ccb8d1f98f465a52a82187cdb12ce17b651353db25a29d59e37cc1119aa9454d05a04853e5d0ffbbdba45833a10ea6e08e10b13878f7f5b7acb3a2e |
memory/2556-25-0x0000000000160000-0x00000000001FC000-memory.dmp
memory/2556-26-0x00000000051B0000-0x0000000005754000-memory.dmp
memory/2556-27-0x0000000004C00000-0x0000000004C92000-memory.dmp
memory/2556-28-0x0000000004DA0000-0x0000000004DAA000-memory.dmp
memory/2556-29-0x0000000004EB0000-0x0000000004F4C000-memory.dmp
memory/2556-30-0x0000000005170000-0x000000000518C000-memory.dmp
memory/2556-33-0x0000000006560000-0x00000000065B6000-memory.dmp
memory/2676-40-0x0000000002200000-0x0000000002236000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF230.tmp
| MD5 | eb0c608857357dd32942d2ec4c9c0019 |
| SHA1 | ce335fc1c0f5fb8369874acec35b3f3aad360b3e |
| SHA256 | 690d8b29fd96fd32de0f85557c0eacb608bfdc99230e03f6e70979ad821ef4fd |
| SHA512 | 6bab821235216aa6a2551ae492a89551234a13f68e3158738d6da17d7264e18e8da25c5aa19b33ed43cd5cc98087282dc5a6e24d152beeea7ca9636ca477290b |
memory/2676-42-0x0000000004E50000-0x0000000005478000-memory.dmp
memory/4104-43-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2676-47-0x0000000004C20000-0x0000000004C42000-memory.dmp
memory/2676-49-0x0000000004D30000-0x0000000004D96000-memory.dmp
memory/2676-48-0x0000000004CC0000-0x0000000004D26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5j1o3nd.os2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2676-55-0x00000000054C0000-0x0000000005814000-memory.dmp
memory/2676-60-0x0000000005AD0000-0x0000000005AEE000-memory.dmp
memory/2676-61-0x0000000005B60000-0x0000000005BAC000-memory.dmp
memory/2676-62-0x00000000060A0000-0x00000000060D2000-memory.dmp
memory/2676-63-0x0000000071330000-0x000000007137C000-memory.dmp
memory/2676-73-0x0000000006060000-0x000000000607E000-memory.dmp
memory/2676-74-0x0000000006CA0000-0x0000000006D43000-memory.dmp
memory/2676-75-0x0000000007440000-0x0000000007ABA000-memory.dmp
memory/2676-76-0x0000000006DF0000-0x0000000006E0A000-memory.dmp
memory/2676-77-0x0000000006E60000-0x0000000006E6A000-memory.dmp
memory/2676-78-0x0000000007070000-0x0000000007106000-memory.dmp
memory/2676-79-0x0000000006FF0000-0x0000000007001000-memory.dmp
memory/2676-80-0x0000000007020000-0x000000000702E000-memory.dmp
memory/2676-81-0x0000000007030000-0x0000000007044000-memory.dmp
memory/2676-82-0x0000000007130000-0x000000000714A000-memory.dmp
memory/2676-83-0x0000000007110000-0x0000000007118000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ucopa.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
C:\Users\Admin\AppData\Local\Temp\tmp1FF.tmp.bat
| MD5 | daa1560735b9c43f485f119f155d926e |
| SHA1 | b03e64f0574773c72d73e8b0ffa67849f41be357 |
| SHA256 | 8a30629954a7c9f924445e4b7d7e08a7f860fc9fe49b429388d7632c647241d0 |
| SHA512 | 9ac844ffc8b409bfa222347ca92dcbf25b830a91ed2191b02d47d0aab9a0ee7e57db4a1b434e5d8a11aa48c91c85eeb69e413dbacdbe7b8644ad1200661e8e13 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/1516-105-0x0000000005F70000-0x00000000062C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b028c7e102a4ed1c54fe3a64295dc193 |
| SHA1 | 93ddf36df40510368ba254b227b68ea4da92c528 |
| SHA256 | aba26b7699e4b9ffedaa01eb9487b647124864e049c0820315058a3a4ff252b0 |
| SHA512 | c20369cc0b9d53d2c0105a105b3ae0cffb9fde58b7ddfe5f5ac7f3e5abe79b433803443b27226873fec9f2c1fc3ade5d192a5d23be83737afa2fa31e8a5ce538 |
memory/1516-116-0x0000000006640000-0x000000000668C000-memory.dmp
memory/1516-117-0x00000000734E0000-0x000000007352C000-memory.dmp
memory/1516-127-0x0000000007880000-0x0000000007923000-memory.dmp
memory/1516-128-0x0000000007B20000-0x0000000007B31000-memory.dmp
memory/1516-129-0x0000000007B60000-0x0000000007B74000-memory.dmp