Malware Analysis Report

2025-01-18 12:19

Sample ID 241211-cp2n7avrfn
Target 1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js
SHA256 1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98
Tags
snakekeylogger wshrat collection discovery execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98

Threat Level: Known bad

The file 1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js was found to be: Known bad.

Malicious Activity Summary

snakekeylogger wshrat collection discovery execution keylogger persistence spyware stealer trojan

Snake Keylogger

Snakekeylogger family

Wshrat family

Snake Keylogger payload

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Reads user/profile data of local email clients

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-11 02:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-11 02:15

Reported

2024-12-11 02:18

Platform

win7-20240903-en

Max time kernel

149s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Snakekeylogger family

snakekeylogger

WSHRAT

trojan wshrat

Wshrat family

wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" C:\Windows\System32\WScript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A checkip.dyndns.org N/A N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 2892 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WScript.exe
PID 2892 wrote to memory of 2676 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2892 wrote to memory of 2740 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2740 wrote to memory of 2072 N/A C:\Windows\System32\WScript.exe C:\Users\Admin\AppData\Local\Temp\ZqrN.exe
PID 2676 wrote to memory of 2176 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 2176 wrote to memory of 2952 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OPXCFY.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"

C:\Users\Admin\AppData\Local\Temp\ZqrN.exe

"C:\Users\Admin\AppData\Local\Temp\ZqrN.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GxO.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GxO.vbs"

Network

Country Destination Domain Proto
US 192.3.220.6:80 192.3.220.6 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.82.67:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 188.114.96.2:443 reallyfreegeoip.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\OPXCFY.js

MD5 5cbd790c1378134731dc246a81c93407
SHA1 5830dbee39be0a297112f0c370ec0fe262e3481a
SHA256 20db27c44f4d385c66f6753ce3afc9d9c7a89802f817f896c341c66636c2cd47
SHA512 b18cb8f6c4464d288ffcb601cdc4fb8b8a5da0c5702cc1ba27deafeb43dc7b7d998a0e9773fb93564fe93d6c55a24e4c66d96464a32c717e4e5d1bcf738349c8

C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js

MD5 98580a656c68b3f635dc03194073f889
SHA1 08fc5771841b25dbdbb1ba2e6c519add747e4413
SHA256 0b2d1630032ee6b65cc35650f78a34487b8d784c6fb882340e44051f2b3b50ae
SHA512 0bc77b7e00030dd3adb8ae4769eeeff067b25595f0450de0827b2fcf8330713331f3922956aa5f8c3ef3ced7365db45a15ba3e8b625af13f40085cc1f090e89d

C:\Users\Admin\AppData\Local\Temp\adobe.js

MD5 8ca638b30fea8a14b3de0e271a4fc225
SHA1 7c33f879a39b852f3e8b7d05ee3d240259696b5e
SHA256 58fd32619eed98484f0f071c1d18a81490ffccaf5be21836cbdbf5083e68662f
SHA512 548e6f7f62056217a2124524d08af30dab8f77368d44d175bf20c66d5babcacf97dfcf3d44cc3b60255d29d3d76ccc20413db9238f466265cda2347bde1a237f

C:\Users\Admin\AppData\Local\Temp\ZqrN.exe

MD5 ad1d0676362d866735f0d532f8e3d581
SHA1 a16badc35300527d38e9d3ff6af1c1e1265c5b39
SHA256 09251632adbf8aae4c9246ddc36375f66d41f0030c6adcc664dcf2773053735c
SHA512 e8685ed84b76ab0d0698b0dadc8af4d7a6481ab08656e22885c68a2172983e33feb462e21336911bab3600373381baca594cba48be5e07b7712e3e9b6e99d8c8

C:\Users\Admin\AppData\Local\Temp\GxO.vbs

MD5 2c38711037f77a66c571beca37212473
SHA1 dfcc23612a0b01f3be4e9dfe1158c0d878fafcf8
SHA256 cdb87f940c4a74c8c4f6e49881418b852cab544dd0c62f6201cb7e0f6825aada
SHA512 7e7b985e1d51b6cba3bf0e656d5dc1b358727d3c50334e5c4d0aac6f0a84b8ec29c4896a6a0d805d3eb8549600e636adb08491aa309f55ef61cc5e2dbbbcfda3

memory/2072-23-0x0000000000C60000-0x0000000000C86000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\json[1].json

MD5 c085beeb6f771b90fed94c1d940f97f6
SHA1 44a994d9175d6abaa9a3b5718e242fa659aed66a
SHA256 ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51
SHA512 9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-11 02:15

Reported

2024-12-11 02:18

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js

Signatures

Snake Keylogger

stealer keylogger snakekeylogger

Snake Keylogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Snakekeylogger family

snakekeylogger

WSHRAT

trojan wshrat

Wshrat family

wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs C:\Windows\System32\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" C:\Windows\System32\WScript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A ip-api.com N/A N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\ZqrN.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OPXCFY.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GxO.vbs"

C:\Users\Admin\AppData\Local\Temp\ZqrN.exe

"C:\Users\Admin\AppData\Local\Temp\ZqrN.exe"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GxO.vbs"

Network

Country Destination Domain Proto
US 192.3.220.6:80 192.3.220.6 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 6.220.3.192.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
JP 132.226.8.169:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 188.114.96.2:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 169.8.226.132.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
SE 46.246.82.67:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 67.82.246.46.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\OPXCFY.js

MD5 5cbd790c1378134731dc246a81c93407
SHA1 5830dbee39be0a297112f0c370ec0fe262e3481a
SHA256 20db27c44f4d385c66f6753ce3afc9d9c7a89802f817f896c341c66636c2cd47
SHA512 b18cb8f6c4464d288ffcb601cdc4fb8b8a5da0c5702cc1ba27deafeb43dc7b7d998a0e9773fb93564fe93d6c55a24e4c66d96464a32c717e4e5d1bcf738349c8

C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js

MD5 98580a656c68b3f635dc03194073f889
SHA1 08fc5771841b25dbdbb1ba2e6c519add747e4413
SHA256 0b2d1630032ee6b65cc35650f78a34487b8d784c6fb882340e44051f2b3b50ae
SHA512 0bc77b7e00030dd3adb8ae4769eeeff067b25595f0450de0827b2fcf8330713331f3922956aa5f8c3ef3ced7365db45a15ba3e8b625af13f40085cc1f090e89d

C:\Users\Admin\AppData\Local\Temp\adobe.js

MD5 8ca638b30fea8a14b3de0e271a4fc225
SHA1 7c33f879a39b852f3e8b7d05ee3d240259696b5e
SHA256 58fd32619eed98484f0f071c1d18a81490ffccaf5be21836cbdbf5083e68662f
SHA512 548e6f7f62056217a2124524d08af30dab8f77368d44d175bf20c66d5babcacf97dfcf3d44cc3b60255d29d3d76ccc20413db9238f466265cda2347bde1a237f

C:\Users\Admin\AppData\Local\Temp\ZqrN.exe

MD5 ad1d0676362d866735f0d532f8e3d581
SHA1 a16badc35300527d38e9d3ff6af1c1e1265c5b39
SHA256 09251632adbf8aae4c9246ddc36375f66d41f0030c6adcc664dcf2773053735c
SHA512 e8685ed84b76ab0d0698b0dadc8af4d7a6481ab08656e22885c68a2172983e33feb462e21336911bab3600373381baca594cba48be5e07b7712e3e9b6e99d8c8

C:\Users\Admin\AppData\Local\Temp\GxO.vbs

MD5 2c38711037f77a66c571beca37212473
SHA1 dfcc23612a0b01f3be4e9dfe1158c0d878fafcf8
SHA256 cdb87f940c4a74c8c4f6e49881418b852cab544dd0c62f6201cb7e0f6825aada
SHA512 7e7b985e1d51b6cba3bf0e656d5dc1b358727d3c50334e5c4d0aac6f0a84b8ec29c4896a6a0d805d3eb8549600e636adb08491aa309f55ef61cc5e2dbbbcfda3

memory/4808-28-0x0000000000700000-0x0000000000726000-memory.dmp

memory/4808-29-0x00000000056B0000-0x0000000005C54000-memory.dmp

memory/4808-30-0x00000000051A0000-0x000000000523C000-memory.dmp

memory/4808-38-0x00000000065B0000-0x0000000006600000-memory.dmp

memory/4808-39-0x00000000067D0000-0x0000000006992000-memory.dmp

memory/4808-40-0x00000000066A0000-0x0000000006732000-memory.dmp

memory/4808-41-0x0000000006620000-0x000000000662A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FGDWJGSY\json[1].json

MD5 c085beeb6f771b90fed94c1d940f97f6
SHA1 44a994d9175d6abaa9a3b5718e242fa659aed66a
SHA256 ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51
SHA512 9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a