Analysis Overview
SHA256
1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98
Threat Level: Known bad
The file 1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js was found to be: Known bad.
Malicious Activity Summary
Wshrat family
Snakekeylogger family
WSHRAT
Snake Keylogger payload
Snake Keylogger
Blocklisted process makes network request
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Reads user/profile data of local email clients
Drops startup file
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-11 02:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-11 02:19
Reported
2024-12-11 02:21
Platform
win7-20240903-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Snakekeylogger family
WSHRAT
Wshrat family
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
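The three keys above are the Outlook MAPI profile stores (the Office 15.0 and 16.0 hives and the legacy Windows Messaging Subsystem path); the subkey 9375CFF0413111d3B88A00104B2A6676 is where Outlook keeps per-account settings, including stored mail credentials, which is why Snake Keylogger reads it. Only Outlook and Office components have a reason to open these keys, so a dropped executable in %TEMP% doing so is a strong signal. The detection below is an added example, not part of the sandbox report; it runs over the table rows as printed here plus one constructed benign row (OUTLOOK.EXE reading its own profile) as a control. The allowlist and the user-writable directory list are assumptions to tune for your estate.

```python
"""Flag processes other than Outlook itself opening the MAPI profile keys,
which is where mail account settings and stored credentials live."""
import re
from dataclasses import dataclass

# Rows copied from the 'Accesses Microsoft Outlook profiles' table, plus one
# constructed benign row (OUTLOOK.EXE) as a control. Embedded so it runs offline.
SAMPLE_EVENTS = r"""
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | N/A |
"""

# Office-version profile store or the legacy Windows Messaging Subsystem store.
PROFILE_KEY_RE = re.compile(
    r"(?i)\\Software\\Microsoft\\(?:Office\\(?P<ver>\d+\.\d+)\\Outlook\\Profiles"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles)\\")
ALLOWED_IMAGES = {"outlook.exe"}          # assumption: extend for your mail tooling
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:AppData|ProgramData|Temp|Public)\\")


@dataclass(frozen=True)
class ProfileRead:
    process: str
    store: str           # "Office 15.0", "Office 16.0" or "Windows Messaging Subsystem"
    from_user_dir: bool  # True when the image lives in a user-writable directory


def parse_rows(table):
    """Yield (description, indicator, process, target) from report table rows."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            yield cells


def find_profile_reads(table):
    hits = []
    for desc, indicator, process, _target in parse_rows(table):
        if not desc.startswith("Key opened"):
            continue
        m = PROFILE_KEY_RE.search(indicator)
        if not m:
            continue
        image = process.rsplit("\\", 1)[-1].lower()
        if image in ALLOWED_IMAGES:
            continue
        store = f"Office {m.group('ver')}" if m.group("ver") else "Windows Messaging Subsystem"
        hits.append(ProfileRead(process, store, bool(USER_WRITABLE_RE.search(process))))
    return hits


def summarize(hits):
    """Map each offending process to the set of profile stores it touched."""
    out = {}
    for h in hits:
        out.setdefault(h.process, set()).add(h.store)
    return out


if __name__ == "__main__":
    for proc, stores in summarize(find_profile_reads(SAMPLE_EVENTS)).items():
        print(proc, "->", sorted(stores))
```

A single process sweeping all three stores in one run, as ZqrN.exe does here, is the stealer pattern; a legitimate add-in normally touches only the store for the installed Office version.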
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
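Two points worth reading out of the Run key and Startup folder rows. First, the value data runs wscript.exe with the //B switch (batch mode, which suppresses script errors and prompts) on a .vbs copy in AppData\Roaming, while a second copy of the same GxO.vbs is dropped into the per-user Startup folder, so the script restarts even if one mechanism is cleaned. Second, writing HKLM\SOFTWARE\...\Run needs an elevated token; that both hives were written tells you the detonation ran as an administrator, and on a standard-user host you should expect only the HKCU value and the Startup file. The script below is an added example, not part of the sandbox report: it consumes rows in the table format printed here (with one constructed benign Run value as a control), pulls out script-host persistence in user-writable paths, and raises the severity when both mechanisms point at the same script name. The directory list treated as user-writable is an assumption.

```python
"""Detect the persistence pair recorded above: a Run value that launches
wscript.exe in batch mode (//B) on a script in a user-writable directory, and
the same script dropped into the per-user Startup folder."""
import re
from dataclasses import dataclass

# Rows copied from the 'Adds Run key' and 'Drops startup file' tables, plus one
# constructed benign Run value (OneDrive) as a control. Embedded so it runs offline.
SAMPLE_EVENTS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\OneDrive\\OneDrive.exe /background" | C:\Windows\explorer.exe | N/A |
"""

SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$')
# wscript/cscript, any //X host switches, optional quote, then a script path.
SCRIPT_HOST_RE = re.compile(
    r'(?i)\b[wc]script(?:\.exe)?(?:\s+//\w+)*\s+"?(?P<script>[A-Za-z]:[^"]+?\.(?:vbs|vbe|js|jse|wsf))\b')
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:AppData|ProgramData|Temp|Public)\\")  # assumption
STARTUP_RE = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\([^\\]+)$")


@dataclass(frozen=True)
class Finding:
    kind: str       # "run_key_script_host" or "startup_script_drop"
    script: str     # normalised path of the persisted script
    location: str   # hive and value name, or "Startup folder"
    process: str    # process that wrote it


def parse_rows(table):
    """Yield (description, indicator, process, target) from report table rows."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            yield cells


def find_persistence(table):
    findings = []
    for desc, indicator, process, _target in parse_rows(table):
        if desc.startswith("Set value"):
            m = RUN_VALUE_RE.search(indicator)
            if not m:
                continue
            hive = "HKLM" if indicator.startswith(r"\REGISTRY\MACHINE") else "HKCU"
            # The report prints REG_SZ data as an escaped string: undo \" and \\.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            s = SCRIPT_HOST_RE.search(data)
            if s and USER_WRITABLE_RE.search(s.group("script")):
                findings.append(Finding("run_key_script_host", s.group("script"),
                                        f"{hive} Run\\{m.group('name')}", process))
        elif desc.startswith("File created"):
            m = STARTUP_RE.search(indicator)
            if m and m.group(1).lower().endswith(SCRIPT_EXT):
                findings.append(Finding("startup_script_drop", indicator, "Startup folder", process))
    return findings


def correlate(findings):
    """Group by script file name; both mechanisms on one name is high severity."""
    grouped = {}
    for f in findings:
        name = f.script.rsplit("\\", 1)[-1].lower()
        grouped.setdefault(name, set()).add(f.kind)
    return {name: {"kinds": kinds, "severity": "high" if len(kinds) == 2 else "medium"}
            for name, kinds in grouped.items()}


if __name__ == "__main__":
    for name, verdict in correlate(find_persistence(SAMPLE_EVENTS)).items():
        print(name, verdict["severity"], sorted(verdict["kinds"]))
```

The same regexes apply unchanged to Sysmon Event ID 13 (registry value set) and Event ID 11 (file create) data, since the report's indicator strings follow the same shape as the Windows registry and file paths those events carry.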
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OPXCFY.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GxO.vbs"
C:\Users\Admin\AppData\Local\Temp\ZqrN.exe
"C:\Users\Admin\AppData\Local\Temp\ZqrN.exe"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GxO.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 192.3.220.6:80 | 192.3.220.6 | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 188.114.96.2:443 | reallyfreegeoip.org | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
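Read as a whole, the Network table separates into three things: DNS queries to the sandbox resolver, one-shot HTTP/HTTPS calls to public IP and geolocation services (checkip.dyndns.org, ip-api.com, reallyfreegeoip.org, which Snake Keylogger uses to stamp the victim's address onto its exfiltration), and a long series of TCP sessions to chongmei33.publicvm.com on port 7045 at 46.246.82.67, a dynamic-DNS hostname on a non-standard port that is the WSHRAT command-and-control channel. The direct connection to 192.3.220.6:80 has no resolved hostname and the report does not say what was fetched, so it is listed for analyst review rather than asserted as C2. The script below is an added example, not part of the sandbox report: it parses an excerpt of the table, drops the sandbox host's own reverse lookups, keeps the IP-check services as weak indicators, and produces a deduplicated blocklist with connection counts. The resolver and service lists are assumptions taken from this report.

```python
"""Reduce a sandbox 'Network' table to deduplicated, categorised IOCs."""
from collections import Counter
from dataclasses import dataclass

# Excerpt of the behavioral1 Network table, embedded so the script runs
# offline; the full table repeats the port 7045 row many more times.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 192.3.220.6:80 | 192.3.220.6 | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 188.114.96.2:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 67.82.246.46.in-addr.arpa | udp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
"""

RESOLVERS = {"8.8.8.8"}   # assumption: the sandbox's DNS resolver
# Legitimate "what is my IP" services abused before exfiltration; weak on their own.
IP_CHECK_SERVICES = {"checkip.dyndns.org", "ip-api.com", "reallyfreegeoip.org"}


@dataclass(frozen=True)
class Ioc:
    kind: str     # dns_query | ip_check | direct_ip | c2_candidate
    domain: str
    ip: str
    port: int
    proto: str


def parse_rows(table):
    """Return (country, ip, port, domain, proto) tuples from the table rows."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append((country, ip, int(port), domain, proto))
    return rows


def classify(rows):
    """Count each distinct endpoint by category."""
    counts = Counter()
    for _country, ip, port, domain, proto in rows:
        if ip in RESOLVERS and port == 53:
            if domain.endswith(".in-addr.arpa"):
                continue            # reverse lookups by the sandbox host, not the sample
            kind = "dns_query"
        elif domain in IP_CHECK_SERVICES:
            kind = "ip_check"
        elif domain == ip:
            kind = "direct_ip"      # no hostname; report separately for review
        else:
            kind = "c2_candidate"
        counts[Ioc(kind, domain, ip, port, proto)] += 1
    return counts


def c2_candidates(counts):
    """C2 candidates, most-connected first."""
    return sorted(((i, n) for i, n in counts.items() if i.kind == "c2_candidate"),
                  key=lambda t: -t[1])


def blocklist(counts):
    """Hostnames and IPs worth blocking outright."""
    out = set()
    for ioc, _n in c2_candidates(counts):
        out.update({ioc.domain, ioc.ip})
    return out


if __name__ == "__main__":
    counts = classify(parse_rows(SAMPLE_TABLE))
    for ioc, n in c2_candidates(counts):
        print(f"{ioc.domain} {ioc.ip}:{ioc.port}/{ioc.proto} x{n}")
    print(sorted(blocklist(counts)))
```

Block the hostname as well as the address: publicvm.com is a dynamic-DNS provider, so the operator can repoint chongmei33 to a new IP without touching the implant.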
Files
C:\Users\Admin\AppData\Local\Temp\OPXCFY.js
| MD5 | 5cbd790c1378134731dc246a81c93407 |
| SHA1 | 5830dbee39be0a297112f0c370ec0fe262e3481a |
| SHA256 | 20db27c44f4d385c66f6753ce3afc9d9c7a89802f817f896c341c66636c2cd47 |
| SHA512 | b18cb8f6c4464d288ffcb601cdc4fb8b8a5da0c5702cc1ba27deafeb43dc7b7d998a0e9773fb93564fe93d6c55a24e4c66d96464a32c717e4e5d1bcf738349c8 |
C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js
| MD5 | 98580a656c68b3f635dc03194073f889 |
| SHA1 | 08fc5771841b25dbdbb1ba2e6c519add747e4413 |
| SHA256 | 0b2d1630032ee6b65cc35650f78a34487b8d784c6fb882340e44051f2b3b50ae |
| SHA512 | 0bc77b7e00030dd3adb8ae4769eeeff067b25595f0450de0827b2fcf8330713331f3922956aa5f8c3ef3ced7365db45a15ba3e8b625af13f40085cc1f090e89d |
C:\Users\Admin\AppData\Local\Temp\adobe.js
| MD5 | 8ca638b30fea8a14b3de0e271a4fc225 |
| SHA1 | 7c33f879a39b852f3e8b7d05ee3d240259696b5e |
| SHA256 | 58fd32619eed98484f0f071c1d18a81490ffccaf5be21836cbdbf5083e68662f |
| SHA512 | 548e6f7f62056217a2124524d08af30dab8f77368d44d175bf20c66d5babcacf97dfcf3d44cc3b60255d29d3d76ccc20413db9238f466265cda2347bde1a237f |
C:\Users\Admin\AppData\Local\Temp\ZqrN.exe
| MD5 | ad1d0676362d866735f0d532f8e3d581 |
| SHA1 | a16badc35300527d38e9d3ff6af1c1e1265c5b39 |
| SHA256 | 09251632adbf8aae4c9246ddc36375f66d41f0030c6adcc664dcf2773053735c |
| SHA512 | e8685ed84b76ab0d0698b0dadc8af4d7a6481ab08656e22885c68a2172983e33feb462e21336911bab3600373381baca594cba48be5e07b7712e3e9b6e99d8c8 |
C:\Users\Admin\AppData\Local\Temp\GxO.vbs
| MD5 | 2c38711037f77a66c571beca37212473 |
| SHA1 | dfcc23612a0b01f3be4e9dfe1158c0d878fafcf8 |
| SHA256 | cdb87f940c4a74c8c4f6e49881418b852cab544dd0c62f6201cb7e0f6825aada |
| SHA512 | 7e7b985e1d51b6cba3bf0e656d5dc1b358727d3c50334e5c4d0aac6f0a84b8ec29c4896a6a0d805d3eb8549600e636adb08491aa309f55ef61cc5e2dbbbcfda3 |
memory/316-23-0x0000000000240000-0x0000000000266000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\json[1].json
| MD5 | c085beeb6f771b90fed94c1d940f97f6 |
| SHA1 | 44a994d9175d6abaa9a3b5718e242fa659aed66a |
| SHA256 | ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51 |
| SHA512 | 9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-11 02:19
Reported
2024-12-11 02:21
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Snake Keylogger
Snake Keylogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Snakekeylogger family
WSHRAT
Wshrat family
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GxO.vbs | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GxO = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\GxO.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\ZqrN.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\1f0ef4fc5add951652abf5703c97934a6072ba87ba209f0ba1407ed466f6bb98.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\OPXCFY.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GxO.vbs"
C:\Users\Admin\AppData\Local\Temp\ZqrN.exe
"C:\Users\Admin\AppData\Local\Temp\ZqrN.exe"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GxO.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 192.3.220.6:80 | 192.3.220.6 | tcp |
| US | 8.8.8.8:53 | 6.220.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 188.114.97.2:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.82.246.46.in-addr.arpa | udp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
| SE | 46.246.82.67:7045 | chongmei33.publicvm.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\OPXCFY.js
| MD5 | 5cbd790c1378134731dc246a81c93407 |
| SHA1 | 5830dbee39be0a297112f0c370ec0fe262e3481a |
| SHA256 | 20db27c44f4d385c66f6753ce3afc9d9c7a89802f817f896c341c66636c2cd47 |
| SHA512 | b18cb8f6c4464d288ffcb601cdc4fb8b8a5da0c5702cc1ba27deafeb43dc7b7d998a0e9773fb93564fe93d6c55a24e4c66d96464a32c717e4e5d1bcf738349c8 |
C:\Users\Admin\AppData\Local\Temp\WindowsAudio.js
| MD5 | 98580a656c68b3f635dc03194073f889 |
| SHA1 | 08fc5771841b25dbdbb1ba2e6c519add747e4413 |
| SHA256 | 0b2d1630032ee6b65cc35650f78a34487b8d784c6fb882340e44051f2b3b50ae |
| SHA512 | 0bc77b7e00030dd3adb8ae4769eeeff067b25595f0450de0827b2fcf8330713331f3922956aa5f8c3ef3ced7365db45a15ba3e8b625af13f40085cc1f090e89d |
C:\Users\Admin\AppData\Local\Temp\adobe.js
| MD5 | 8ca638b30fea8a14b3de0e271a4fc225 |
| SHA1 | 7c33f879a39b852f3e8b7d05ee3d240259696b5e |
| SHA256 | 58fd32619eed98484f0f071c1d18a81490ffccaf5be21836cbdbf5083e68662f |
| SHA512 | 548e6f7f62056217a2124524d08af30dab8f77368d44d175bf20c66d5babcacf97dfcf3d44cc3b60255d29d3d76ccc20413db9238f466265cda2347bde1a237f |
C:\Users\Admin\AppData\Local\Temp\ZqrN.exe
| MD5 | ad1d0676362d866735f0d532f8e3d581 |
| SHA1 | a16badc35300527d38e9d3ff6af1c1e1265c5b39 |
| SHA256 | 09251632adbf8aae4c9246ddc36375f66d41f0030c6adcc664dcf2773053735c |
| SHA512 | e8685ed84b76ab0d0698b0dadc8af4d7a6481ab08656e22885c68a2172983e33feb462e21336911bab3600373381baca594cba48be5e07b7712e3e9b6e99d8c8 |
C:\Users\Admin\AppData\Local\Temp\GxO.vbs
| MD5 | 2c38711037f77a66c571beca37212473 |
| SHA1 | dfcc23612a0b01f3be4e9dfe1158c0d878fafcf8 |
| SHA256 | cdb87f940c4a74c8c4f6e49881418b852cab544dd0c62f6201cb7e0f6825aada |
| SHA512 | 7e7b985e1d51b6cba3bf0e656d5dc1b358727d3c50334e5c4d0aac6f0a84b8ec29c4896a6a0d805d3eb8549600e636adb08491aa309f55ef61cc5e2dbbbcfda3 |
memory/220-28-0x0000000000340000-0x0000000000366000-memory.dmp
memory/220-29-0x0000000005200000-0x00000000057A4000-memory.dmp
memory/220-30-0x0000000004D50000-0x0000000004DEC000-memory.dmp
memory/220-40-0x00000000061C0000-0x0000000006210000-memory.dmp
memory/220-41-0x00000000063E0000-0x00000000065A2000-memory.dmp
memory/220-42-0x00000000062B0000-0x0000000006342000-memory.dmp
memory/220-43-0x0000000006260000-0x000000000626A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TRPPE7V2\json[1].json
| MD5 | c085beeb6f771b90fed94c1d940f97f6 |
| SHA1 | 44a994d9175d6abaa9a3b5718e242fa659aed66a |
| SHA256 | ff5681f440a7a4b019a4a59f43ad414393321d1eb6dc3874cea0a84e73a83c51 |
| SHA512 | 9d000581b287cd3d5464c33c260008090369a4f5f380b7cfa72eb0fc3221ce0e07df0387f6d3d6b38253c215250ac873dec0f52c501e3d6312f0a5437723a76a |