Malware Analysis Report

2025-04-14 08:28

Sample ID 211010-nz6xfafgf2
Target 3151f194fcfe3b210732d3f6bed59cbd.js
SHA256 878057fe16a4f4bcdf4e3cf5e28c5e5686da8f24ebb03ced117b34a3f76571aa
Tags
wshrat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

878057fe16a4f4bcdf4e3cf5e28c5e5686da8f24ebb03ced117b34a3f76571aa

Threat Level: Known bad

The file 3151f194fcfe3b210732d3f6bed59cbd.js was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-10 11:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-10 11:51

Reported

2021-10-10 11:53

Platform

win7v20210408

Max time kernel

154s

Max time network

157s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\3151f194fcfe3b210732d3f6bed59cbd.js

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3151f194fcfe3b210732d3f6bed59cbd.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3151f194fcfe3b210732d3f6bed59cbd.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\3151f194fcfe3b210732d3f6bed59cbd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3151f194fcfe3b210732d3f6bed59cbd.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3151f194fcfe3b210732d3f6bed59cbd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3151f194fcfe3b210732d3f6bed59cbd.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\3151f194fcfe3b210732d3f6bed59cbd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3151f194fcfe3b210732d3f6bed59cbd.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3151f194fcfe3b210732d3f6bed59cbd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3151f194fcfe3b210732d3f6bed59cbd.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/10/2021|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 612 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\3151f194fcfe3b210732d3f6bed59cbd.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\3151f194fcfe3b210732d3f6bed59cbd.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gar373.ddns.net udp
CH 79.134.225.91:3030 gar373.ddns.net tcp

Files

memory/612-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\3151f194fcfe3b210732d3f6bed59cbd.js

MD5 3151f194fcfe3b210732d3f6bed59cbd
SHA1 84d181e892c2c51d29c70daa7f785aa4b9a256bd
SHA256 878057fe16a4f4bcdf4e3cf5e28c5e5686da8f24ebb03ced117b34a3f76571aa
SHA512 0264ab652876cf84616e713e9e7709679e16a43a9d4d8b2624dc0dfe417eb21925a12f07ef2beff8e712570dc9e5a3777aaf221267abe8e977dde7eb64ac7024

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3151f194fcfe3b210732d3f6bed59cbd.js

MD5 3151f194fcfe3b210732d3f6bed59cbd
SHA1 84d181e892c2c51d29c70daa7f785aa4b9a256bd
SHA256 878057fe16a4f4bcdf4e3cf5e28c5e5686da8f24ebb03ced117b34a3f76571aa
SHA512 0264ab652876cf84616e713e9e7709679e16a43a9d4d8b2624dc0dfe417eb21925a12f07ef2beff8e712570dc9e5a3777aaf221267abe8e977dde7eb64ac7024

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-10 11:51

Reported

2021-10-10 11:53

Platform

win10-en-20210920

Max time kernel

148s

Max time network

146s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\3151f194fcfe3b210732d3f6bed59cbd.js

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3151f194fcfe3b210732d3f6bed59cbd.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3151f194fcfe3b210732d3f6bed59cbd.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3151f194fcfe3b210732d3f6bed59cbd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3151f194fcfe3b210732d3f6bed59cbd.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\3151f194fcfe3b210732d3f6bed59cbd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3151f194fcfe3b210732d3f6bed59cbd.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3151f194fcfe3b210732d3f6bed59cbd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3151f194fcfe3b210732d3f6bed59cbd.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\3151f194fcfe3b210732d3f6bed59cbd = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\3151f194fcfe3b210732d3f6bed59cbd.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/10/2021|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3704 wrote to memory of 1412 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\3151f194fcfe3b210732d3f6bed59cbd.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\3151f194fcfe3b210732d3f6bed59cbd.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gar373.ddns.net udp
CH 79.134.225.91:3030 gar373.ddns.net tcp
US 8.8.8.8:53 sv.symcb.com udp
US 93.184.220.29:80 sv.symcb.com tcp
US 8.8.8.8:53 s.symcb.com udp
US 72.21.91.29:80 s.symcb.com tcp
US 8.8.8.8:53 ts-crl.ws.symantec.com udp
US 72.21.91.29:80 ts-crl.ws.symantec.com tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

memory/1412-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\3151f194fcfe3b210732d3f6bed59cbd.js

MD5 3151f194fcfe3b210732d3f6bed59cbd
SHA1 84d181e892c2c51d29c70daa7f785aa4b9a256bd
SHA256 878057fe16a4f4bcdf4e3cf5e28c5e5686da8f24ebb03ced117b34a3f76571aa
SHA512 0264ab652876cf84616e713e9e7709679e16a43a9d4d8b2624dc0dfe417eb21925a12f07ef2beff8e712570dc9e5a3777aaf221267abe8e977dde7eb64ac7024

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3151f194fcfe3b210732d3f6bed59cbd.js

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e