Malware Analysis Report

2025-04-14 08:28

Sample ID 211019-kfa4wafdg6
Target PO MFG ORDER W124494 - 2021-10-18 0009.js
SHA256 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
Tags vjw0rm wshrat persistence trojan worm
Score 10/10

Analysis Overview

score
10/10

SHA256

1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be

Threat Level: Known bad

The file PO MFG ORDER W124494 - 2021-10-18 0009.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-19 08:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-19 08:32

Reported

2021-10-19 08:34

Platform

win7-en-20210920

Max time kernel

151s

Max time network

154s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO MFG ORDER W124494 - 2021-10-18 0009.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\JDopwXUrEP.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|DCE526E0|JZCKHXIN|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 19/10/2021|JavaScript N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO MFG ORDER W124494 - 2021-10-18 0009.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gameserver-789.duia.ro udp
US 8.8.8.8:53 fax-joh.dyn-ip24.de udp
US 23.105.131.203:6789 gameserver-789.duia.ro tcp
NL 31.210.20.224:20224 fax-joh.dyn-ip24.de tcp

Files

memory/1356-54-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

memory/648-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js

MD5 a1fdbd734df28b3f6fb27e2ce94cf4e3
SHA1 52c0d7adbc91254fbb991e14917917b607de3bf2
SHA256 536643c55df3d89833f33ffb0af1b1171803684e245f8ee333187756c21e3051
SHA512 ee1ea52f8513f19ec4ec954416d320b52079803cdb2cbc04046aec45444758bac1ede4b1985e4394853d7d7610a2fe20bba0c21b3303bb4a9351299febd7b32e

memory/1468-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js

MD5 225bff43c2aa2095bbc11f358628e2a1
SHA1 81645b5fa0518200da4b145cb3428e702cb76244
SHA256 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
SHA512 af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1

memory/1072-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js

MD5 225bff43c2aa2095bbc11f358628e2a1
SHA1 81645b5fa0518200da4b145cb3428e702cb76244
SHA256 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
SHA512 af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js

MD5 a1fdbd734df28b3f6fb27e2ce94cf4e3
SHA1 52c0d7adbc91254fbb991e14917917b607de3bf2
SHA256 536643c55df3d89833f33ffb0af1b1171803684e245f8ee333187756c21e3051
SHA512 ee1ea52f8513f19ec4ec954416d320b52079803cdb2cbc04046aec45444758bac1ede4b1985e4394853d7d7610a2fe20bba0c21b3303bb4a9351299febd7b32e

Analysis: behavioral2

Detonation Overview

Submitted

2021-10-19 08:32

Reported

2021-10-19 08:34

Platform

win10-en-20211014

Max time kernel

150s

Max time network

150s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO MFG ORDER W124494 - 2021-10-18 0009.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\JDopwXUrEP.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\PO MFG ORDER W124494 - 2021-10-18 0009 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PO MFG ORDER W124494 - 2021-10-18 0009.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|DA5D582B|JQKTJDNJ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 22/10/2021|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 3460 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 3504 wrote to memory of 4056 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4056 wrote to memory of 4524 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\PO MFG ORDER W124494 - 2021-10-18 0009.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 fax-joh.dyn-ip24.de udp
US 8.8.8.8:53 gameserver-789.duia.ro udp
NL 31.210.20.224:20224 fax-joh.dyn-ip24.de tcp
US 23.105.131.203:6789 gameserver-789.duia.ro tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp

Files

memory/3460-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\JDopwXUrEP.js

MD5 a1fdbd734df28b3f6fb27e2ce94cf4e3
SHA1 52c0d7adbc91254fbb991e14917917b607de3bf2
SHA256 536643c55df3d89833f33ffb0af1b1171803684e245f8ee333187756c21e3051
SHA512 ee1ea52f8513f19ec4ec954416d320b52079803cdb2cbc04046aec45444758bac1ede4b1985e4394853d7d7610a2fe20bba0c21b3303bb4a9351299febd7b32e

memory/4056-117-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\PO MFG ORDER W124494 - 2021-10-18 0009.js

MD5 225bff43c2aa2095bbc11f358628e2a1
SHA1 81645b5fa0518200da4b145cb3428e702cb76244
SHA256 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
SHA512 af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1

memory/4524-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO MFG ORDER W124494 - 2021-10-18 0009.js

MD5 225bff43c2aa2095bbc11f358628e2a1
SHA1 81645b5fa0518200da4b145cb3428e702cb76244
SHA256 1555172a8ed40bc21eb2136625a097d1d4c7c376a71ee89d657d070ec513c4be
SHA512 af5185929580578438032672b418148391b280180cd7b3e1c35435b485809519a67592d0fe99316f8b7253f9bb1536230036ae21c92c635316417278be4c5cd1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDopwXUrEP.js

MD5 a1fdbd734df28b3f6fb27e2ce94cf4e3
SHA1 52c0d7adbc91254fbb991e14917917b607de3bf2
SHA256 536643c55df3d89833f33ffb0af1b1171803684e245f8ee333187756c21e3051
SHA512 ee1ea52f8513f19ec4ec954416d320b52079803cdb2cbc04046aec45444758bac1ede4b1985e4394853d7d7610a2fe20bba0c21b3303bb4a9351299febd7b32e