Analysis Overview
SHA256
03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270
Threat Level: Known bad
The file wynmove (1).js was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 08:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 08:40
Reported
2022-11-01 08:42
Platform
win7-20220812-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 856 wrote to memory of 1528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynmove (1).js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wynmove (1).js"
Network
| Country | Destination | Domain | Proto |
| NL | 45.139.105.174:7670 | 45.139.105.174 | tcp |
Files
memory/856-54-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp
memory/1528-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wynmove (1).js
| MD5 | dc1bb14d9ae229088128fc7b820e0b37 |
| SHA1 | 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b |
| SHA256 | 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270 |
| SHA512 | 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js
| MD5 | dc1bb14d9ae229088128fc7b820e0b37 |
| SHA1 | 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b |
| SHA256 | 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270 |
| SHA512 | 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-01 08:40
Reported
2022-11-01 08:42
Platform
win10v2004-20220901-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1352 wrote to memory of 3288 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynmove (1).js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wynmove (1).js"
Network
| Country | Destination | Domain | Proto |
| NL | 45.139.105.174:7670 | 45.139.105.174 | tcp |
| US | 20.189.173.12:443 | | tcp |
| NL | 45.139.105.174:7670 | | tcp |
Files
memory/3288-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\wynmove (1).js
| MD5 | dc1bb14d9ae229088128fc7b820e0b37 |
| SHA1 | 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b |
| SHA256 | 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270 |
| SHA512 | 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js
| MD5 | dc1bb14d9ae229088128fc7b820e0b37 |
| SHA1 | 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b |
| SHA256 | 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270 |
| SHA512 | 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b |