Malware Analysis Report

2025-01-18 12:21

Sample ID 221101-kkw7xaafgj
Target wynmove (1).js
SHA256 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270
Tags
wshrat persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270

Threat Level: Known bad

The file wynmove (1).js was found to be: Known bad.

Malicious Activity Summary

wshrat persistence trojan

WSHRAT

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 08:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 08:40

Reported

2022-11-01 08:42

Platform

win7-20220812-en

Max time kernel

147s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynmove (1).js"

Signatures

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 1/11/2022|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 1528 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 856 wrote to memory of 1528 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 856 wrote to memory of 1528 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynmove (1).js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wynmove (1).js"

Network

Country Destination Domain Proto
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp

Files

memory/856-54-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

memory/1528-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wynmove (1).js

MD5 dc1bb14d9ae229088128fc7b820e0b37
SHA1 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b
SHA256 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270
SHA512 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js

MD5 dc1bb14d9ae229088128fc7b820e0b37
SHA1 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b
SHA256 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270
SHA512 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-01 08:40

Reported

2022-11-01 08:42

Platform

win10v2004-20220901-en

Max time kernel

150s

Max time network

149s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynmove (1).js"

Signatures

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wynmove (1) = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\wynmove (1).js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/11/2022|JavaScript N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 3288 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1352 wrote to memory of 3288 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\wynmove (1).js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\wynmove (1).js"

Network

Country Destination Domain Proto
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
US 20.189.173.12:443 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 45.139.105.174 tcp
NL 45.139.105.174:7670 tcp

Files

memory/3288-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\wynmove (1).js

MD5 dc1bb14d9ae229088128fc7b820e0b37
SHA1 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b
SHA256 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270
SHA512 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wynmove (1).js

MD5 dc1bb14d9ae229088128fc7b820e0b37
SHA1 6852c416ec186e6cdd3be3e4bc13a2ec94dc1b0b
SHA256 03b7620c65c87c6db1bc76f63d8e88799bcd920b90e91f6bbbe8e4a899080270
SHA512 5192f50e7b013d09742e4e515f910933b5e8aabd80313a689cd3b89e757da7a49cd6acf2e315d5ea68eb67f263ffe76a32bbce2458a9d031fa51a8d1febd171b