vjw0rm | 2f2b1b66553a447bb3384f5d22407a00bedefc43f5d4fb63b8b4970ed6c1702f

Analysis

max time kernel
91s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2023, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231125-21-WshRat-364d4a.js
Size

3.8MB
MD5

7d1e985be05e1038b33ae1c4e980a663
SHA1

364d4a8f587b94716daaec3ce4ed80d00b356c0c
SHA256

2f2b1b66553a447bb3384f5d22407a00bedefc43f5d4fb63b8b4970ed6c1702f
SHA512

754ee17cdbcd34b2201dc47a92f86f9e7f8cd8aa82969c6a3970d02b8bec33ae19edc9627a011d1554d2935a4a830c5fd769c7f281e95707473e4c55a151c845
SSDEEP

24576:1ZGBVFPB36kJuadeEKwN8o5red0epniTcZkgbMegyMDoIWqkaln8wDs/Pm+x7Dt5:F

Score

10^/10

vjw0rm persistence trojan worm

Malware Config

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 12 IoCs

flow	pid	Process
19	4400	wscript.exe
21	4984	wscript.exe
22	4456	wscript.exe
33	4984	wscript.exe
41	4400	wscript.exe
43	4456	wscript.exe
63	4984	wscript.exe
64	4400	wscript.exe
67	4456	wscript.exe
101	4984	wscript.exe
105	4400	wscript.exe
106	4456	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231125-21-WshRat-364d4a.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smLqjlUDtu.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231125-21-WshRat-364d4a.js	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smLqjlUDtu.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smLqjlUDtu.js	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\231125-21-WshRat-364d4a = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\231125-21-WshRat-364d4a.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\231125-21-WshRat-364d4a = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\231125-21-WshRat-364d4a.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\231125-21-WshRat-364d4a = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\231125-21-WshRat-364d4a.js\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\231125-21-WshRat-364d4a = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\231125-21-WshRat-364d4a.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133453475731690237"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
884	chrome.exe
884	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe
Token: SeShutdownPrivilege	884	chrome.exe
Token: SeCreatePagefilePrivilege	884	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe
884	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 4400	1668	wscript.exe	87
PID 1668 wrote to memory of 4400	1668	wscript.exe	87
PID 1668 wrote to memory of 4984	1668	wscript.exe	88
PID 1668 wrote to memory of 4984	1668	wscript.exe	88
PID 4984 wrote to memory of 4456	4984	wscript.exe	92
PID 4984 wrote to memory of 4456	4984	wscript.exe	92
PID 884 wrote to memory of 4512	884	chrome.exe	102
PID 884 wrote to memory of 4512	884	chrome.exe	102
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 4436	884	chrome.exe	105
PID 884 wrote to memory of 5080	884	chrome.exe	103
PID 884 wrote to memory of 5080	884	chrome.exe	103
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104
PID 884 wrote to memory of 3900	884	chrome.exe	104

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\231125-21-WshRat-364d4a.js
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\smLqjlUDtu.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:4400
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\231125-21-WshRat-364d4a.js"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\smLqjlUDtu.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0x110,0x128,0x7ffdc12b9758,0x7ffdc12b9768,0x7ffdc12b9778
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:2
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4780 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5480 --field-trial-handle=1928,i,15171777285364721706,9661501096551427,131072 /prefetch:1
  2⤵
  PID:3696

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\250ec355-6c3c-442d-90e6-824e1646902c.tmp

Filesize
220KB

MD5
51d70cc161fb03c6b5d6c733fce913b2

SHA1
53aac85505e637a5168d5ed8ba4239be18115a09

SHA256
a1dda2c352f2eefb12747defd8444d3efffecca73e412bc0d0948e4a67177ef6

SHA512
1258cd19b9314ff656b014f0311bcb17f75fbe8a0ac2bb68a3456e7774ff753116ac86a4f0f4757dfe5ec8b22e16d8de50fe2b101dbd2579621000cfb8d7ca35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f05b16ca1b85722e190006581914abed

SHA1
3b7456fc1c7916dfc847b7cc7bd32507ab23a2b2

SHA256
cb157ffe09f331f40c293c1011a4746d4258e118b4a6281b67a963083f1b76b1

SHA512
d6ef27df6e45d8d4054c5e395304587f7f6a7aa1e7887fa2569cb4732caa632ddb79738f397f7b76fdbc80cd4ab74c08d3c1efc767d43eeef441be4988d8058e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
757b48e3d2345e7e52373719c818d1be

SHA1
4e0119dd10ce19c8b7872b4a74bfddffa989a3a7

SHA256
2b7406e0b27a1a2467065052a9de72a17759f6a362e376171b501bf82d5ea87a

SHA512
f7b2a75948fd17cda70b83b7038ba614c4a14ced5d49197842cacc81166d202b789b5fa71acb6dd85cfeeac31333b82947dfce1b0520ae4bddac4cd851a849f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
d43fdd5195246efac2dd555ffdfbdd5f

SHA1
4abf0a643922cdb7e71f3547cf25aaacea00d0f7

SHA256
5a4b29722b8d43d0a37bb80cc796e13ad4e3ed6019b3c1b12ed516d27d49fcb5

SHA512
b839d807316315f23d9b216980a2d72e62948936bc655f641550a70bb66a265deaad8f8c9961f265f761e397a1941dd6479ea8dff48ae86fcb08f8295e1e8ae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
541b8a549c140060b6f654632432d674

SHA1
647502fb50df43b0920015d5bc78412abec6e162

SHA256
8a173437af82720fcc2ed736a3ab075a306389631058117ff9b15a16ee8d6ef0

SHA512
527ca23c0d71835df10d4c086970cc9725413f58c59efc3c08f97f0409082cccb33f8c7586a652062cc2e9ff1a3745655dc6240f871d6b2b17f2cdc9dfceeb9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1d55a8f719d163961e81246735cfee91

SHA1
aca1f3360dfca96c6cf640cc5d77f76d4a5e0394

SHA256
e1c94bbc1b71e689cafc0543c7ebe5717315c92cc679115addf6f61879bd6080

SHA512
fd97a83ae15f0d871a6a6dc85337f4365325d2b7c36f5b75d2bf88ab0ae5a5353ab370c5dfa0385c6f99b104786f6984439a4839665205c1b1c5833bfacdc30d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7e823d026cb8f85ef87ff4b672ebfd7c

SHA1
d4d80eadde9d9cb4d7d4f1a1a9d84736c1a26111

SHA256
e5744d9abc82eea2fc3754aa03d9337cd32681b3fe189c3d13160365e29df007

SHA512
43e5cb5ac665c8f292279e29cefbdd70aabbb75a3976c33d168c4e4bf43f329b9d96755d1c4bd15d8008797bd6266f986032b31e6fdb23156232b83df29148b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\231125-21-WshRat-364d4a.js

Filesize
3.8MB

MD5
7d1e985be05e1038b33ae1c4e980a663

SHA1
364d4a8f587b94716daaec3ce4ed80d00b356c0c

SHA256
2f2b1b66553a447bb3384f5d22407a00bedefc43f5d4fb63b8b4970ed6c1702f

SHA512
754ee17cdbcd34b2201dc47a92f86f9e7f8cd8aa82969c6a3970d02b8bec33ae19edc9627a011d1554d2935a4a830c5fd769c7f281e95707473e4c55a151c845

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231125-21-WshRat-364d4a.js

Filesize
3.8MB

MD5
7d1e985be05e1038b33ae1c4e980a663

SHA1
364d4a8f587b94716daaec3ce4ed80d00b356c0c

SHA256
2f2b1b66553a447bb3384f5d22407a00bedefc43f5d4fb63b8b4970ed6c1702f

SHA512
754ee17cdbcd34b2201dc47a92f86f9e7f8cd8aa82969c6a3970d02b8bec33ae19edc9627a011d1554d2935a4a830c5fd769c7f281e95707473e4c55a151c845

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\231125-21-WshRat-364d4a.js

Filesize
3.8MB

MD5
7d1e985be05e1038b33ae1c4e980a663

SHA1
364d4a8f587b94716daaec3ce4ed80d00b356c0c

SHA256
2f2b1b66553a447bb3384f5d22407a00bedefc43f5d4fb63b8b4970ed6c1702f

SHA512
754ee17cdbcd34b2201dc47a92f86f9e7f8cd8aa82969c6a3970d02b8bec33ae19edc9627a011d1554d2935a4a830c5fd769c7f281e95707473e4c55a151c845

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smLqjlUDtu.js

Filesize
346KB

MD5
5ba184f8b0d55c21c5c44fa4d5167626

SHA1
97ecafc5f5af815c78306e1a93069b5e7b19b664

SHA256
a41c9f6197d9f3e066c58a804569195ece07559c8a8ffb77d7a4536bb36e55b9

SHA512
4596406c51b3724e22716c3d2b96d0a737918d6ffcee140046b7921c4266d8c3590734fcc2da68a3746f8f044629415e3bcf8185a09050611ba1372c2db690f2

Download Submit
C:\Users\Admin\AppData\Roaming\smLqjlUDtu.js

Filesize
346KB

MD5
5ba184f8b0d55c21c5c44fa4d5167626

SHA1
97ecafc5f5af815c78306e1a93069b5e7b19b664

SHA256
a41c9f6197d9f3e066c58a804569195ece07559c8a8ffb77d7a4536bb36e55b9

SHA512
4596406c51b3724e22716c3d2b96d0a737918d6ffcee140046b7921c4266d8c3590734fcc2da68a3746f8f044629415e3bcf8185a09050611ba1372c2db690f2

Download Submit
C:\Users\Admin\AppData\Roaming\smLqjlUDtu.js

Filesize
346KB

MD5
5ba184f8b0d55c21c5c44fa4d5167626

SHA1
97ecafc5f5af815c78306e1a93069b5e7b19b664

SHA256
a41c9f6197d9f3e066c58a804569195ece07559c8a8ffb77d7a4536bb36e55b9

SHA512
4596406c51b3724e22716c3d2b96d0a737918d6ffcee140046b7921c4266d8c3590734fcc2da68a3746f8f044629415e3bcf8185a09050611ba1372c2db690f2

Download Submit