Analysis Overview
SHA256
052a6543d8392cf4c54e7f88f80b41f571ea4e937e3caa6fa9b42a860b40b30c
Threat Level: Known bad
The file Scano005110.js was found to be: Known bad.
Malicious Activity Summary
HawkEye
WSHRAT
NirSoft WebBrowserPassView
Nirsoft
NirSoft MailPassView
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Script User-Agent
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-29 03:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-29 03:07
Reported
2021-09-29 03:10
Platform
win7v20210408
Max time kernel
152s
Max time network
165s
Command Line
Signatures
HawkEye
WSHRAT
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fthost.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1668 set thread context of 1652 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1668 set thread context of 1140 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js
C:\Users\Admin\AppData\Local\Temp\fthost.exe
"C:\Users\Admin\AppData\Local\Temp\fthost.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
| Country | Destination | Domain | Proto |
| DE | 185.49.68.143:416 | tcp | |
| RU | 77.222.55.43:416 | tcp | |
| SC | 185.215.113.36:80 | tcp | |
| NL | 193.56.146.41:416 | tcp | |
| NL | 193.56.146.43:416 | tcp | |
| NL | 193.56.146.42:416 | tcp | |
| US | 70.32.23.50:25 | tcp | |
| US | 162.144.125.71:25 | tcp | |
| RU | 92.38.129.26:416 | tcp | |
| BG | 213.91.128.133:10060 | tcp | |
| US | 8.8.8.8:53 | astatech-cn.com | udp |
| GB | 78.110.166.82:80 | astatech-cn.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 8.8.8.8:53 | wshsoft.company | udp |
| SG | 194.59.164.67:80 | wshsoft.company | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.16.154.36:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | mail.legacypharma.com.pk | udp |
| DE | 49.12.122.233:587 | mail.legacypharma.com.pk | tcp |
| DE | 49.12.122.233:587 | mail.legacypharma.com.pk | tcp |
| NL | 65.9.73.94:443 | tcp |
Files
memory/1512-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fthost.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
C:\Users\Admin\AppData\Local\Temp\fthost.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/1512-63-0x0000000075801000-0x0000000075803000-memory.dmp
memory/1512-64-0x0000000000710000-0x0000000000711000-memory.dmp
\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/1668-66-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/1668-70-0x0000000000B50000-0x0000000000B51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 3c77678429c241c59376b4b284bfa90f |
| SHA1 | 5e23f969a6e5071334c2fff7c1a5cc8b4a1f0633 |
| SHA256 | d4408efc9b2e8d03cc3ed7234204c241acd033aa6014ae1804c1df3ffcc8e9f1 |
| SHA512 | f8853fbe92f7b3cf13270ebbcc281226a59a522c8b9dc6b87f9c74168f4dec8eb4db7f952887cf86591bbfbce9768c14d4dec75af41200842ac5611a4fe7a0c1 |
memory/1652-72-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1652-73-0x0000000000411654-mapping.dmp
memory/1668-75-0x0000000000B66000-0x0000000000B67000-memory.dmp
memory/1652-76-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1140-77-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1140-78-0x0000000000442628-mapping.dmp
memory/1140-80-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-29 03:07
Reported
2021-09-29 03:09
Platform
win10v20210408
Max time kernel
148s
Max time network
151s
Command Line
Signatures
HawkEye
WSHRAT
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 736 set thread context of 1104 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 736 set thread context of 1348 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js
C:\Users\Admin\AppData\Local\Temp\fthost.exe
"C:\Users\Admin\AppData\Local\Temp\fthost.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | astatech-cn.com | udp |
| GB | 78.110.166.82:80 | astatech-cn.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 8.8.8.8:53 | wshsoft.company | udp |
| SG | 194.59.164.67:80 | wshsoft.company | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.16.154.36:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | mail.legacypharma.com.pk | udp |
| DE | 49.12.122.233:587 | mail.legacypharma.com.pk | tcp |
| DE | 49.12.122.233:587 | mail.legacypharma.com.pk | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp |
Files
memory/1912-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fthost.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
C:\Users\Admin\AppData\Local\Temp\fthost.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/1912-117-0x00000000028D0000-0x00000000028D1000-memory.dmp
memory/736-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/736-121-0x0000000002B60000-0x0000000002B61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 3c77678429c241c59376b4b284bfa90f |
| SHA1 | 5e23f969a6e5071334c2fff7c1a5cc8b4a1f0633 |
| SHA256 | d4408efc9b2e8d03cc3ed7234204c241acd033aa6014ae1804c1df3ffcc8e9f1 |
| SHA512 | f8853fbe92f7b3cf13270ebbcc281226a59a522c8b9dc6b87f9c74168f4dec8eb4db7f952887cf86591bbfbce9768c14d4dec75af41200842ac5611a4fe7a0c1 |
memory/1104-123-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1104-124-0x0000000000411654-mapping.dmp
memory/736-125-0x0000000002B61000-0x0000000002B62000-memory.dmp
memory/736-126-0x0000000002B64000-0x0000000002B66000-memory.dmp
memory/1104-127-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1348-128-0x0000000000400000-0x0000000000458000-memory.dmp
memory/1348-129-0x0000000000442628-mapping.dmp
memory/1348-130-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f94dc819ca773f1e3cb27abbc9e7fa27 |
| SHA1 | 9a7700efadc5ea09ab288544ef1e3cd876255086 |
| SHA256 | a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92 |
| SHA512 | 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196 |
memory/2412-132-0x0000000000000000-mapping.dmp
memory/2412-138-0x000001EB7C160000-0x000001EB7C161000-memory.dmp
memory/2412-143-0x000001EB7C310000-0x000001EB7C311000-memory.dmp
memory/2412-144-0x000001EB61FE0000-0x000001EB61FE2000-memory.dmp
memory/2412-145-0x000001EB61FE3000-0x000001EB61FE5000-memory.dmp
memory/2412-146-0x000001EB61FF0000-0x000001EB61FF1000-memory.dmp
memory/2412-153-0x000001EB7C2B0000-0x000001EB7C2B1000-memory.dmp
memory/2412-155-0x000001EB61FE6000-0x000001EB61FE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp.txt
| MD5 | c416c12d1b2b1da8c8655e393b544362 |
| SHA1 | fb1a43cd8e1c556c2d25f361f42a21293c29e447 |
| SHA256 | 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046 |
| SHA512 | cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c |
memory/3192-157-0x0000000000000000-mapping.dmp
memory/3176-158-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
| MD5 | e03cbf90f6ed0c8075e5092621555990 |
| SHA1 | 18ced6a9659a87b7d1458cdb6ce8409219299fc1 |
| SHA256 | 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9 |
| SHA512 | f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d |
C:\Users\Admin\AppData\Local\Temp\wshsdk\python37.dll
| MD5 | 7f0b34248c228bebc731ef155b50bbff |
| SHA1 | 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44 |
| SHA256 | 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578 |
| SHA512 | fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23 |
\Users\Admin\AppData\Local\Temp\wshsdk\python37.dll
| MD5 | 7f0b34248c228bebc731ef155b50bbff |
| SHA1 | 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44 |
| SHA256 | 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578 |
| SHA512 | fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\VCRUNTIME140.dll
| MD5 | ae96651cfbd18991d186a029cbecb30c |
| SHA1 | 18df8af1022b5cb188e3ee98ac5b4da24ac9c526 |
| SHA256 | 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1 |
| SHA512 | 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7 |
\Users\Admin\AppData\Local\Temp\wshsdk\vcruntime140.dll
| MD5 | ae96651cfbd18991d186a029cbecb30c |
| SHA1 | 18df8af1022b5cb188e3ee98ac5b4da24ac9c526 |
| SHA256 | 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1 |
| SHA512 | 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7 |
\Users\Admin\AppData\Local\Temp\wshsdk\vcruntime140.dll
| MD5 | ae96651cfbd18991d186a029cbecb30c |
| SHA1 | 18df8af1022b5cb188e3ee98ac5b4da24ac9c526 |
| SHA256 | 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1 |
| SHA512 | 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__init__.py
| MD5 | 82afd9dcb28c19afdc42097fcbdbe662 |
| SHA1 | 329e052afe981c8ba32ff78df2deb9d041c05f8b |
| SHA256 | 921635dcb46ba5192db20e6c7ed0429c647f7d55ead2f6feaadc00b8410a646e |
| SHA512 | 4ae0a9de57f0df6119b99be7168e35917da63e24487b67a4afe96d3996cc42ad22716ac411791998642498bd5f64ab14d9571f4ebf2ee5abc6eb2761270cc897 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc
| MD5 | e3f691d123a890f18538f5fead7bd6cd |
| SHA1 | f6e77a0008cefa3a7e3f67c7d11c7787391db5d9 |
| SHA256 | 3473f433a4d2c09e637f6da9b21172d31468a453c2b47fff27f776e820f25934 |
| SHA512 | 776e40399adb6e7211ed67022c2b1b12309e5436760c7a0104fe243610e87559f9890575b972cc569d8d793c2d94c70e2f051f36d803ca7c8c89f77f0b39cc23 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\abc.cpython-37.pyc
| MD5 | cea4fa818d4468f70d14cae1c3fa9593 |
| SHA1 | cb060d183cb2f4850d2199a51e82301f653d51c4 |
| SHA256 | f64180d0a00e09801d9fa616f7fc21ffc7bb532b19209320059eb3d126e0485f |
| SHA512 | 9f434ebacc2d75483b00c4ee687ccd8df69dde06bbf1cb7bb32e7d6ca5db82130f78543a8166446a49fcd51ade6e2f983eb2469dcde0e1f6d4da595fbd01d3a2 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\abc.py
| MD5 | 17e3407344267dde764ecaa542cccd4d |
| SHA1 | ec774abd2a9aa2729a8af6a9cd67dfb22fd0acae |
| SHA256 | f3bbcdb6406b9f9a3467ecd5a8ba74f1accb36adc95aa50d805c2927f09a2304 |
| SHA512 | 850b5f7293ac61d41eb5e13791aac643858daac0950ed1271ac1f3534184f8f379c248e94e63a9abbb699ae4436e4324a96daf5465abc6a50cbe99887024e1f6 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\io.cpython-37.pyc
| MD5 | deddc1aebef1d56aa912f32deff5355f |
| SHA1 | 472c6923a8fae0cfb7fba6890f2c37dfaf685bcc |
| SHA256 | c27434a09d7e90d3e7980427fa6d22d0eb570663e110b68dd9a71f8bcc3aad24 |
| SHA512 | 89edddf61d0ce04650e5886f5dc98931a3ac52ecacac6e8fe78ff2b3c5db5943118b600ca05fec3d4022a6469dfeeea0979b03313fbabfc057ac5772103bd328 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\io.py
| MD5 | 2c098fb1d1a4c0a183da506daa34a786 |
| SHA1 | 55fb1833342ad13c35c6d3cb5fda819327773b21 |
| SHA256 | f89251a16945f7c125554cc91c7e7ed1560b366396c3153a4cadfb7a7133cd03 |
| SHA512 | 375903e7bf79cf6c8e7c4decff482f4b59594aaaef62e01f1f45d0f9e26f9e864690d79cdfbdcf46cd83562cc465ef419cac32739d35bcb9fe6124682a997918 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc
| MD5 | 2312f7d16eed297caa4a0da46f612479 |
| SHA1 | afc6f0ff4b5d57204b20c4127a58e8cdb0f1f09d |
| SHA256 | 3b033fb54ed66cfd73e6cd1479e3a7d7166d70d713d232707dd2b28ac92af2c7 |
| SHA512 | 66faa5cc8ede6e929ac22ba48a6f1136a70879ccbdbe31146c1f4fb9f9d3744976e36fc47c533a3be4a6edb5b72870dc12018ac73924acf6217c17002c35815a |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\latin_1.py
| MD5 | 92c4d5e13fe5abece119aa4d0c4be6c5 |
| SHA1 | 79e464e63e3f1728efe318688fe2052811801e23 |
| SHA256 | 6d5a6c46fe6675543ea3d04d9b27ccce8e04d6dfeb376691381b62d806a5d016 |
| SHA512 | c95f5344128993e9e6c2bf590ce7f2cffa9f3c384400a44c0bc3aca71d666ed182c040ec495ea3af83abbd9053c705334e5f4c3f7c07f65e7031e95fdfb7a561 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc
| MD5 | 96f8cc58ae6da7199951c19543193a61 |
| SHA1 | c9c75c757cb1ea2198f84d80de052db7d874b7c7 |
| SHA256 | e24b41e43dae2dcda0a88cae0dc52993ce66790d5addd498d772ea5406f6068e |
| SHA512 | fcb0d4c5f7ceac706b764caf495afb3517e807f89e3f21534997400c1b8fcfc7b23e09bfd3a4599ab4bdf388a36f3f9cd7c14f22ae9c48e03b1d85ed7a8c58dc |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\utf_8.py
| MD5 | f932d95afcaea5fdc12e72d25565f948 |
| SHA1 | 2685d94ba1536b7870b7172c06fe72cf749b4d29 |
| SHA256 | 9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e |
| SHA512 | a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc
| MD5 | 840a56d291513211bd0e65864b9169f3 |
| SHA1 | af58891c07f864d4753baa1dfdbdd71a614cded1 |
| SHA256 | a597b04b97a8bfe577010d816ca8a1480247ea96b025c59c345b7b120bb5f922 |
| SHA512 | b1fbfbc5ca147fd0fcb9e7a509d5ec5a4578bb038a8116c908aa48ecd593694ab4d318b2bc6c8240bc6c2b4e2e23b7b6ed9d295619a862748ad3609445cd3d87 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\aliases.py
| MD5 | 794677da57c541836ef8c0be93415219 |
| SHA1 | 67956cb212acc2b5dc578cff48d1fe189e5274e4 |
| SHA256 | 9ed4517a5778b2efbd76704f841738c12441ff649eed83b2ea033b3843c9b3d5 |
| SHA512 | 33c3fa687ea494029ff6f250557eaaa24647f847255628b9198a8a33859db0a716d5a3c54743d58b796a46102f2a57da3445935ca0fef1245164523ff4294088 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\codecs.cpython-37.pyc
| MD5 | 31a2fe679cad1b609caba7c961f43d70 |
| SHA1 | 21d411d11ce126c054ea70f90196c81b18eaa550 |
| SHA256 | 6b903c49e04070578aa47a378ff830bc9407be92c8b952a134cec40e944fa30d |
| SHA512 | 34dde13a6a197caf1ed9fe73ca30e70c966027c44509e398334a6e9be8eb8f5c3289ef66383f3d9cc69da26cca2097c48cb5fde7be14476fe35fd2cc087da855 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\codecs.py
| MD5 | d1d8d96ee5398cda53cbddca69b8e2ab |
| SHA1 | 3998c0a2124ab260a7d83f296228be90418b8366 |
| SHA256 | 39f79489cb6ef0f95dc0ae007c5ece25897f76fa9b56449922f764896cec5ed3 |
| SHA512 | 0d324416498fba44b41d175194527d5035176642e535bb446ac2c64feed175df7c316507bda375baa77907465973d1340999c859b5d20b51cc2bd96a30857b7b |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\ascii.py
| MD5 | ff48c6334861799d8d554f5d2a30ba00 |
| SHA1 | 08520b19d0353712cdfd919b3694945678c3d2d7 |
| SHA256 | 698c578b9b5df7bd6f8b2761d114f74cff854c1396083c8ab912b11fcae83b86 |
| SHA512 | 087a0e1ba9d9ca2c2f51f0156ad0ada1d1eb7ccba8b46159b95779b053d2431fc52ba1ca57fec381ea044a7f0e41490b5389b1af2dbf513c35cc1b29997fee6e |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\ascii.cpython-37.pyc
| MD5 | e155072de8b3f0f7c8a089802f2f42fd |
| SHA1 | 416497f00986510600ae40c2b263d36c9d4e76c9 |
| SHA256 | e2ec095476cd398acf0f5f3e324f29e4e0756c3cb381c90a048ad87e1fef086d |
| SHA512 | f0ffc043da6ec8e49b5d7fdd01685d9cac95d6cc41a69b924a89dbc6b0a11687a67d0ac150f9669ebc5df08942c5b6a79eb9df827d13823995e21620eb01f316 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\genericpath.cpython-37.pyc
| MD5 | 95a87a7d67c0f21553bf7da0a2c106eb |
| SHA1 | c8f86f4214f6259753d7eb3173590d8af3737158 |
| SHA256 | 28e6fb21b7672763bc20837e7744efa8eed2a33418411a162aee9b1a6e978f55 |
| SHA512 | 744428bb023395335a06a321bd9ac8b6efb944daabf6703f557194ba74a874168995b31eef57d642f6cad39a01c06e8e862f7a1b089d6204e89da94f8954c2da |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\genericpath.py
| MD5 | 030f6a942a40e56c3431e7b32327502f |
| SHA1 | 5bc5a144f77099f5cdac2f8ea7c1ea9afb222cd0 |
| SHA256 | e3a2455f322ee591758f26b63f872d58c905ad49a07230e68d8f893bf96b557c |
| SHA512 | 59de303d4408452abbd2209f3c12a43c842bf5dbb29d52b7305b33b0c07a302c580ff66555c27bae01938c613d0f1b0e6672baeb1abedb5d9392d3fe34c117fa |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\ntpath.cpython-37.pyc
| MD5 | d9c4271cee229d5c49844c3327ffb672 |
| SHA1 | 0e42fb9aa7603ce73ed95e243d29a680393681c2 |
| SHA256 | dddcffc15d8faec0c6b78add861648c34aef57fccf6c9760782164b859e0f9f8 |
| SHA512 | 67e5a2c2950765eef2e681321111b670e8866c26e067fb89c98a02f70b16d7a95fbb12a23ba22d21af76be236506c4816603f1fbc2c189ffade7b999627f6234 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\ntpath.py
| MD5 | 22b8c91cff885cf007ed79c4486bd909 |
| SHA1 | 6a5f223c3473514a5cbba3eebff8488242506b94 |
| SHA256 | 730d9f54d1528490fd36dcc29850629d53cccd220b22dbe9cf6b04aa329fcefb |
| SHA512 | dc299e8b0f1855f5d77e79cbf6a2bb81548f4cd4af6e7f09714c238d23c50e907f9506712e835d3fadcb0a3ecb14e78fc5f6e59af8a5f4394b23fc9e44f6878d |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\stat.cpython-37.pyc
| MD5 | d9a448cd3571a9b8955e58a12f790ac6 |
| SHA1 | 8ddb51fb6339c9509d34e9897cda08dade4fc7aa |
| SHA256 | 8067eca08174fec142c83b95ddd9eec13bc059f6d4450e8a868e67b378226f77 |
| SHA512 | f8adbf5578bbf7b1ccc99a919d02be977085f0421507c700d78986ae9fef64bcc1aa9a2df399624e10b8af209cc8d00e4572c977d43c63a3c8eb4c2398f53d91 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\stat.py
| MD5 | c82139b5ae45bb46243eced2ba195d27 |
| SHA1 | 5cdeeaec9e08954f755ef0395ad274a84518f777 |
| SHA256 | cc2ee9076ddf61bdda1bf23d46fb510417f4d976bdc84b7beb7740577c356708 |
| SHA512 | 706c09c256052f84ddff1886ccbdbcde2a16c0b902a3f145bdc9a4cc108e030f156a0cac1ac99ea27e14acabe08b733f32bbf17749fb79c9590cd534253dcbb1 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\os.cpython-37.pyc
| MD5 | d8b766e5331c500fbc7afdf691c7468b |
| SHA1 | 9152c2442adfa606b9d0436d86482e2ded2caeb3 |
| SHA256 | b18c52db70f2eb0781e116f00301ba88c8b7be168aad45bc596236e0482040a8 |
| SHA512 | 9fd483c49277699a8904f819c2627f743fbc22c368bfc3c8d1916da36ee4a1b884481ecf07622edf181a85b8a2dc025f49f9485ec74f4672404f6c149aa25c61 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\os.py
| MD5 | 69d3c4e719d20b813c70e8227ee4ccfb |
| SHA1 | 09923a3aacfcd2b80c2da9eb22f81e543eb5a8e5 |
| SHA256 | 61992151f80fe5c47a23121b4fcdd645affd0777b5d4aec89b484d5f238cba80 |
| SHA512 | bb33eae54bb4ace1893a8c223add119bbef564ef5d3b250dac2685c83457c12cbbe6b185e33385bdfd70b94b16529a631944ee181b512cb84d4c76a7690ba821 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\site.cpython-37.pyc
| MD5 | 69561c45246bd13e5e1b9c6cd1b0c2ab |
| SHA1 | 89470e23a3d9295d24026508cb82fa4ee166a618 |
| SHA256 | 236c4b25fc3fe254bb367cfcad2c2588849017768a0fd8deadef1ab3f5265823 |
| SHA512 | 27836ebfbb61729193dc658cc468052cddb1045e2e721ec58dead4e7f0211cdbf1cdf2c4fcd3ae6a52d3c109610a3aec7f99955b634824f52a65febe9fc288d7 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\site.py
| MD5 | 51df50deeb52eb8ec6f4cbb40bb35fd4 |
| SHA1 | 843ed1cdc13a01d49875c47e8c8447036189af1f |
| SHA256 | 7ce57be4214772d5a82e3a678e449cf41d881e048811a619cba86fcb98f0b98e |
| SHA512 | 4fb452299acb43bee2e2d93add7726b611aacec121a9b7033c563d3be8c4c9945a9fabb2e312ada85f385e9a1aba34fae0a77b432633bee350ea339798bee7ac |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\_collections_abc.cpython-37.pyc
| MD5 | 03d3708dcc5740c983e428fabd55476c |
| SHA1 | 6e8045d4fdb150cbf885fff20f96e324edb1d471 |
| SHA256 | e60f921238e15ea7a3ae3bf4b4ba2f0bfde132aa9280b1c43d9b29c0a550d4cc |
| SHA512 | e82dc56b1bae343d9768d3e759d9bc57029744ab80063e7a5fa38700d1eca31ba413368d3eec38b32f9d617f887304321c750aa5c997b35f8e12fb38c01e1678 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\_collections_abc.py
| MD5 | 5fcfc3f248d7465d5401a0a91ab234a5 |
| SHA1 | 2f5f67c0e5c082c1bd8c1f6296622e4729c7e475 |
| SHA256 | 2dc39a63eeef170fb7f6cd89cf73c8b58326c0a6261933ba0f8483b5634fa2bf |
| SHA512 | 1f1cc8552aeb9c54b9531e5bb0730d682ebb82b6d8ba87492d91151f2ce3d8d6a3026a6ed81ea1cab7d925bde56b1fe9922faeedb24f9170e5a16a23f51d1a0b |
C:\Users\Admin\AppData\Local\Temp\rundll
| MD5 | e0ba917c670e18208f50c6863f19e829 |
| SHA1 | fd168f121a3ac36eed870f506ab2c670fb7eebcb |
| SHA256 | 41bd97c9bca321b8fcc9bc0fe3ea6d4a5f99c729b757eff84bdfc22fcf7200c1 |
| SHA512 | c71a541ef1b03a690b82d3409fcf40f70a331d19ecb5bba991d357ade9209e7952d0ffc00352f2028123497bf6a11bbb45c030a790c58d8bca1c08942b89e853 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\site-packages\pywin32.pth
| MD5 | 79e95b45f12d9bca112cc386ada976bd |
| SHA1 | 19603a5f4b8a91e4ce35f7dff29b107959ff4353 |
| SHA256 | 4daf949d99445bc0786a4335bd3438a7c9dc3bddff734af8f46d1be983aebc5b |
| SHA512 | 63d1fac801f7a5673005bb8c0a235a7c3937a1f7dfeb61373549f39029c336b4a643a30c4163eac5114ede11e19084bb86a3f915a9024152832e706b8d339e2e |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\_sitebuiltins.cpython-37.pyc
| MD5 | d63d385c9848e4123f7eb346d9449a2c |
| SHA1 | bef682e2f8db3335b2bff3f6e7429212d291f7ae |
| SHA256 | a05774c91a4a770426a225851c5564bde8540c14ebb220d3801066e0b5f499bc |
| SHA512 | 9deb42537ca9145896e54a5c2f27c4af812367761682b6d495d2b94db5a9decfb43964595f186c3159e011865a3e85788bc508f2a655b2adc83310b858841499 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\_sitebuiltins.py
| MD5 | 385fa756146827f7cf8d0cd67db9f4e8 |
| SHA1 | 11121d9dc26c3524d54d061054fa2eeafd87a6f4 |
| SHA256 | f7d3f4f4fa0290e861b2eaeb2643ffaf65b18ab7e953143eafa18b7ec68dbf59 |
| SHA512 | 23369ba61863f1ebe7be138f6666619eaabd67bb055c7f199b40a3511afe28758096b1297a14c84f5635178a309b9f467a644c096951cb0961466c629bf9e77c |
memory/2664-197-0x0000000000000000-mapping.dmp
memory/3040-198-0x0000000000000000-mapping.dmp
memory/3852-199-0x0000000000000000-mapping.dmp
memory/3572-200-0x0000000000000000-mapping.dmp
memory/2308-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
| MD5 | 54e8ded7b148a13d3363ac7b33f6eb06 |
| SHA1 | 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9 |
| SHA256 | 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342 |
| SHA512 | bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349 |
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
| MD5 | 54e8ded7b148a13d3363ac7b33f6eb06 |
| SHA1 | 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9 |
| SHA256 | 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342 |
| SHA512 | bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349 |
C:\Users\Admin\AppData\Local\Temp\cmdc.cfg
| MD5 | 70e69155b8080b5db35191ab8426d084 |
| SHA1 | 383deaaee90ce71b28b0a6e22124e77aa1cccf8b |
| SHA256 | 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe |
| SHA512 | c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342 |
memory/1480-205-0x0000000000000000-mapping.dmp