Malware Analysis Report

2025-04-14 08:28

Sample ID 210929-dmdd9adda9
Target Scano005110.js
SHA256 052a6543d8392cf4c54e7f88f80b41f571ea4e937e3caa6fa9b42a860b40b30c
Tags
hawkeye wshrat keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Scano005110.js was found to be: Known bad.

Malicious Activity Summary

HawkEye

WSHRAT

NirSoft WebBrowserPassView

Nirsoft

NirSoft MailPassView

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Script User-Agent

Kills process with taskkill

Analysis: static1

Detonation Overview

Reported

2021-09-29 03:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-29 03:07

Reported

2021-09-29 03:10

Platform

win7v20210408

Max time kernel

152s

Max time network

165s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

WSHRAT

trojan wshrat

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A (7 identical entries)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fthost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fthost.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" C:\Windows\system32\wscript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1668 set thread context of 1652 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1668 set thread context of 1140 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A (4 identical entries)
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1824 wrote to memory of 1512 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\fthost.exe (4 identical entries)
PID 1512 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\fthost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe (7 identical entries)
PID 1668 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (10 identical entries)
PID 1668 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (10 identical entries)

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js

C:\Users\Admin\AppData\Local\Temp\fthost.exe

"C:\Users\Admin\AppData\Local\Temp\fthost.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
DE 185.49.68.143:416 N/A tcp
RU 77.222.55.43:416 N/A tcp
SC 185.215.113.36:80 N/A tcp
NL 193.56.146.41:416 N/A tcp
NL 193.56.146.43:416 N/A tcp
NL 193.56.146.42:416 N/A tcp
US 70.32.23.50:25 N/A tcp
US 162.144.125.71:25 N/A tcp
RU 92.38.129.26:416 N/A tcp
BG 213.91.128.133:10060 N/A tcp
US 8.8.8.8:53 astatech-cn.com udp
GB 78.110.166.82:80 astatech-cn.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 192.3.53.74:7121 192.3.53.74 tcp (4 identical entries)
US 8.8.8.8:53 wshsoft.company udp
SG 194.59.164.67:80 wshsoft.company tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.legacypharma.com.pk udp
DE 49.12.122.233:587 mail.legacypharma.com.pk tcp (2 identical entries)
NL 65.9.73.94:443 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\fthost.exe

MD5 a0f830df411d0bd29cc9417c61e32be5
SHA1 c03c055c20f08ff9da4ccb56433c722eb981d088
SHA256 ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa
SHA512 e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e

\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 a0f830df411d0bd29cc9417c61e32be5
SHA1 c03c055c20f08ff9da4ccb56433c722eb981d088
SHA256 ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa
SHA512 e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 3c77678429c241c59376b4b284bfa90f
SHA1 5e23f969a6e5071334c2fff7c1a5cc8b4a1f0633
SHA256 d4408efc9b2e8d03cc3ed7234204c241acd033aa6014ae1804c1df3ffcc8e9f1
SHA512 f8853fbe92f7b3cf13270ebbcc281226a59a522c8b9dc6b87f9c74168f4dec8eb4db7f952887cf86591bbfbce9768c14d4dec75af41200842ac5611a4fe7a0c1

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-29 03:07

Reported

2021-09-29 03:09

Platform

win10v20210408

Max time kernel

148s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

WSHRAT

trojan wshrat

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js C:\Windows\system32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 736 set thread context of 1104 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 736 set thread context of 1348 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A (2 identical entries)

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|3ED10BF6|GFBFPSXA|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A (15 identical entries)
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A (2 identical entries)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4000 wrote to memory of 1912 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\fthost.exe (3 identical entries)
PID 1912 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\fthost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe (3 identical entries)
PID 736 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (9 identical entries)
PID 736 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (9 identical entries)
PID 4000 wrote to memory of 2412 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical entries)
PID 4000 wrote to memory of 3192 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe (2 identical entries)
PID 3192 wrote to memory of 3176 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe (3 identical entries)
PID 4000 wrote to memory of 2664 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe (2 identical entries)
PID 2664 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe (2 identical entries)
PID 4000 wrote to memory of 3852 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe (2 identical entries)
PID 3852 wrote to memory of 3572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe (2 identical entries)
PID 4000 wrote to memory of 2308 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\cmdc.exe (3 identical entries)
PID 4000 wrote to memory of 1480 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe (2 identical entries)

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js

C:\Users\Admin\AppData\Local\Temp\fthost.exe

"C:\Users\Admin\AppData\Local\Temp\fthost.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c cd "C:\Users\Admin\AppData\Local\Temp\wshsdk" && C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll > "C:\Users\Admin\AppData\Local\Temp\wshout"

C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe

C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe C:\Users\Admin\AppData\Local\Temp\rundll

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 astatech-cn.com udp
GB 78.110.166.82:80 astatech-cn.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 192.3.53.74:7121 192.3.53.74 tcp (15 identical entries)
US 8.8.8.8:53 wshsoft.company udp
SG 194.59.164.67:80 wshsoft.company tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.legacypharma.com.pk udp
DE 49.12.122.233:587 mail.legacypharma.com.pk tcp (2 identical entries)

Files

C:\Users\Admin\AppData\Local\Temp\fthost.exe

MD5 a0f830df411d0bd29cc9417c61e32be5
SHA1 c03c055c20f08ff9da4ccb56433c722eb981d088
SHA256 ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa
SHA512 e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 a0f830df411d0bd29cc9417c61e32be5
SHA1 c03c055c20f08ff9da4ccb56433c722eb981d088
SHA256 ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa
SHA512 e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 3c77678429c241c59376b4b284bfa90f
SHA1 5e23f969a6e5071334c2fff7c1a5cc8b4a1f0633
SHA256 d4408efc9b2e8d03cc3ed7234204c241acd033aa6014ae1804c1df3ffcc8e9f1
SHA512 f8853fbe92f7b3cf13270ebbcc281226a59a522c8b9dc6b87f9c74168f4dec8eb4db7f952887cf86591bbfbce9768c14d4dec75af41200842ac5611a4fe7a0c1

memory/1104-123-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1104-124-0x0000000000411654-mapping.dmp

memory/736-125-0x0000000002B61000-0x0000000002B62000-memory.dmp

memory/736-126-0x0000000002B64000-0x0000000002B66000-memory.dmp

memory/1104-127-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1348-128-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1348-129-0x0000000000442628-mapping.dmp

memory/1348-130-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

memory/2412-132-0x0000000000000000-mapping.dmp

memory/2412-138-0x000001EB7C160000-0x000001EB7C161000-memory.dmp

memory/2412-143-0x000001EB7C310000-0x000001EB7C311000-memory.dmp

memory/2412-144-0x000001EB61FE0000-0x000001EB61FE2000-memory.dmp

memory/2412-145-0x000001EB61FE3000-0x000001EB61FE5000-memory.dmp

memory/2412-146-0x000001EB61FF0000-0x000001EB61FF1000-memory.dmp

memory/2412-153-0x000001EB7C2B0000-0x000001EB7C2B1000-memory.dmp

memory/2412-155-0x000001EB61FE6000-0x000001EB61FE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c416c12d1b2b1da8c8655e393b544362
SHA1 fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512 cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

memory/3192-157-0x0000000000000000-mapping.dmp

memory/3176-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\wshsdk\python.exe

MD5 e03cbf90f6ed0c8075e5092621555990
SHA1 18ced6a9659a87b7d1458cdb6ce8409219299fc1
SHA256 4695914575f30e2ffe1807bf6a032eaebe241809abf97f65f161b7d0ff0031c9
SHA512 f5cc42d9bde2f389310910203e1140fb03e2059a58e392acfe4e355cde33d7e9ac27c178a296def131ad1868dd375db1f0b091f81c772ea924837f3aa691a97d

C:\Users\Admin\AppData\Local\Temp\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

\Users\Admin\AppData\Local\Temp\wshsdk\python37.dll

MD5 7f0b34248c228bebc731ef155b50bbff
SHA1 67fac3b44b6982a58e9bb6cd20db88f7bc1d0c44
SHA256 5de19772b6449a69c2cac3a454d6321fb0c7affc44200ed56b9ec08c38f06578
SHA512 fdf043f1b3875454e13853ca8754ff8c09431fd8e82d3de1730376175c01f634e1ed585f703e5691b87772ecd952a72c3ecb2a5093dcbda5ce053c0e36d13d23

C:\Users\Admin\AppData\Local\Temp\wshsdk\VCRUNTIME140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

\Users\Admin\AppData\Local\Temp\wshsdk\vcruntime140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

\Users\Admin\AppData\Local\Temp\wshsdk\vcruntime140.dll

MD5 ae96651cfbd18991d186a029cbecb30c
SHA1 18df8af1022b5cb188e3ee98ac5b4da24ac9c526
SHA256 1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1
SHA512 42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__init__.py

MD5 82afd9dcb28c19afdc42097fcbdbe662
SHA1 329e052afe981c8ba32ff78df2deb9d041c05f8b
SHA256 921635dcb46ba5192db20e6c7ed0429c647f7d55ead2f6feaadc00b8410a646e
SHA512 4ae0a9de57f0df6119b99be7168e35917da63e24487b67a4afe96d3996cc42ad22716ac411791998642498bd5f64ab14d9571f4ebf2ee5abc6eb2761270cc897

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\__init__.cpython-37.pyc

MD5 e3f691d123a890f18538f5fead7bd6cd
SHA1 f6e77a0008cefa3a7e3f67c7d11c7787391db5d9
SHA256 3473f433a4d2c09e637f6da9b21172d31468a453c2b47fff27f776e820f25934
SHA512 776e40399adb6e7211ed67022c2b1b12309e5436760c7a0104fe243610e87559f9890575b972cc569d8d793c2d94c70e2f051f36d803ca7c8c89f77f0b39cc23

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\abc.cpython-37.pyc

MD5 cea4fa818d4468f70d14cae1c3fa9593
SHA1 cb060d183cb2f4850d2199a51e82301f653d51c4
SHA256 f64180d0a00e09801d9fa616f7fc21ffc7bb532b19209320059eb3d126e0485f
SHA512 9f434ebacc2d75483b00c4ee687ccd8df69dde06bbf1cb7bb32e7d6ca5db82130f78543a8166446a49fcd51ade6e2f983eb2469dcde0e1f6d4da595fbd01d3a2

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\abc.py

MD5 17e3407344267dde764ecaa542cccd4d
SHA1 ec774abd2a9aa2729a8af6a9cd67dfb22fd0acae
SHA256 f3bbcdb6406b9f9a3467ecd5a8ba74f1accb36adc95aa50d805c2927f09a2304
SHA512 850b5f7293ac61d41eb5e13791aac643858daac0950ed1271ac1f3534184f8f379c248e94e63a9abbb699ae4436e4324a96daf5465abc6a50cbe99887024e1f6

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\io.cpython-37.pyc

MD5 deddc1aebef1d56aa912f32deff5355f
SHA1 472c6923a8fae0cfb7fba6890f2c37dfaf685bcc
SHA256 c27434a09d7e90d3e7980427fa6d22d0eb570663e110b68dd9a71f8bcc3aad24
SHA512 89edddf61d0ce04650e5886f5dc98931a3ac52ecacac6e8fe78ff2b3c5db5943118b600ca05fec3d4022a6469dfeeea0979b03313fbabfc057ac5772103bd328

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\io.py

MD5 2c098fb1d1a4c0a183da506daa34a786
SHA1 55fb1833342ad13c35c6d3cb5fda819327773b21
SHA256 f89251a16945f7c125554cc91c7e7ed1560b366396c3153a4cadfb7a7133cd03
SHA512 375903e7bf79cf6c8e7c4decff482f4b59594aaaef62e01f1f45d0f9e26f9e864690d79cdfbdcf46cd83562cc465ef419cac32739d35bcb9fe6124682a997918

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\latin_1.cpython-37.pyc

MD5 2312f7d16eed297caa4a0da46f612479
SHA1 afc6f0ff4b5d57204b20c4127a58e8cdb0f1f09d
SHA256 3b033fb54ed66cfd73e6cd1479e3a7d7166d70d713d232707dd2b28ac92af2c7
SHA512 66faa5cc8ede6e929ac22ba48a6f1136a70879ccbdbe31146c1f4fb9f9d3744976e36fc47c533a3be4a6edb5b72870dc12018ac73924acf6217c17002c35815a

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\latin_1.py

MD5 92c4d5e13fe5abece119aa4d0c4be6c5
SHA1 79e464e63e3f1728efe318688fe2052811801e23
SHA256 6d5a6c46fe6675543ea3d04d9b27ccce8e04d6dfeb376691381b62d806a5d016
SHA512 c95f5344128993e9e6c2bf590ce7f2cffa9f3c384400a44c0bc3aca71d666ed182c040ec495ea3af83abbd9053c705334e5f4c3f7c07f65e7031e95fdfb7a561

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\utf_8.cpython-37.pyc

MD5 96f8cc58ae6da7199951c19543193a61
SHA1 c9c75c757cb1ea2198f84d80de052db7d874b7c7
SHA256 e24b41e43dae2dcda0a88cae0dc52993ce66790d5addd498d772ea5406f6068e
SHA512 fcb0d4c5f7ceac706b764caf495afb3517e807f89e3f21534997400c1b8fcfc7b23e09bfd3a4599ab4bdf388a36f3f9cd7c14f22ae9c48e03b1d85ed7a8c58dc

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\utf_8.py

MD5 f932d95afcaea5fdc12e72d25565f948
SHA1 2685d94ba1536b7870b7172c06fe72cf749b4d29
SHA256 9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e
SHA512 a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\aliases.cpython-37.pyc

MD5 840a56d291513211bd0e65864b9169f3
SHA1 af58891c07f864d4753baa1dfdbdd71a614cded1
SHA256 a597b04b97a8bfe577010d816ca8a1480247ea96b025c59c345b7b120bb5f922
SHA512 b1fbfbc5ca147fd0fcb9e7a509d5ec5a4578bb038a8116c908aa48ecd593694ab4d318b2bc6c8240bc6c2b4e2e23b7b6ed9d295619a862748ad3609445cd3d87

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\aliases.py

MD5 794677da57c541836ef8c0be93415219
SHA1 67956cb212acc2b5dc578cff48d1fe189e5274e4
SHA256 9ed4517a5778b2efbd76704f841738c12441ff649eed83b2ea033b3843c9b3d5
SHA512 33c3fa687ea494029ff6f250557eaaa24647f847255628b9198a8a33859db0a716d5a3c54743d58b796a46102f2a57da3445935ca0fef1245164523ff4294088

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\codecs.cpython-37.pyc

MD5 31a2fe679cad1b609caba7c961f43d70
SHA1 21d411d11ce126c054ea70f90196c81b18eaa550
SHA256 6b903c49e04070578aa47a378ff830bc9407be92c8b952a134cec40e944fa30d
SHA512 34dde13a6a197caf1ed9fe73ca30e70c966027c44509e398334a6e9be8eb8f5c3289ef66383f3d9cc69da26cca2097c48cb5fde7be14476fe35fd2cc087da855

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\codecs.py

MD5 d1d8d96ee5398cda53cbddca69b8e2ab
SHA1 3998c0a2124ab260a7d83f296228be90418b8366
SHA256 39f79489cb6ef0f95dc0ae007c5ece25897f76fa9b56449922f764896cec5ed3
SHA512 0d324416498fba44b41d175194527d5035176642e535bb446ac2c64feed175df7c316507bda375baa77907465973d1340999c859b5d20b51cc2bd96a30857b7b

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\ascii.py

MD5 ff48c6334861799d8d554f5d2a30ba00
SHA1 08520b19d0353712cdfd919b3694945678c3d2d7
SHA256 698c578b9b5df7bd6f8b2761d114f74cff854c1396083c8ab912b11fcae83b86
SHA512 087a0e1ba9d9ca2c2f51f0156ad0ada1d1eb7ccba8b46159b95779b053d2431fc52ba1ca57fec381ea044a7f0e41490b5389b1af2dbf513c35cc1b29997fee6e

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\encodings\__pycache__\ascii.cpython-37.pyc

MD5 e155072de8b3f0f7c8a089802f2f42fd
SHA1 416497f00986510600ae40c2b263d36c9d4e76c9
SHA256 e2ec095476cd398acf0f5f3e324f29e4e0756c3cb381c90a048ad87e1fef086d
SHA512 f0ffc043da6ec8e49b5d7fdd01685d9cac95d6cc41a69b924a89dbc6b0a11687a67d0ac150f9669ebc5df08942c5b6a79eb9df827d13823995e21620eb01f316

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\genericpath.cpython-37.pyc

MD5 95a87a7d67c0f21553bf7da0a2c106eb
SHA1 c8f86f4214f6259753d7eb3173590d8af3737158
SHA256 28e6fb21b7672763bc20837e7744efa8eed2a33418411a162aee9b1a6e978f55
SHA512 744428bb023395335a06a321bd9ac8b6efb944daabf6703f557194ba74a874168995b31eef57d642f6cad39a01c06e8e862f7a1b089d6204e89da94f8954c2da

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\genericpath.py

MD5 030f6a942a40e56c3431e7b32327502f
SHA1 5bc5a144f77099f5cdac2f8ea7c1ea9afb222cd0
SHA256 e3a2455f322ee591758f26b63f872d58c905ad49a07230e68d8f893bf96b557c
SHA512 59de303d4408452abbd2209f3c12a43c842bf5dbb29d52b7305b33b0c07a302c580ff66555c27bae01938c613d0f1b0e6672baeb1abedb5d9392d3fe34c117fa

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\ntpath.cpython-37.pyc

MD5 d9c4271cee229d5c49844c3327ffb672
SHA1 0e42fb9aa7603ce73ed95e243d29a680393681c2
SHA256 dddcffc15d8faec0c6b78add861648c34aef57fccf6c9760782164b859e0f9f8
SHA512 67e5a2c2950765eef2e681321111b670e8866c26e067fb89c98a02f70b16d7a95fbb12a23ba22d21af76be236506c4816603f1fbc2c189ffade7b999627f6234

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\ntpath.py

MD5 22b8c91cff885cf007ed79c4486bd909
SHA1 6a5f223c3473514a5cbba3eebff8488242506b94
SHA256 730d9f54d1528490fd36dcc29850629d53cccd220b22dbe9cf6b04aa329fcefb
SHA512 dc299e8b0f1855f5d77e79cbf6a2bb81548f4cd4af6e7f09714c238d23c50e907f9506712e835d3fadcb0a3ecb14e78fc5f6e59af8a5f4394b23fc9e44f6878d

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\stat.cpython-37.pyc

MD5 d9a448cd3571a9b8955e58a12f790ac6
SHA1 8ddb51fb6339c9509d34e9897cda08dade4fc7aa
SHA256 8067eca08174fec142c83b95ddd9eec13bc059f6d4450e8a868e67b378226f77
SHA512 f8adbf5578bbf7b1ccc99a919d02be977085f0421507c700d78986ae9fef64bcc1aa9a2df399624e10b8af209cc8d00e4572c977d43c63a3c8eb4c2398f53d91

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\stat.py

MD5 c82139b5ae45bb46243eced2ba195d27
SHA1 5cdeeaec9e08954f755ef0395ad274a84518f777
SHA256 cc2ee9076ddf61bdda1bf23d46fb510417f4d976bdc84b7beb7740577c356708
SHA512 706c09c256052f84ddff1886ccbdbcde2a16c0b902a3f145bdc9a4cc108e030f156a0cac1ac99ea27e14acabe08b733f32bbf17749fb79c9590cd534253dcbb1

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\os.cpython-37.pyc

MD5 d8b766e5331c500fbc7afdf691c7468b
SHA1 9152c2442adfa606b9d0436d86482e2ded2caeb3
SHA256 b18c52db70f2eb0781e116f00301ba88c8b7be168aad45bc596236e0482040a8
SHA512 9fd483c49277699a8904f819c2627f743fbc22c368bfc3c8d1916da36ee4a1b884481ecf07622edf181a85b8a2dc025f49f9485ec74f4672404f6c149aa25c61

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\os.py

MD5 69d3c4e719d20b813c70e8227ee4ccfb
SHA1 09923a3aacfcd2b80c2da9eb22f81e543eb5a8e5
SHA256 61992151f80fe5c47a23121b4fcdd645affd0777b5d4aec89b484d5f238cba80
SHA512 bb33eae54bb4ace1893a8c223add119bbef564ef5d3b250dac2685c83457c12cbbe6b185e33385bdfd70b94b16529a631944ee181b512cb84d4c76a7690ba821

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\site.cpython-37.pyc

MD5 69561c45246bd13e5e1b9c6cd1b0c2ab
SHA1 89470e23a3d9295d24026508cb82fa4ee166a618
SHA256 236c4b25fc3fe254bb367cfcad2c2588849017768a0fd8deadef1ab3f5265823
SHA512 27836ebfbb61729193dc658cc468052cddb1045e2e721ec58dead4e7f0211cdbf1cdf2c4fcd3ae6a52d3c109610a3aec7f99955b634824f52a65febe9fc288d7

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\site.py

MD5 51df50deeb52eb8ec6f4cbb40bb35fd4
SHA1 843ed1cdc13a01d49875c47e8c8447036189af1f
SHA256 7ce57be4214772d5a82e3a678e449cf41d881e048811a619cba86fcb98f0b98e
SHA512 4fb452299acb43bee2e2d93add7726b611aacec121a9b7033c563d3be8c4c9945a9fabb2e312ada85f385e9a1aba34fae0a77b432633bee350ea339798bee7ac

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\_collections_abc.cpython-37.pyc

MD5 03d3708dcc5740c983e428fabd55476c
SHA1 6e8045d4fdb150cbf885fff20f96e324edb1d471
SHA256 e60f921238e15ea7a3ae3bf4b4ba2f0bfde132aa9280b1c43d9b29c0a550d4cc
SHA512 e82dc56b1bae343d9768d3e759d9bc57029744ab80063e7a5fa38700d1eca31ba413368d3eec38b32f9d617f887304321c750aa5c997b35f8e12fb38c01e1678

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\_collections_abc.py

MD5 5fcfc3f248d7465d5401a0a91ab234a5
SHA1 2f5f67c0e5c082c1bd8c1f6296622e4729c7e475
SHA256 2dc39a63eeef170fb7f6cd89cf73c8b58326c0a6261933ba0f8483b5634fa2bf
SHA512 1f1cc8552aeb9c54b9531e5bb0730d682ebb82b6d8ba87492d91151f2ce3d8d6a3026a6ed81ea1cab7d925bde56b1fe9922faeedb24f9170e5a16a23f51d1a0b

C:\Users\Admin\AppData\Local\Temp\rundll

MD5 e0ba917c670e18208f50c6863f19e829
SHA1 fd168f121a3ac36eed870f506ab2c670fb7eebcb
SHA256 41bd97c9bca321b8fcc9bc0fe3ea6d4a5f99c729b757eff84bdfc22fcf7200c1
SHA512 c71a541ef1b03a690b82d3409fcf40f70a331d19ecb5bba991d357ade9209e7952d0ffc00352f2028123497bf6a11bbb45c030a790c58d8bca1c08942b89e853

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\site-packages\pywin32.pth

MD5 79e95b45f12d9bca112cc386ada976bd
SHA1 19603a5f4b8a91e4ce35f7dff29b107959ff4353
SHA256 4daf949d99445bc0786a4335bd3438a7c9dc3bddff734af8f46d1be983aebc5b
SHA512 63d1fac801f7a5673005bb8c0a235a7c3937a1f7dfeb61373549f39029c336b4a643a30c4163eac5114ede11e19084bb86a3f915a9024152832e706b8d339e2e

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\__pycache__\_sitebuiltins.cpython-37.pyc

MD5 d63d385c9848e4123f7eb346d9449a2c
SHA1 bef682e2f8db3335b2bff3f6e7429212d291f7ae
SHA256 a05774c91a4a770426a225851c5564bde8540c14ebb220d3801066e0b5f499bc
SHA512 9deb42537ca9145896e54a5c2f27c4af812367761682b6d495d2b94db5a9decfb43964595f186c3159e011865a3e85788bc508f2a655b2adc83310b858841499

C:\Users\Admin\AppData\Local\Temp\wshsdk\lib\_sitebuiltins.py

MD5 385fa756146827f7cf8d0cd67db9f4e8
SHA1 11121d9dc26c3524d54d061054fa2eeafd87a6f4
SHA256 f7d3f4f4fa0290e861b2eaeb2643ffaf65b18ab7e953143eafa18b7ec68dbf59
SHA512 23369ba61863f1ebe7be138f6666619eaabd67bb055c7f199b40a3511afe28758096b1297a14c84f5635178a309b9f467a644c096951cb0961466c629bf9e77c

memory/2664-197-0x0000000000000000-mapping.dmp

memory/3040-198-0x0000000000000000-mapping.dmp

memory/3852-199-0x0000000000000000-mapping.dmp

memory/3572-200-0x0000000000000000-mapping.dmp

memory/2308-201-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

MD5 54e8ded7b148a13d3363ac7b33f6eb06
SHA1 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512 bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

MD5 54e8ded7b148a13d3363ac7b33f6eb06
SHA1 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512 bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

C:\Users\Admin\AppData\Local\Temp\cmdc.cfg

MD5 70e69155b8080b5db35191ab8426d084
SHA1 383deaaee90ce71b28b0a6e22124e77aa1cccf8b
SHA256 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe
SHA512 c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342

memory/1480-205-0x0000000000000000-mapping.dmp