Malware Analysis Report

2025-01-18 12:22

Sample ID 221107-3l56bahben
Target EMFA Elektrik.PDF.js
SHA256 a0329914f5d8862178bb740cf9ae6e908ca9f1b474504b52e2383936b4625813
Tags: vjw0rm wshrat persistence trojan worm
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a0329914f5d8862178bb740cf9ae6e908ca9f1b474504b52e2383936b4625813

Threat Level: Known bad

The file EMFA Elektrik.PDF.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm wshrat persistence trojan worm

WSHRAT

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Script User-Agent

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-07 23:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-07 23:37

Reported

2022-11-07 23:40

Platform

win7-20220812-en

Max time kernel

148s

Max time network

156s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\EMFA Elektrik.PDF.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A
(36 identical entries)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMFA Elektrik.PDF.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMFA Elektrik.PDF.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOlnVlvvvE.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOlnVlvvvE.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOlnVlvvvE.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EMFA Elektrik.PDF.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EMFA Elektrik.PDF.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EMFA Elektrik.PDF.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EMFA Elektrik.PDF.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 8/11/2022|JavaScript N/A N/A
(26 identical entries)

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\EMFA Elektrik.PDF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TOlnVlvvvE.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EMFA Elektrik.PDF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TOlnVlvvvE.js"

Network

Country Destination Domain Proto
US 8.8.8.8:53 javaautorun.duia.ro udp
US 8.8.8.8:53 javaautorun.duia.ro udp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp

Files

memory/1248-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp

memory/1972-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\TOlnVlvvvE.js

MD5 eb5976974dae9f72ae6df8598700d987
SHA1 4959a8a889c724ea2a690ea5b7372c7da8e3d495
SHA256 2c8df940d6e926fd13115947a773bf33929a7ae382514bdf941c0be98b1ae544
SHA512 24c0321acf1fa116ade2be301bda4351beedab2cac2100d6898c1fe4439b0a30e7309d02c2b1f4255e7fe06ac430ca29d6308e136a63cdaa5cf9545acb87076d

memory/956-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EMFA Elektrik.PDF.js

MD5 09328337c18e6eaaa82580394be62eb1
SHA1 b6e8d3c4e228b45c419e4a449c533655a8330104
SHA256 a0329914f5d8862178bb740cf9ae6e908ca9f1b474504b52e2383936b4625813
SHA512 bad0fe25e5bc05c1ede5ccd676c605042c4a7b866d108cfd2835a99d06347bab5e5c730a42ccaab75ad6b15d47d58d5b9204482736e6bb17e3c97684df3bf944

memory/1672-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMFA Elektrik.PDF.js

MD5 09328337c18e6eaaa82580394be62eb1
SHA1 b6e8d3c4e228b45c419e4a449c533655a8330104
SHA256 a0329914f5d8862178bb740cf9ae6e908ca9f1b474504b52e2383936b4625813
SHA512 bad0fe25e5bc05c1ede5ccd676c605042c4a7b866d108cfd2835a99d06347bab5e5c730a42ccaab75ad6b15d47d58d5b9204482736e6bb17e3c97684df3bf944

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOlnVlvvvE.js

MD5 eb5976974dae9f72ae6df8598700d987
SHA1 4959a8a889c724ea2a690ea5b7372c7da8e3d495
SHA256 2c8df940d6e926fd13115947a773bf33929a7ae382514bdf941c0be98b1ae544
SHA512 24c0321acf1fa116ade2be301bda4351beedab2cac2100d6898c1fe4439b0a30e7309d02c2b1f4255e7fe06ac430ca29d6308e136a63cdaa5cf9545acb87076d

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-07 23:37

Reported

2022-11-07 23:40

Platform

win10v2004-20220812-en

Max time kernel

143s

Max time network

170s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\EMFA Elektrik.PDF.js"

Signatures

Vjw0rm

trojan worm vjw0rm

WSHRAT

trojan wshrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOlnVlvvvE.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMFA Elektrik.PDF.js C:\Windows\system32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMFA Elektrik.PDF.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOlnVlvvvE.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOlnVlvvvE.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EMFA Elektrik.PDF.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EMFA Elektrik.PDF.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EMFA Elektrik.PDF.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EMFA Elektrik = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\EMFA Elektrik.PDF.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header WSHRAT|18024990|TMKNGOMU|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 8/11/2022|JavaScript N/A N/A
(10 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4900 wrote to memory of 3080 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4900 wrote to memory of 3080 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4900 wrote to memory of 5036 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 4900 wrote to memory of 5036 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 5036 wrote to memory of 5008 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe
PID 5036 wrote to memory of 5008 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\EMFA Elektrik.PDF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TOlnVlvvvE.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\EMFA Elektrik.PDF.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TOlnVlvvvE.js"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.252.118.126:80 tcp
US 8.252.118.126:80 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
US 8.8.8.8:53 javaautorun.duia.ro udp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
US 8.252.118.126:80 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 tcp
US 52.109.13.62:443 tcp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.252.118.126:80 tcp
US 8.253.209.121:80 tcp
US 8.253.209.121:80 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
US 67.26.211.254:80 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 tcp
US 8.252.117.126:80 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 185.136.159.253 tcp
FR 185.136.159.253:2070 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
FR 185.136.159.253:2070 tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp
NG 154.120.66.114:5465 javaautorun.duia.ro tcp

Files

memory/3080-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\TOlnVlvvvE.js

MD5 eb5976974dae9f72ae6df8598700d987
SHA1 4959a8a889c724ea2a690ea5b7372c7da8e3d495
SHA256 2c8df940d6e926fd13115947a773bf33929a7ae382514bdf941c0be98b1ae544
SHA512 24c0321acf1fa116ade2be301bda4351beedab2cac2100d6898c1fe4439b0a30e7309d02c2b1f4255e7fe06ac430ca29d6308e136a63cdaa5cf9545acb87076d

memory/5036-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\EMFA Elektrik.PDF.js

MD5 09328337c18e6eaaa82580394be62eb1
SHA1 b6e8d3c4e228b45c419e4a449c533655a8330104
SHA256 a0329914f5d8862178bb740cf9ae6e908ca9f1b474504b52e2383936b4625813
SHA512 bad0fe25e5bc05c1ede5ccd676c605042c4a7b866d108cfd2835a99d06347bab5e5c730a42ccaab75ad6b15d47d58d5b9204482736e6bb17e3c97684df3bf944

memory/5008-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EMFA Elektrik.PDF.js

MD5 09328337c18e6eaaa82580394be62eb1
SHA1 b6e8d3c4e228b45c419e4a449c533655a8330104
SHA256 a0329914f5d8862178bb740cf9ae6e908ca9f1b474504b52e2383936b4625813
SHA512 bad0fe25e5bc05c1ede5ccd676c605042c4a7b866d108cfd2835a99d06347bab5e5c730a42ccaab75ad6b15d47d58d5b9204482736e6bb17e3c97684df3bf944

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TOlnVlvvvE.js

MD5 eb5976974dae9f72ae6df8598700d987
SHA1 4959a8a889c724ea2a690ea5b7372c7da8e3d495
SHA256 2c8df940d6e926fd13115947a773bf33929a7ae382514bdf941c0be98b1ae544
SHA512 24c0321acf1fa116ade2be301bda4351beedab2cac2100d6898c1fe4439b0a30e7309d02c2b1f4255e7fe06ac430ca29d6308e136a63cdaa5cf9545acb87076d