Analysis Overview
SHA256
5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501
Threat Level: Known bad
The file payment receipt.js was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
WSHRAT
Blocklisted process makes network request
Checks computer location settings
Drops startup file
Adds Run key to start application
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-07 06:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-07 06:52
Reported
2022-11-07 06:55
Platform
win7-20220812-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|BC40DA2B|GRXNNIIE|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 7/11/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1092 wrote to memory of 1952 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1092 wrote to memory of 1288 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1288 wrote to memory of 1724 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | takeall.duckdns.org | udp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NG | 154.120.66.114:5465 | javaautorun.duia.ro | tcp |
| NL | 109.206.243.241:1991 | takeall.duckdns.org | tcp |
Files
memory/1092-54-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
memory/1952-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js
| MD5 | 0965c7783112318b1bec9aad1ae0db0f |
| SHA1 | 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc |
| SHA256 | cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59 |
| SHA512 | 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93 |
memory/1288-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\payment receipt.js
| MD5 | 7bdc2ed878e95f7b8b20656f2758d252 |
| SHA1 | fabccf889c3621122cedb7187992f107a9ebf4e3 |
| SHA256 | 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501 |
| SHA512 | 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874 |
memory/1724-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js
| MD5 | 7bdc2ed878e95f7b8b20656f2758d252 |
| SHA1 | fabccf889c3621122cedb7187992f107a9ebf4e3 |
| SHA256 | 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501 |
| SHA512 | 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js
| MD5 | 0965c7783112318b1bec9aad1ae0db0f |
| SHA1 | 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc |
| SHA256 | cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59 |
| SHA512 | 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-07 06:52
Reported
2022-11-07 06:55
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Vjw0rm
WSHRAT
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nmLrNiYocF.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payment receipt = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\payment receipt.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 7/11/2022|JavaScript | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1036 wrote to memory of 4724 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1036 wrote to memory of 4648 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 4648 wrote to memory of 1792 | N/A | C:\Windows\System32\wscript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\payment receipt.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\payment receipt.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js"
Network
| Country | Destination | Domain | Proto |
| NL | 178.79.208.1:80 | | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NG | 154.120.66.114:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | takeall.duckdns.org | udp |
| NL | 109.206.243.241:1991 | takeall.duckdns.org | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 20.42.73.26:443 | | tcp |
Files
memory/4724-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\nmLrNiYocF.js
| MD5 | 0965c7783112318b1bec9aad1ae0db0f |
| SHA1 | 6d204c9b64ea25ae7e2098e6fc3cf2480c8933fc |
| SHA256 | cb1ba05e3d6b07acc0f22c867a18e9216d57e4a09dd7577a3501f9f80fcc4d59 |
| SHA512 | 32a0d75c68f3ada0d94df0fb3d7926fc749ba4fbcdbb8814f14f90382a7431653190d9cceefb4982fc56a7fff18e0d6afe676cf4a84924d31482522665f36c93 |
memory/4648-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\payment receipt.js
| MD5 | 7bdc2ed878e95f7b8b20656f2758d252 |
| SHA1 | fabccf889c3621122cedb7187992f107a9ebf4e3 |
| SHA256 | 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501 |
| SHA512 | 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874 |
memory/1792-136-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payment receipt.js
| MD5 | 7bdc2ed878e95f7b8b20656f2758d252 |
| SHA1 | fabccf889c3621122cedb7187992f107a9ebf4e3 |
| SHA256 | 5619ede0802eae9659da207f84f3bb00d576bc80601609557f0cce017dc35501 |
| SHA512 | 9c70289013d254a60baf0dd9b262c1e9fe0bb83afc2eb964d861ea46433efff80485c924cb4fe9df5695a9ef8a9cf214ef0bb3042730346935c517c21c7f7874 |