Malware Analysis Report

2024-11-30 15:44

Sample ID 230123-pg6pdseg5v
Target SIBAIRQ-PD-PUR-926.js
SHA256 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c
Tags vjw0rm persistence trojan worm
Score 10/10

Analysis Overview

Score 10/10

SHA256 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c

Threat Level: Known bad

The file SIBAIRQ-PD-PUR-926.js was found to be: Known bad.

Malicious Activity Summary

vjw0rm persistence trojan worm

Vjw0rm

Blocklisted process makes network request

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-01-23 12:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-23 12:19

Reported

2023-01-23 12:21

Platform

win10v2004-20221111-en

Max time kernel

147s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\SIBAIRQ-PD-PUR-926.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIBAIRQ-PD-PUR-926.js C:\Windows\system32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIBAIRQ-PD-PUR-926.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js C:\Windows\System32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIBAIRQ-PD-PUR-926 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SIBAIRQ-PD-PUR-926.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIBAIRQ-PD-PUR-926 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SIBAIRQ-PD-PUR-926.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIBAIRQ-PD-PUR-926 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SIBAIRQ-PD-PUR-926.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIBAIRQ-PD-PUR-926 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SIBAIRQ-PD-PUR-926.js\"" C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 1260 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1716 wrote to memory of 1620 N/A C:\Windows\system32\wscript.exe C:\Windows\System32\wscript.exe
PID 1620 wrote to memory of 1616 N/A C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\SIBAIRQ-PD-PUR-926.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SIBAIRQ-PD-PUR-926.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 91.193.75.231:5443 javaautorun.duia.ro tcp
N/A 8.8.8.8:53 oyo.powrkenken.info udp
N/A 194.5.98.71:46077 oyo.powrkenken.info tcp
N/A 93.184.221.240:80 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 20.189.173.12:443 N/A tcp
N/A 87.248.202.1:80 N/A tcp

Files

memory/1260-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js

MD5 66dc2636a8030d46088ffea48edca927
SHA1 0b69c990c12f471bae591feff36810bee88dc8be
SHA256 f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e
SHA512 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a

memory/1620-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\SIBAIRQ-PD-PUR-926.js

MD5 23e6dafa419a763923005e18ac40b8b4
SHA1 8e1d466bbf8278d773c30198fd166c8f2cc95134
SHA256 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c
SHA512 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3

memory/1616-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIBAIRQ-PD-PUR-926.js

MD5 23e6dafa419a763923005e18ac40b8b4
SHA1 8e1d466bbf8278d773c30198fd166c8f2cc95134
SHA256 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c
SHA512 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js

MD5 66dc2636a8030d46088ffea48edca927
SHA1 0b69c990c12f471bae591feff36810bee88dc8be
SHA256 f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e
SHA512 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-23 12:19

Reported

2023-01-23 12:21

Platform

win7-20220901-en

Max time kernel

149s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\SIBAIRQ-PD-PUR-926.js

Signatures

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\wscript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIBAIRQ-PD-PUR-926.js C:\Windows\System32\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js C:\Windows\System32\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIBAIRQ-PD-PUR-926.js C:\Windows\system32\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SIBAIRQ-PD-PUR-926 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SIBAIRQ-PD-PUR-926.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIBAIRQ-PD-PUR-926 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SIBAIRQ-PD-PUR-926.js\"" C:\Windows\system32\wscript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\SIBAIRQ-PD-PUR-926 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SIBAIRQ-PD-PUR-926.js\"" C:\Windows\System32\wscript.exe N/A
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run C:\Windows\System32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIBAIRQ-PD-PUR-926 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\SIBAIRQ-PD-PUR-926.js\"" C:\Windows\System32\wscript.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\SIBAIRQ-PD-PUR-926.js

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SIBAIRQ-PD-PUR-926.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 javaautorun.duia.ro udp
N/A 8.8.8.8:53 oyo.powrkenken.info udp
N/A 91.193.75.231:5443 javaautorun.duia.ro tcp
N/A 194.5.98.71:46077 oyo.powrkenken.info tcp

Files

memory/1644-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\bBPGleXeSh.js

MD5 66dc2636a8030d46088ffea48edca927
SHA1 0b69c990c12f471bae591feff36810bee88dc8be
SHA256 f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e
SHA512 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a

memory/1492-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\SIBAIRQ-PD-PUR-926.js

MD5 23e6dafa419a763923005e18ac40b8b4
SHA1 8e1d466bbf8278d773c30198fd166c8f2cc95134
SHA256 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c
SHA512 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3

memory/1556-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIBAIRQ-PD-PUR-926.js

MD5 23e6dafa419a763923005e18ac40b8b4
SHA1 8e1d466bbf8278d773c30198fd166c8f2cc95134
SHA256 12736919f6e945cb175325bcffb7ca8fff02db430fea5803c76a73cc2145436c
SHA512 9db15577ef3b80a5503c561c01914548e5c2b8a56d59673a1d48d2fa3ba205a654504adc7d297258bb70ee681e81d4b4d6367fe1d7e244ceaaff9e00780efae3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBPGleXeSh.js

MD5 66dc2636a8030d46088ffea48edca927
SHA1 0b69c990c12f471bae591feff36810bee88dc8be
SHA256 f65f356f01c0807a3142dcad0b4ae406dbf835dbe80fe8a6aca8abf59c74242e
SHA512 8084c417d30fec47c5b519657f2651bffc7c1c9d403eb5356aae6e47ee572610f4f4095f4f65cd2fef54c1e47592fb7e64e6c2f598539115c84b2647e6b97e0a