Analysis Report COVID_19_Test_Result_Doctor_Note.js

Overview

General Information

Sample Name: COVID_19_Test_Result_Doctor_Note.js
Analysis ID: 365159
MD5: 0bca3422ec870f28791d61a4fa25367f
SHA1: 36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa
SHA256: 7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
System process connects to network (likely due to code injection or exploit)
Drops script or batch files to the startup folder
Found C&C like URL pattern
Potential obfuscated javascript found
Wscript called in batch mode (suppress errors)
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication

Compliance:

Binary contains paths to debug symbols
Source: Binary string: scrrun.pdb source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source: Binary string: wshom.pdbUGP source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source: Binary string: wshom.pdb source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source: Binary string: scrrun.pdbUGP source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp

Networking:

Found C&C like URL pattern
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
Content-Length: 20
Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
Content-Length: 23
Host: adsclickboost.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
Content-Length: 20
Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
Content-Length: 23
Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
(the identical POST request above was observed 23 times in total)
Source: unknown DNS traffic detected: queries for: adsclickboost.com
Source: unknown HTTP traffic detected:
POST /key/license/gate.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
Content-Length: 20
Host: adsclickboost.com
Source: wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.269140453.000001EFB9E01000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408789200.0000028338590000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000002.511576753.00000210EAA81000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381608799.00000210E873B000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.317168248.00000210EAA1D000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/
Source: wscript.exe, 00000001.00000003.416646676.000001F792695000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/1
Source: wscript.exe, 00000001.00000003.356081028.000001F792695000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/12J
Source: wscript.exe, 00000004.00000003.369629621.000001EFB9E34000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/9
Source: wscript.exe, 00000001.00000003.318917408.000001F79268C000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/9aL
Source: wscript.exe, 00000001.00000003.232143310.000001F792695000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/RJ0
Source: wscript.exe, 00000004.00000003.297771553.000001EFB9E34000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/U
Source: wscript.exe, 00000004.00000003.390681019.000001EFB9E34000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/e
Source: wscript.exe, 00000001.00000003.338715180.000001F79268C000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/er
Source: wscript.exe, 00000001.00000003.434803794.000001F79268C000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.461098244.000001EFB9E3D000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/h
Source: wscript.exe, 00000004.00000003.461098244.000001EFB9E3D000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/i
Source: wscript.exe, 00000001.00000003.376049468.000001F792695000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.338793569.000001F7926C9000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.360741823.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.435333564.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.323048900.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.259095669.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.302684036.000001F792695000.00000004.00000001.sdmp, wscript.exe, 00000004.00000002.523177555.000001EFB7635000.00000004.00000040.sdmp, wscript.exe, 00000004.00000002.580871645.000001EFB9615000.00000004.00000040.sdmp, wscript.exe, 00000004.00000003.390662408.000001EFB9E27000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.478419114.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.426945749.0000028338599000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.390596358.0000028337CCD000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.291467055.0000028337CD0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408789200.0000028338590000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.311074066.0000028337CD0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.285395106.0000028337D35000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.448723497.00000210EA490000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.358717656.00000210EAA13000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.466963962.00000210EAA35000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.387548104.00000210EA483000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.340690093.00000210EA483000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.430918597.00000210EA483000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php
Source: wscript.exe, 0000000D.00000002.511362675.00000210EA9F5000.00000004.00000040.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php&
Source: wscript.exe, 00000007.00000003.408908678.0000028338572000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php.
Source: wscript.exe, 00000001.00000003.356081028.000001F792695000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php/
Source: wscript.exe, 00000001.00000003.469238846.000001F792675000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php0DUq1z
Source: wscript.exe, 00000001.00000003.416646676.000001F792695000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php12J
Source: wscript.exe, 00000007.00000002.539288266.0000028338535000.00000004.00000040.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php4
Source: wscript.exe, 0000000D.00000002.491234203.00000210E86A1000.00000004.00000020.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php4d%2fID_19_Test_Result_Doctor_Note.js
Source: wscript.exe, 00000004.00000002.488743713.000001EFB7372000.00000004.00000020.sdmp, wscript.exe, 00000007.00000002.522239743.0000028336342000.00000004.00000020.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php4d%2fb
Source: wscript.exe, 00000001.00000003.416757833.000001F7926AA000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.php;
Source: wscript.exe, 0000000D.00000003.337246961.00000210EAA35000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381444898.00000210EAA35000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.phpB
Source: wscript.exe, 00000004.00000003.409765695.000001EFB9E27000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.phpO
Source: wscript.exe, 0000000D.00000003.358717656.00000210EAA13000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.phpP
Source: wscript.exe, 0000000D.00000003.406308835.00000210EAA35000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.phph
Source: wscript.exe, 0000000D.00000003.427498683.00000210EAA35000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/key/license/gate.phpv
Source: wscript.exe, 00000001.00000003.469496295.000001F792695000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408908678.0000028338572000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/l
Source: wscript.exe, 00000001.00000003.338726572.000001F792695000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com/zJH
Source: wscript.exe, 00000001.00000003.451204480.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.375631367.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.334316047.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.426945749.0000028338599000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381487439.00000210EAA4F000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.php
Source: wscript.exe, 00000001.00000003.451204480.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.337151756.00000210EAA0D000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000002.511545541.00000210EAA6B000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpP
Source: wscript.exe, 00000004.00000003.461256392.000001EFB9E43000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpP4
Source: wscript.exe, 00000004.00000003.461256392.000001EFB9E43000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPJ
Source: wscript.exe, 0000000D.00000003.381487439.00000210EAA4F000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPW
Source: wscript.exe, 00000001.00000003.318818802.000001F7926E1000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPa
Source: wscript.exe, 00000007.00000002.539429799.000002833858B000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPcY
Source: wscript.exe, 00000004.00000003.478595101.000001EFB9E3D000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPz
Source: wscript.exe, 00000004.00000003.315088682.000001EFB9E3D000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpW
Source: wscript.exe, 0000000D.00000002.511545541.00000210EAA6B000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpp
Source: wscript.exe, 00000001.00000003.283704504.000001F7926E1000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpw
Source: wscript.exe, 00000004.00000003.461256392.000001EFB9E43000.00000004.00000001.sdmp String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpy
Source: wscript.exe, 00000001.00000003.434766513.000001F792675000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.467159682.00000210EAA82000.00000004.00000001.sdmp String found in binary or memory: https://waclickboost.com/

System Summary:

Wscript called in batch mode (surpress errors)
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js' (observed 2 times)
Java / VBScript file with very long strings (likely obfuscated code)
Source: COVID_19_Test_Result_Doctor_Note.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal80.troj.evad.winJS@4/10@47/3
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts (observed 8 times)
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\COVID_19_Test_Result_Doctor_Note.js'
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js' (observed 2 times)
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js'
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Binary string: wshom.pdbUGP source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source: Binary string: wshom.pdb source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source: Binary string: scrrun.pdbUGP source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp

Data Obfuscation:

Potential obfuscated javascript found
Source: COVID_19_Test_Result_Doctor_Note.js Initial file: High amount of function use 25

Boot Survival:

Drops script or batch files to the startup folder
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js (observed 3 times)
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js
Stores files to the Windows start menu directory
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js\:Zone.Identifier:$DATA (observed 3 times)
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run COVID_19_Test_Result_Doctor_Note (observed 2 times)

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (observed 8 times)

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer (observed 4 times)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 6584 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6580 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6920 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6916 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 5368 Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 5364 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6404 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6404 Thread sleep time: -120000s >= -30000s
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 0000000D.00000003.316921260.00000210EAA0D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWP*
Source: wscript.exe, 00000001.00000003.284531161.000001F79267E000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.287766335.00000283363D2000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.406350357.00000210EAA4F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000004.00000003.269087910.000001EFB9DE2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 172.67.178.142 80
Source: C:\Windows\System32\wscript.exe Network Connect: 104.21.48.50 80
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior Graph

Behavior Graph ID: 365159
Sample: COVID_19_Test_Result_Doctor_Note.js
Start date: 09/03/2021
Architecture: WINDOWS
Score: 80

Sample-level signatures: Sigma detected: Register Wscript In Run Key; Sigma detected: Drops script at startup location; Found C&C like URL pattern; 2 other signatures
Processes started: wscript.exe (4 instances)
Dropped files: COVID_19_Test_Resu....js:Zone.Identifier (ASCII); C:\...\COVID_19_Test_Result_Doctor_Note.js (ASCII)
Process-level signatures: System process connects to network (likely due to code injection or exploit); Drops script or batch files to the startup folder
Network: adsclickboost.com 104.21.48.50 (ports 49716, 49719, 49723) CLOUDFLARENETUS United States; 172.67.178.142 (ports 49717, 49736, 49751) CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown

Contacted Public IPs

IP              Domain             Country        ASN    ASN Name         Malicious
104.21.48.50    adsclickboost.com  United States  13335  CLOUDFLARENETUS  true
172.67.178.142  unknown            United States  13335  CLOUDFLARENETUS  true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
adsclickboost.com 104.21.48.50 true

Contacted URLs

Name                                           Malicious  Antivirus Detection     Reputation
http://adsclickboost.com/key/license/gate.php  true       Avira URL Cloud: safe   unknown