
Analysis Report COVID_19_Test_Result_Doctor_Note.js

Overview

General Information

Sample Name: COVID_19_Test_Result_Doctor_Note.js
Analysis ID: 365159
MD5: 0bca3422ec870f28791d61a4fa25367f
SHA1: 36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa
SHA256: 7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
System process connects to network (likely due to code injection or exploit)
Drops script or batch files to the startup folder
Found C&C like URL pattern
Potential obfuscated javascript found
Wscript called in batch mode (suppress errors)
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 6540 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\COVID_19_Test_Result_Doctor_Note.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 6868 cmdline: 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 5564 cmdline: 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 4528 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 6540, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js
Sigma detected: Register Wscript In Run Key
Source: Registry Key set, Author: Joe Security, Data: Details: wscript.exe //B "C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js", EventID: 13, Image: C:\Windows\System32\wscript.exe, ProcessId: 6540, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\COVID_19_Test_Result_Doctor_Note

Signature Overview

Compliance:

Binary contains paths to debug symbols
Source: Binary string: scrrun.pdb source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source: Binary string: wshom.pdbUGP source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source: Binary string: wshom.pdb source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source: Binary string: scrrun.pdbUGP source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp

Networking:

Found C&C like URL pattern
Source: global traffic, HTTP traffic detected: POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 20 Host: adsclickboost.com
Source: global traffic, HTTP traffic detected: POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 20Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global trafficHTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: unknown | DNS traffic detected: queries for: adsclickboost.com
Source: unknown | HTTP traffic detected:
  POST /key/license/gate.php HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Accept-Language: en-us
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63
  Content-Length: 20
  Host: adsclickboost.com
Source: wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.269140453.000001EFB9E01000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408789200.0000028338590000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000002.511576753.00000210EAA81000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381608799.00000210E873B000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.317168248.00000210EAA1D000.00000004.00000001.sdmp | String found in binary or memory: http://adsclickboost.com/
Source: wscript.exe, 00000001.00000003.376049468.000001F792695000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.338793569.000001F7926C9000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.360741823.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.435333564.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.323048900.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.259095669.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.302684036.000001F792695000.00000004.00000001.sdmp, wscript.exe, 00000004.00000002.523177555.000001EFB7635000.00000004.00000040.sdmp, wscript.exe, 00000004.00000002.580871645.000001EFB9615000.00000004.00000040.sdmp, wscript.exe, 00000004.00000003.390662408.000001EFB9E27000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.478419114.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.426945749.0000028338599000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.390596358.0000028337CCD000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.291467055.0000028337CD0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408789200.0000028338590000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.311074066.0000028337CD0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.285395106.0000028337D35000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.448723497.00000210EA490000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.358717656.00000210EAA13000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.466963962.00000210EAA35000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.387548104.00000210EA483000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.340690093.00000210EA483000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.430918597.00000210EA483000.00000004.00000001.sdmp | String found in binary or memory: http://adsclickboost.com/key/license/gate.php
Source: wscript.exe, 00000001.00000003.451204480.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.375631367.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.334316047.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.426945749.0000028338599000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381487439.00000210EAA4F000.00000004.00000001.sdmp | String found in binary or memory: http://adsclickboost.com:80/key/license/gate.php
Source: wscript.exe, 00000001.00000003.434766513.000001F792675000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.467159682.00000210EAA82000.00000004.00000001.sdmp | String found in binary or memory: https://waclickboost.com/

System Summary:

Wscript called in batch mode (suppress errors)
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js'
Source: COVID_19_Test_Result_Doctor_Note.js | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal80.troj.evad.winJS@4/10@47/3
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\COVID_19_Test_Result_Doctor_Note.js'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js'
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Binary string: scrrun.pdb | source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp
Source: Binary string: wscript.pdbGCTL | source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source: Binary string: wshom.pdbUGP | source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb | source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source: Binary string: wshom.pdb | source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source: Binary string: scrrun.pdbUGP | source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp

Data Obfuscation:

Potential obfuscated javascript found
Source: COVID_19_Test_Result_Doctor_Note.js | Initial file: High amount of function use 25

Boot Survival:

Drops script or batch files to the startup folder
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js
Source: C:\Windows\System32\wscript.exe | File created (dropped file): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js\:Zone.Identifier:$DATA
Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run COVID_19_Test_Result_Doctor_Note
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe TID: 6584 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6580 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6920 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6916 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 5368 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 5364 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6404 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 6404 | Thread sleep time: -120000s >= -30000s
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 0000000D.00000003.316921260.00000210EAA0D000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWP*
Source: wscript.exe, 00000001.00000003.284531161.000001F79267E000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.287766335.00000283363D2000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.406350357.00000210EAA4F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000004.00000003.269087910.000001EFB9DE2000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 172.67.178.142 80
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.21.48.50 80
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting32 | Startup Items1 | Startup Items1 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder21 | Process Injection12 | Virtualization/Sandbox Evasion2 | LSASS Memory | Security Software Discovery11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol112 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder21 | Process Injection12 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting32 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | (none) | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | (none) | Data Encrypted for Impact
(Trailing digits on a technique name are the report's per-technique signature counts, kept as they appeared; "(none)" marks a column with no further entries.)

Behavior Graph

Behavior Graph ID: 365159 (graph image not reproduced; its legend distinguishes Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, the detected language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), Is malicious, and Internet nodes)