Source: unknown |
HTTPS traffic detected: 172.67.132.46:443 -> 192.168.2.4:49757 version: TLS 1.2 |
Source: global traffic |
HTTP traffic detected:
GET /static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Accept-Encoding: identity
Host: codepoints.net
Connection: Keep-Alive |
Source: unknown |
DNS traffic detected: queries for: codepoints.net |
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp |
String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt |
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp |
String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0 |
Source: wget.exe, 00000002.00000002.640905312.0000000000B40000.00000004.00000020.sdmp, cmdline.out.2.dr |
String found in binary or memory: http://codepoints.net/static/js/codepoint.js |
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl |
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp |
String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl |
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp |
String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07 |
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl |
Source: wget.exe, 00000002.00000002.641324998.0000000002CF2000.00000004.00000001.sdmp |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m |
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp |
String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl |
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp |
String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L |
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.digicert.com |
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: wget.exe, 00000002.00000002.641324998.0000000002CF2000.00000004.00000001.sdmp |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: cmdline.out.2.dr |
String found in binary or memory: https://codepoints.net/static/js/codepoint.js |
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp |
String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct |
Source: wscript.exe, 00000004.00000003.644926297.000001E10A792000.00000004.00000001.sdmp |
String found in binary or memory: https://use.typekit.net |
Source: wscript.exe, 00000004.00000003.645147006.000001E10A7DB000.00000004.00000001.sdmp |
String found in binary or memory: https://use.typekit.net:G |
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp |
String found in binary or memory: https://www.digicert.com/CPS0 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49757 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49757 |
Source: classification engine |
Classification label: clean1.win@5/3@1/2 |
Source: C:\Windows\SysWOW64\cmd.exe |
File created: C:\Users\user\Desktop\cmdline.out |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01 |
Source: C:\Windows\SysWOW64\wget.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\wget.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047' > cmdline.out 2>&1 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047' |
Source: unknown |
Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\download\codepoint.js!3c67217e710120291b75e8c13546e320@_=1618365050047.js' |
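The process-creation records above show the chain the sandbox observed: cmd.exe spawns wget with --no-check-certificate and a browser User-Agent, wget writes into C:\Users\user\Desktop\download, and wscript.exe then runs the downloaded file out of that directory. The following Python is an added detection example and is not part of the sandbox report: it parses constructed process-creation events modelled on those records and flags a script host executing a file from a directory that a certificate-check-disabled wget populated. The ProcEvent field layout and SAMPLE_EVENTS are assumptions made for the example.

```python
"""Added detection example: a wget download with certificate checking off and a
browser User-Agent, followed by a script host running a file out of the
directory wget wrote to. Event layout and sample events are constructed."""
import re
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:           # field layout is an assumption for this example
    pid: int
    parent: str
    image: str
    cmdline: str


# Constructed events modelled on the "Process created" records of the report.
UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"
URL = "http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047"
WGET_ARGS = (r"wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate "
             f"--content-disposition --user-agent='{UA}' '{URL}'")
SAMPLE_EVENTS = [
    ProcEvent(1, "unknown", r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c " + WGET_ARGS + " > cmdline.out 2>&1"),
    ProcEvent(2, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\wget.exe", WGET_ARGS),
    ProcEvent(4, "unknown", r"C:\Windows\System32\wscript.exe",
              r"'C:\Windows\System32\WScript.exe' "
              r"'C:\Users\user\Desktop\download\codepoint.js!3c67217e710120291b75e8c13546e320@_=1618365050047.js'"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
WGET_VALUE_FLAGS = {"-t", "-T", "-P", "-O", "-U", "-o", "-a", "-w", "-e", "-i", "-l"}  # consume next token
BROWSER_UA_MARKERS = ("Mozilla/", "Trident/", "like Gecko", "Chrome/", "Firefox/")


def split_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace, honouring quotes but keeping backslashes literal
    (Windows paths); plain shlex.split in POSIX mode would eat them as escapes."""
    lexer = shlex.shlex(cmdline, posix=True)
    lexer.whitespace_split = True
    lexer.escape = ""
    lexer.commenters = ""
    return list(lexer)


def _norm(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").lower()


def basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


@dataclass
class WgetInvocation:
    url: Optional[str] = None
    output_dir: Optional[str] = None
    user_agent: Optional[str] = None
    no_check_certificate: bool = False


def parse_wget(cmdline: str) -> Optional[WgetInvocation]:
    """Pull the fields we care about from a wget command line, whether invoked
    directly or wrapped as 'cmd.exe /c wget ... > out 2>&1'."""
    toks = split_cmdline(cmdline)
    starts = [i for i, t in enumerate(toks) if basename(t) in ("wget", "wget.exe")]
    if not starts:
        return None
    inv, i = WgetInvocation(), starts[0] + 1
    while i < len(toks):
        t = toks[i]
        if t in ("|", "&&", "||") or t.startswith((">", "1>", "2>")):  # cmd.exe redirection ends wget args
            break
        if t == "--no-check-certificate":
            inv.no_check_certificate = True
        elif t.startswith("--user-agent="):
            inv.user_agent = t.split("=", 1)[1]
        elif t.startswith("--directory-prefix="):
            inv.output_dir = t.split("=", 1)[1]
        elif t in WGET_VALUE_FLAGS and i + 1 < len(toks):
            if t == "-P":
                inv.output_dir = toks[i + 1]
            elif t == "-U":
                inv.user_agent = toks[i + 1]
            i += 1
        elif re.match(r"(https?|ftp)://", t, re.I):
            inv.url = t
        i += 1
    return inv


def looks_like_browser_ua(ua: Optional[str]) -> bool:
    """A wget run advertising a browser UA is hiding what it is from the server."""
    return ua is not None and any(m in ua for m in BROWSER_UA_MARKERS)


@dataclass
class Finding:
    downloader_pid: int
    executor_pid: int
    url: str
    script_path: str
    no_check_certificate: bool
    browser_user_agent: bool


def find_download_execute_chains(events: list[ProcEvent]) -> list[Finding]:
    """Pair every wget download directory with script-host executions of a file
    inside it (no ordering is assumed between the events)."""
    downloads = []
    for ev in events:
        if basename(ev.image) == "wget.exe":
            inv = parse_wget(ev.cmdline)
            if inv and inv.url and inv.output_dir:
                downloads.append((ev, inv))
    findings = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        args = split_cmdline(ev.cmdline)[1:]
        for dl_ev, inv in downloads:
            prefix = _norm(inv.output_dir) + "\\"
            for a in args:
                if _norm(a).startswith(prefix):
                    findings.append(Finding(dl_ev.pid, ev.pid, inv.url, a,
                                            inv.no_check_certificate,
                                            looks_like_browser_ua(inv.user_agent)))
    return findings


if __name__ == "__main__":
    for f in find_download_execute_chains(SAMPLE_EVENTS):
        print(f"wget pid {f.downloader_pid} fetched {f.url}\n  -> pid {f.executor_pid} ran {f.script_path}"
              f"\n  no-check-certificate={f.no_check_certificate} browser_ua={f.browser_user_agent}")
```

The report labels this run clean1.win, so the example illustrates the shape worth alerting on rather than a verdict on this sample; the parser deliberately stops at cmd.exe redirection so the same logic handles both the "cmd.exe /c wget ..." wrapper and the bare wget child, and it only looks at wget's -P / --directory-prefix target, so a download written with -O to a path outside that directory would need an extra comparison.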
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 |
Source: C:\Windows\System32\wscript.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB08CF push cs; retf 2_2_02CB08E6 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB0A4F push cs; retf 2_2_02CB0A66 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB03D7 push eax; retf 2_2_02CB0406 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB0B6F push ds; retf 2_2_02CB0B86 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB047F push es; retf 2_2_02CB050E |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB0C77 pushad ; retf 2_2_02CB0CA6 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB050F push ds; retf 2_2_02CB059E |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB0107 push ss; retf 2_2_02CB011E |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB0197 push cs; retf 2_2_02CB01C6 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB04AF push es; retf 2_2_02CB050E |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB0C2F push eax; retf 2_2_02CB0C76 |
Source: C:\Windows\SysWOW64\wget.exe |
Code function: 2_2_02CB06BF pushad ; retf 2_2_02CB06D6 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Window found: window name: WSH-Timer |
Source: C:\Windows\SysWOW64\wget.exe |
Queries volume information: C:\Users\user\Desktop\download VolumeInformation |
Source: C:\Windows\SysWOW64\wget.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |