File name: | 4367890.vbs |
Full analysis: | https://app.any.run/tasks/718edd74-57e1-4de9-b7b2-de0616269088 |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 08:28:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with CRLF line terminators |
MD5: | FDE6C67AEA146B55C1913F2A366298AB |
SHA1: | 1770B686E86C85EC67651FA71CA2D1A145E6468C |
SHA256: | 05B7BDDAB13B701AA80981AC648AD2946F89D557A81CE4CD90404F5551F30A5B |
SSDEEP: | 192:2D/+o4XMLoUNF4pfAwb8MSaVN8fItX7P61yOe8ss/tUnh/K2E:2LroUNSrSm2md5dQwtK2E |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3752 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\4367890.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
2916 | "C:\Windows\system32\ntvdm.exe" -i1 | C:\Windows\system32\ntvdm.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 255 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3488 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\4367890.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
4064 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\4367890.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3376 | "C:\Windows\system32\ntvdm.exe" -i2 | C:\Windows\system32\ntvdm.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2488 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\4367890.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
1816 | "C:\Windows\system32\ntvdm.exe" -i3 | C:\Windows\system32\ntvdm.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2972 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\4367890.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3720 | "C:\Windows\system32\ntvdm.exe" -i4 | C:\Windows\system32\ntvdm.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: NTVDM.EXE Exit code: 3221225786 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3700 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\4367890.vbs" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
(PID) Process: | (3488) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2156) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3108) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3484) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2224) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2252) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (916) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3808) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (4100) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (4812) WScript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | Filename | Type | |
---|---|---|---|---|
2916 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsF751.tmp | — | |
MD5:— | SHA256:— | |||
2916 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsF752.tmp | — | |
MD5:— | SHA256:— | |||
3376 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs868.tmp | — | |
MD5:— | SHA256:— | |||
3376 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs869.tmp | — | |
MD5:— | SHA256:— | |||
1816 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsABA.tmp | — | |
MD5:— | SHA256:— | |||
1816 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scsACA.tmp | — | |
MD5:— | SHA256:— | |||
3700 | WScript.exe | C: | — | |
MD5:— | SHA256:— | |||
3164 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs19EC.tmp | — | |
MD5:— | SHA256:— | |||
3164 | ntvdm.exe | C:\Users\admin\AppData\Local\Temp\scs19FD.tmp | — | |
MD5:— | SHA256:— | |||
2976 | WScript.exe | C: | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3420 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://alemanautos.cl/audipromo.php | US | xml | 345 b | malicious |
3700 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://alemanautos.cl/audipromo.php | US | xml | 345 b | malicious |
2488 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://ajjtech.com/promote.php | US | xml | 345 b | malicious |
932 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://bjaoude.com/typical_solutions.php | US | xml | 345 b | malicious |
2952 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://ajjtech.com/promote.php | US | xml | 345 b | malicious |
656 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://aminvali.ca/FB_counterADC28675BA.php | US | xml | 345 b | malicious |
2976 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://amafest.net/festival_locations.php | US | xml | 345 b | malicious |
696 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://alphatronic.com.my/googleInvesigations_89DE113109AA.php | US | xml | 345 b | malicious |
796 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://bizcraftindia.com/taxReminder.php | US | xml | 345 b | malicious |
2972 | WScript.exe | GET | 404 | 67.23.226.159:80 | http://bjaoude.com/typical_solutions.php | US | xml | 345 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2972 | WScript.exe | 67.23.226.159:80 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
3752 | WScript.exe | 67.23.226.159:80 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
4064 | WScript.exe | 67.23.226.159:80 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
3488 | WScript.exe | 67.23.226.159:443 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
3700 | WScript.exe | 67.23.226.159:80 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
2488 | WScript.exe | 67.23.226.159:80 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
2976 | WScript.exe | 67.23.226.159:80 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
2924 | WScript.exe | 67.23.226.159:80 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
— | — | 67.23.226.159:443 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
3572 | WScript.exe | 67.23.226.159:80 | bjaoude.com | HostDime.com, Inc. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
bjaoude.com |
| malicious |
www.algehr.org |
| malicious |
alemanautos.cl |
| malicious |
ajjtech.com |
| malicious |
amafest.net |
| malicious |
alphatronic.com.my |
| malicious |
alcartgroup.com |
| malicious |
bizcraftindia.com |
| malicious |
aminvali.ca |
| malicious |
alkalbany.net |
| suspicious |