
Analysis Report pQlSDfwyYkf.js

Overview

General Information

Sample Name:pQlSDfwyYkf.js
Analysis ID:381513
MD5:6cdad3b5ac021d3dbf0fb6159831cdce
SHA1:9e4ccf157808cabe397aca975accd69d79fa49a7
SHA256:ea00769d7f638847d6082f8a9d4493cd98041df6d713f06a3bcaf95ec8ac54fb

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Drops script at startup location
Sigma detected: Register Wscript In Run Key
System process connects to network (likely due to code injection or exploit)
Drops script or batch files to the startup folder
JavaScript source code contains functionality to check for AV products
JavaScript source code contains functionality to check for volume information
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
May check the online IP address of the machine
Performs DNS queries to domains with low reputation
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive logical disk information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Wscript called in batch mode (suppress errors)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
JavaScript / VBScript file with very long strings (likely obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication

Startup

  • System is w10x64
  • wscript.exe (PID: 2904 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\pQlSDfwyYkf.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 7004 cmdline: 'C:\Windows\system32\WScript.exe' //B 'C:\Users\user\AppData\Roaming\pQlSDfwyYkf.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 7104 cmdline: 'C:\Windows\system32\WScript.exe' //B 'C:\Users\user\AppData\Roaming\pQlSDfwyYkf.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 4612 cmdline: 'C:\Windows\system32\WScript.exe' //B 'C:\Users\user\AppData\Roaming\pQlSDfwyYkf.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 6404 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQlSDfwyYkf.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 2904, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQlSDfwyYkf.js
Sigma detected: Register Wscript In Run Key
Source: Registry Key set; Author: Joe Security; Data: Details: WScript.exe //B "C:\Users\user\AppData\Roaming\pQlSDfwyYkf.js", EventID: 13, Image: C:\Windows\System32\wscript.exe, ProcessId: 2904, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pQlSDfwyYkf
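Both Sigma hits describe persistence that a Sysmon-based detection can catch on a production host, not only in the sandbox. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it evaluates EventID 11 (FileCreate) and EventID 13 (RegistryEvent, value set) records, flags a script-extension file landing in a Startup folder and a Run-key value that launches wscript.exe in //B batch mode, and extracts the script path from the Run-key command so a responder knows which file to collect. The event dictionaries are constructed from the two Sigma records above (field names follow Sysmon); the third record is a constructed benign control. The extension list, the user-writable-path heuristic and the severity labels are assumptions to tune.

```python
"""Sysmon-style detection for the two persistence techniques the Sigma rules
above flag. Added example; not code from the Joe Sandbox report or the sample.
EVENTS is constructed: field names follow Sysmon, values come from the report.
"""
import re

# Extensions WSH / the shell will execute as scripts (list is an assumption; extend as needed).
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|wsh|hta|ps1|bat|cmd)$", re.I)
# Per-user and all-users Startup folders share this suffix.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Matches HKCU and HKLM Run/RunOnce (the report shows both hives being written).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# wscript/cscript launched with //B (batch mode: no error dialogs, so a broken
# script dies silently instead of alerting the user).
WSCRIPT_BATCH = re.compile(r"\b[wc]script(?:\.exe)?\b.*//b\b", re.I)
# Locations an unprivileged user can write to; a Run entry pointing there is a stronger signal.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\", re.I)

EVENTS = [  # constructed from the two Sigma hits in this report
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe", "ProcessId": 2904,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQlSDfwyYkf.js"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe", "ProcessId": 2904,
     "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pQlSDfwyYkf",
     "Details": r'WScript.exe //B "C:\Users\user\AppData\Roaming\pQlSDfwyYkf.js"'},
    # constructed benign control: an installer registering its own updater
    {"EventID": 13, "Image": r"C:\Program Files\Example\setup.exe", "ProcessId": 5120,
     "TargetObject": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     "Details": r'"C:\Program Files\Example\updater.exe" /background'},
]


def script_path_from_command(cmd):
    """Return the script argument of a wscript/cscript command line, quoted or bare."""
    m = re.search(r'"([^"]+\.(?:js|jse|vbs|vbe|wsf))"|(\S+\.(?:js|jse|vbs|vbe|wsf))\b', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def evaluate(events):
    """Return (rule, pid, detail) tuples for every event matching a persistence rule."""
    hits = []
    for ev in events:
        if ev["EventID"] == 11:  # FileCreate
            target = ev.get("TargetFilename", "")
            if STARTUP_DIR.search(target) and SCRIPT_EXT.search(target):
                hits.append(("startup_script_drop", ev["ProcessId"], target))
        elif ev["EventID"] == 13:  # RegistryEvent (value set)
            key, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY.search(key) and WSCRIPT_BATCH.search(details):
                path = script_path_from_command(details)
                severity = "high" if path and USER_WRITABLE.search(path) else "medium"
                hits.append(("wscript_batch_run_key", ev["ProcessId"], f"{severity}: {path or details}"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in evaluate(EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Two practical notes. The Run-key regex deliberately matches both hives, because the Boot Survival section below records the same value being written under HKEY_LOCAL_MACHINE as well as HKEY_CURRENT_USER; a rule keyed on HKCU alone would report half the persistence. And the Startup-folder copy is launched without //B (see the last wscript.exe in the process tree), so on a host where the script breaks, the user would see a WSH error dialog at logon; that dialog is sometimes the first report an analyst gets.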

Signature Overview


AV Detection:

JavaScript source code contains functionality to check for AV products
Source: pQlSDfwyYkf.js Return value : ['"select * from antivirusProd"', '"select * from antivirusProduc"', '"select * from antivirusProdu","c"', '"select * from antivirusPr"', '"select * from antivirusProduct",""', '"select * from antivirusProduct","wql",0', '"select * from antivirusPro","d"', '"select * from antivirusP","r"', '"select * from antivirus"', '"select * from antivirusProduct"']
Source: unknown HTTPS traffic detected: 204.11.58.187:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: Binary string: scrrun.pdb source: wscript.exe, 00000013.00000002.503310743.000002118D1D0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.496882216.00000214AC810000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.500020123.0000021089070000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.499115021.000002A35A430000.00000002.00000001.sdmp
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000013.00000002.496790684.000002118B6E0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.496190396.00000214AC780000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.499682939.0000021088FF0000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.498108525.000002A358C00000.00000002.00000001.sdmp
Source: Binary string: wshom.pdbUGP source: wscript.exe, 00000013.00000002.503434265.000002118D1E0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.498272126.00000214ACAB0000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.510166079.000002108B650000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 00000013.00000002.496790684.000002118B6E0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.496190396.00000214AC780000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.499682939.0000021088FF0000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.498108525.000002A358C00000.00000002.00000001.sdmp
Source: Binary string: wshom.pdb source: wscript.exe, 00000013.00000002.503434265.000002118D1E0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.498272126.00000214ACAB0000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.510166079.000002108B650000.00000002.00000001.sdmp
Source: Binary string: scrrun.pdbUGP source: wscript.exe, 00000013.00000002.503310743.000002118D1D0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.496882216.00000214AC810000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.500020123.0000021089070000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.499115021.000002A35A430000.00000002.00000001.sdmp

Software Vulnerabilities:

JavaScript source code contains functionality to generate code involving a shell, file or stream
Source: pQlSDfwyYkf.js Argument value (5 occurrences) : ['"Scripting.FileSystemObject"']
Source: pQlSDfwyYkf.js Return value : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W', '"Scripting.FileSystemObject"']
Source: pQlSDfwyYkf.js Argument value (2 occurrences) : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W', '"Scripting.FileSystemObject"']
Source: pQlSDfwyYkf.js Return value : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W', '"Scripting.FileSystemObject"']
Source: pQlSDfwyYkf.js Argument value (2 occurrences) : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W', '"Scripting.FileSystemObject"']
Source: pQlSDfwyYkf.js Argument value (2 occurrences) : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W', '"adodb.stream"', '"Scripting.FileSystemObject"', '"adodb.stream",""']
Source: pQlSDfwyYkf.js Return value : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W', '"adodb.stream"', 'a\\x7fb\\x7fc\\x7fd\\x7fe\\x7ff\\x7fg\\x7fh\\x7fi\\x7fEx\\x7fj\\x7fk\\x7fl\\x7fm\\x7fn\\x7fo\\x7fp\\x7fq\\x7fr\\x7fs\\x7', '"a%b%c%d%e%f%g%h%i%Ex%j%k%l%m%n%o%p%q%r%s%t%u%v%w%x%y%z%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%', '"Scripting.FileSystemObject"', '"a\\x7fb\\x7fc\\x7fd\\x7fe\\x7ff\\x7fg\\x7fh\\x7fi\\x7fEx\\x7fj\\x7fk\\x7fl\\x7fm\\x7fn\\x7fo\\x7fp\\x7fq\\x7fr\\x7fs\\x', '"adodb.stream",""']
Source: pQlSDfwyYkf.js Argument value (2 occurrences) : ['"WScript.shell"', 'a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W', '"adodb.stream"', 'a\\x7fb\\x7fc\\x7fd\\x7fe\\x7ff\\x7fg\\x7fh\\x7fi\\x7fEx\\x7fj\\x7fk\\x7fl\\x7fm\\x7fn\\x7fo\\x7fp\\x7fq\\x7fr\\x7fs\\x7', '"a%b%c%d%e%f%g%h%i%Ex%j%k%l%m%n%o%p%q%r%s%t%u%v%w%x%y%z%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%', '"Scripting.FileSystemObject"', '"a\\x7fb\\x7fc\\x7fd\\x7fe\\x7ff\\x7fg\\x7fh\\x7fi\\x7fEx\\x7fj\\x7fk\\x7fl\\x7fm\\x7fn\\x7fo\\x7fp\\x7fq\\x7fr\\x7fs\\x', '"adodb.stream",""']

Networking:

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Source: pQlSDfwyYkf.js Argument value : ['"http://myip.dnsomatic.com/"', '"http://myip.dn","s"', '"http://","m"', '"http://myip.dnsomatic.","c"', '"http://m"', '"http://myip.dnsomatic.com/",""', '"http://myip.dnso","m"', '"http://myip.dnsomatic.co","m"', '"http://myip.dnsoma","t"', '"http://myip.dnsom"', '"http://myip.dnsomat"', '"http://myip.","d"', '"http://myip.dnsomatic"', '"http://my","ip"', '"http://myip.dnsomatic.com"', '"http://myip.dnsomatic.c"', '"http://myip.dns"', '"http://myip.d"', '"http://myip.dnsomati","c"', '"http://myip"']
Source: pQlSDfwyYkf.js Return value (2 occurrences) : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W']
Source: pQlSDfwyYkf.js Return value : ['"user-agent:",""', '"user-agent:","Mozilla/5.0 (Windows NT 6.1; rv:81.0) Gecko/20100101 Firefox/81.0"', '"user-agent"', '"user-agent:"']
Source: pQlSDfwyYkf.js Argument value : ['"msxml2.xmlhttp.6.0"']
Source: pQlSDfwyYkf.js Return value : ['"http://ip","-"', '"http://ip-api.com/j","s"', '"http://ip-ap"', '"http://ip-api.com","/"', '"http://"', '"http://ip-api","."', '"http://ip-api.com/json"', '"http://ip-api.com/js"', '"http://ip-a","p"', '"get","http://ip-api.com/json/",false', '"http://ip-api.com/json/",""', '"http://ip-api.c","o"', '"http://ip-api.com/json/"', '"http://ip-api."', '"http://ip-api.co"', '"http://ip-api.com/"', '"http://ip-"', '"http://ip-api.com/jso","n"']
Source: pQlSDfwyYkf.js Argument value : ['"msxml2.xmlhttp.6.0"', '"msxml2.xmlhttp.6.0",""', '"msxml2.xmlhttp","."', '"msxml2.xmlhttp.6."', '"msxml2.xmlhttp.6","."', '"msxml2.xmlhttp."']
Source: pQlSDfwyYkf.js Argument value : ['"get","http://myip.dnsomatic.com/",false']
Source: pQlSDfwyYkf.js Argument value : ['"msxml2.xmlhttp.6.0"', '"msxml2.xmlhttp.6.0",""', '"msxml2.xmlhttp","."', '"msxml2.xmlhttp.6."', '"msxml2.xmlhttp.6","."', '"msxml2.xmlhttp."']
Source: pQlSDfwyYkf.js Return value : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W', 'a\\x7fb\\x7fc\\x7fd\\x7fe\\x7ff\\x7fg\\x7fh\\x7fi\\x7fEx\\x7fj\\x7fk\\x7fl\\x7fm\\x7fn\\x7fo\\x7fp\\x7fq\\x7fr\\x7fs\\x7', '"a%b%c%d%e%f%g%h%i%Ex%j%k%l%m%n%o%p%q%r%s%t%u%v%w%x%y%z%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%', '"a\\x7fb\\x7fc\\x7fd\\x7fe\\x7ff\\x7fg\\x7fh\\x7fi\\x7fEx\\x7fj\\x7fk\\x7fl\\x7fm\\x7fn\\x7fo\\x7fp\\x7fq\\x7fr\\x7fs\\x']
Source: pQlSDfwyYkf.js Return value : ['"user-agent:",""', '"user-agent:","Mozilla/5.0 (Windows NT 6.1; rv:81.0) Gecko/20100101 Firefox/81.0"', '"user-agent"', '"user-agent:"']
Source: pQlSDfwyYkf.js Return value : ['"http://ip","-"', '"http://ip-api.com/j","s"', '"http://ip-ap"', '"http://ip-api.com","/"', '"http://"', '"http://ip-api","."', '"http://ip-api.com/json"', '"http://ip-api.com/js"', '"http://ip-a","p"', '"get","http://ip-api.com/json/",false', '"http://ip-api.com/json/",""', '"http://ip-api.c","o"', '"http://ip-api.com/json/"', '"http://ip-api."', '"http://ip-api.co"', '"http://ip-api.com/"', '"http://ip-"', '"http://ip-api.com/jso","n"']
Source: pQlSDfwyYkf.js Argument value : ['"msxml2.xmlhttp.6.0"', '"msxml2.xmlhttp.6.0",""', '"msxml2.xmlhttp","."', '"msxml2.xmlhttp.6."', '"msxml2.xmlhttp.6","."', '"msxml2.xmlhttp."']
May check the online IP address of the machine
Source: C:\Windows\System32\wscript.exe DNS query: name: ip-api.com
Source: C:\Windows\System32\wscript.exe DNS query (2 occurrences): name: myip.dnsomatic.com
Source: unknown DNS query (2 occurrences): name: ip-api.com
Source: unknown DNS query (6 occurrences): name: myip.dnsomatic.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\System32\wscript.exe DNS query: barbraovich.xyz
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected (6 occurrences): GET /json/ HTTP/1.1 | Accept: */* | user-agent: Mozilla/5.0 (Windows NT 6.1; rv:81.0) Gecko/20100101 Firefox/81.0 | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic HTTP traffic detected (8 occurrences): GET / HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: myip.dnsomatic.com | Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: ip-api.com
Source: unknown Network traffic detected: HTTP traffic on ports 49726, 49727, 49728, 49734, 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726, 49727, 49728, 49734, 49748
Source: unknown HTTPS traffic detected: 204.11.58.187:443 -> 192.168.2.5:49726 version: TLS 1.2
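The "May check the online IP address", "System process connects to network" and "Uses a known web browser user agent" signatures above are all visible in the captured requests. The Python below is an added example, not code from the report or from the sample: it parses requests in the flattened form the report exports (request line and headers run together without CRLF) and applies three checks over (issuing process, request) records: a request to a public "what is my IP" service, a browser User-Agent sent by a script host, and one process presenting more than one User-Agent. REQUESTS is constructed from the two request shapes captured above, each attributed to wscript.exe because that is the process the matching DNS queries are logged for; the third record is a constructed benign control. HEADER_NAMES, IP_LOOKUP_HOSTS and SCRIPT_HOSTS are starting lists, not authoritative ones.

```python
"""Triage of the HTTP requests captured above. Added example; not code from the
Joe Sandbox report or from the sample. Parses requests in the flattened form
the report exports (headers concatenated without CRLF) and flags external-IP
lookups, browser user agents sent by a script host, and a process that uses
more than one user agent.
"""
import re
from collections import defaultdict

# Header names the splitter recognizes (assumption: extend for other captures).
HEADER_NAMES = ("Accept", "Accept-Language", "Accept-Encoding", "UA-CPU", "Host",
                "Connection", "User-Agent", "Content-Type", "Content-Length",
                "Cache-Control", "Pragma", "Referer", "Cookie")
# Zero-width split just before "<KnownHeader>: " so the run-together text separates cleanly.
SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(HEADER_NAMES), re.I)

# Public "what is my IP" services (starting list, an assumption; not exhaustive).
IP_LOOKUP_HOSTS = {"ip-api.com", "myip.dnsomatic.com", "api.ipify.org", "icanhazip.com",
                   "ifconfig.me", "checkip.amazonaws.com", "ipinfo.io"}
# Processes that have no business presenting themselves as a browser.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed records: (issuing process, flattened request). The first two are the two
# request shapes captured in this report, attributed to wscript.exe because that is
# the process the matching DNS queries are logged for; the third is a benign control.
REQUESTS = [
    (r"C:\Windows\System32\wscript.exe",
     "GET /json/ HTTP/1.1Accept: */*user-agent: Mozilla/5.0 (Windows NT 6.1; rv:81.0) Gecko/20100101 Firefox/81.0"
     "Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: ip-api.comConnection: Keep-Alive"),
    (r"C:\Windows\System32\wscript.exe",
     "GET / HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflate"
     "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; "
     ".NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: myip.dnsomatic.comConnection: Keep-Alive"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",  # constructed control
     "GET / HTTP/1.1Accept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/89.0.4389.82 Safari/537.36Host: example.comConnection: Keep-Alive"),
]


def parse_flat_request(flat):
    """Split a run-together request into method/path/version and a lower-cased header dict."""
    parts = SPLIT.split(flat.replace(" | ", ""))  # also accepts the ' | '-separated rendering
    method, path, version = parts[0].split()
    headers = {}
    for chunk in parts[1:]:
        name, _, value = chunk.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def assess(records):
    """Return (rule, process, detail) findings over (image, flat_request) records."""
    findings, agents = [], defaultdict(set)
    for image, flat in records:
        req = parse_flat_request(flat)
        proc = image.rsplit("\\", 1)[-1].lower()
        host = req["headers"].get("host", "").lower()
        ua = req["headers"].get("user-agent", "")
        agents[proc].add(ua)
        if host in IP_LOOKUP_HOSTS:
            findings.append(("external_ip_lookup", proc, f"{req['method']} http://{host}{req['path']}"))
        if proc in SCRIPT_HOSTS and ua.startswith("Mozilla/"):
            findings.append(("browser_ua_from_script_host", proc, ua))
    for proc, seen in agents.items():
        if len(seen) > 1:  # one process, two identities: a header set by hand on only some requests
            findings.append(("inconsistent_user_agent", proc, " || ".join(sorted(seen))))
    return findings


if __name__ == "__main__":
    for rule, proc, detail in assess(REQUESTS):
        print(f"{rule:28} {proc:12} {detail}")
```

The inconsistent-User-Agent finding is the one worth keeping beyond this sample. The ip-api.com request carries the Firefox string the script assembles (the '"user-agent:","Mozilla/5.0 ..."' return values above), while the myip.dnsomatic.com request carries an MSIE 7.0 / Trident compatibility string, which is consistent with the default the WinINet-based MSXML2.XMLHTTP component sends when the script sets no header. That suggests the script only sets User-Agent on one of its two requests; a script host whose outbound requests switch identities is a cheap thing to hunt for in proxy logs, independent of which IP-lookup domain is in fashion.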

System Summary:

Wscript called in batch mode (suppress errors)
Source: unknown Process created (3 occurrences): C:\Windows\System32\wscript.exe 'C:\Windows\system32\WScript.exe' //B 'C:\Users\user\AppData\Roaming\pQlSDfwyYkf.js'
Source: pQlSDfwyYkf.js Initial sample: strings found that are longer than 50 characters
Source: classification engine Classification label: mal100.troj.evad.winJS@5/5@8/3
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM
Source: C:\Windows\System32\wscript.exe WMI Queries (2 occurrences): IWbemServices::ExecQuery - root\cimv2 : select * from win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_Process
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe File read (5 occurrences): C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\pQlSDfwyYkf.js'
Source: unknown Process created (3 occurrences): C:\Windows\System32\wscript.exe 'C:\Windows\system32\WScript.exe' //B 'C:\Users\user\AppData\Roaming\pQlSDfwyYkf.js'
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQlSDfwyYkf.js'
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Boot Survival:

Drops script or batch files to the startup folder
Source: C:\Windows\System32\wscript.exe File created (3 occurrences): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQlSDfwyYkf.js
Source: C:\Windows\System32\wscript.exe File created (2 occurrences): C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQlSDfwyYkf.js:Zone.Identifier:$DATA
Source: C:\Windows\System32\wscript.exe Registry value created or modified (2 occurrences): HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pQlSDfwyYkf
Source: C:\Windows\System32\wscript.exe Registry value created or modified (2 occurrences): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run pQlSDfwyYkf
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set (10 occurrences): NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
JavaScript source code contains functionality to check for volume informationShow sources
Source: pQlSDfwyYkf.jsReturn value : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W']Go to definition
Source: pQlSDfwyYkf.jsReturn value : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W']Go to definition
Source: pQlSDfwyYkf.jsReturn value : ['a,b,c,d,e,f,g,h,i,Ex,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W', 'a\\x7fb\\x7fc\\x7fd\\x7fe\\x7ff\\x7fg\\x7fh\\x7fi\\x7fEx\\x7fj\\x7fk\\x7fl\\x7fm\\x7fn\\x7fo\\x7fp\\x7fq\\x7fr\\x7fs\\x7', '"a%b%c%d%e%f%g%h%i%Ex%j%k%l%m%n%o%p%q%r%s%t%u%v%w%x%y%z%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%', '"a\\x7fb\\x7fc\\x7fd\\x7fe\\x7ff\\x7fg\\x7fh\\x7fi\\x7fEx\\x7fj\\x7fk\\x7fl\\x7fm\\x7fn\\x7fo\\x7fp\\x7fq\\x7fr\\x7fs\\x']Go to definition
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_NetworkAdapterConfiguration where ipenabled=true
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_NetworkAdapterConfiguration where ipenabled=true
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)Show sources
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_LogicalDisk
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)Show sources
Source: C:\Windows\System32\wscript.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_VideoController
Source: C:\Windows\System32\wscript.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Windows\System32\wscript.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_ComputerSystemProduct (reported 6 times)
Source: C:\Windows\System32\wscript.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_ComputerSystem (reported 2 times)
Source: C:\Windows\System32\wscript.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_Processor (reported 2 times)
Source: wscript.exe, 00000013.00000002.513384457.000002118DFF0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.511766834.00000214AEF20000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.510343378.000002108B670000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.512388419.000002A35B3A0000.00000002.00000001.sdmp  Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000013.00000002.506760598.000002118D5C0000.00000004.00000001.sdmp  Binary or memory string: VMware, Inc.
Source: wscript.exe, 00000013.00000002.506760598.000002118D5C0000.00000004.00000001.sdmp  Binary or memory string: stringComputer System ProductComputer System ProductO7Z41U32BB3542-7533-27D2-5200-3CE24BD43271VMware, Inc.None
Source: wscript.exe, 00000013.00000002.513384457.000002118DFF0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.511766834.00000214AEF20000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.510343378.000002108B670000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.512388419.000002A35B3A0000.00000002.00000001.sdmp  Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000013.00000002.513384457.000002118DFF0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.511766834.00000214AEF20000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.510343378.000002108B670000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.512388419.000002A35B3A0000.00000002.00000001.sdmp  Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000013.00000002.506760598.000002118D5C0000.00000004.00000001.sdmp, wscript.exe, 00000014.00000002.506425743.00000214AE6EA000.00000004.00000001.sdmp, wscript.exe, 00000019.00000002.505723056.000002108AE17000.00000004.00000001.sdmp, wscript.exe, 0000001A.00000002.506936478.000002A35AA87000.00000004.00000001.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000013.00000002.506760598.000002118D5C0000.00000004.00000001.sdmp  Binary or memory string: stringComputer System ProductComputer System ProductO7Z41U32BB3542-7533-27D2-5200-3CE24BD43271VMware, Inc.Noney*
Source: wscript.exe, 00000013.00000002.513384457.000002118DFF0000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.511766834.00000214AEF20000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.510343378.000002108B670000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.512388419.000002A35B3A0000.00000002.00000001.sdmp  Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe  Network Connect: 204.11.58.187 187
Source: C:\Windows\System32\wscript.exe  Domain query: myip.dnsomatic.com
Source: C:\Windows\System32\wscript.exe  Domain query: barbraovich.xyz
Source: C:\Windows\System32\wscript.exe  Network Connect: 146.112.255.205 80
Source: C:\Windows\System32\wscript.exe  Network Connect: 208.95.112.1 80
Source: C:\Windows\System32\wscript.exe  Domain query: ip-api.com
Source: wscript.exe, 00000013.00000002.501949090.000002118BC90000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.498764613.00000214ACD10000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.500298027.0000021089440000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.499025073.000002A359010000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000013.00000002.501949090.000002118BC90000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.498764613.00000214ACD10000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.500298027.0000021089440000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.499025073.000002A359010000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: wscript.exe, 00000013.00000002.501949090.000002118BC90000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.498764613.00000214ACD10000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.500298027.0000021089440000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.499025073.000002A359010000.00000002.00000001.sdmp  Binary or memory string: SProgram Managerl
Source: wscript.exe, 00000013.00000002.501949090.000002118BC90000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.498764613.00000214ACD10000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.500298027.0000021089440000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.499025073.000002A359010000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd,
Source: wscript.exe, 00000013.00000002.501949090.000002118BC90000.00000002.00000001.sdmp, wscript.exe, 00000014.00000002.498764613.00000214ACD10000.00000002.00000001.sdmp, wscript.exe, 00000019.00000002.500298027.0000021089440000.00000002.00000001.sdmp, wscript.exe, 0000001A.00000002.499025073.000002A359010000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\wscript.exe  WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusProduct
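The WMI queries in the evasion section (Win32_ComputerSystemProduct, Win32_VideoController, Win32_LogicalDisk, Win32_Processor) and the lines just above (AntiVirusProduct enumeration, the ip-api.com and myip.dnsomatic.com lookups, the MachineGuid read) are individually low-value but together form the profile of a script RAT checking for a sandbox, enumerating defences and collecting a victim ID before beaconing. The triage script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it classifies behaviour lines of this shape and combines the signals into a verdict. The WMI-class and public-IP-service lists are assumptions drawn from the report's own annotations plus common sandbox-check behaviour, and SAMPLE_LOG is constructed to mirror the report's entries rather than captured from a live host.

```python
"""Triage helper for sandbox/EDR behaviour lines like those in this report.

Added example, not the report's or the sample's code. Each line is classified
as VM fingerprinting (WMI), security-product enumeration, public-IP lookup,
host-ID read or plain network activity; verdict() combines the categories.
"""
import re
from collections import defaultdict

# WMI classes scripts read to recognise a hypervisor or sandbox (assumed list,
# built from the classes this report shows wscript.exe querying).
VM_FINGERPRINT_CLASSES = {
    "win32_computersystemproduct": "vendor/UUID, e.g. 'VMware, Inc.'",
    "win32_videocontroller": "display adapter name (VMware SVGA, VBoxVideo)",
    "win32_logicaldisk": "disk count and size; sandboxes often have small disks",
    "win32_computersystem": "manufacturer and model",
    "win32_processor": "CPU name and core count",
    "win32_networkadapter": "adapter names and MAC OUIs",
}
# root\securitycenter2 classes that list installed security products.
SECURITY_PRODUCT_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}
# Public "what is my IP" services (assumed list; the first two appear in this report).
PUBLIC_IP_SERVICES = {"ip-api.com", "myip.dnsomatic.com", "ipinfo.io", "api.ipify.org"}

WMI_RE = re.compile(r"WMI Queries:.*?(root\\\S+)\s*:\s*select\s.+?\bfrom\s+(\w+)", re.I)
DNS_RE = re.compile(r"Domain query:\s*([\w.-]+)", re.I)
CONN_RE = re.compile(r"Network Connect:\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)")
REG_RE = re.compile(r"Key value queried:\s*(HKEY\S+)\s+(\w+)", re.I)

# Constructed lines mirroring the report's entries (not copied from a live system).
SAMPLE_LOG = [
    r"Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_LogicalDisk",
    r"Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_VideoController",
    r"Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_ComputerSystemProduct",
    r"Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_Processor",
    r"Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusProduct",
    r"Source: C:\Windows\System32\wscript.exe Domain query: myip.dnsomatic.com",
    r"Source: C:\Windows\System32\wscript.exe Domain query: barbraovich.xyz",
    r"Source: C:\Windows\System32\wscript.exe Domain query: ip-api.com",
    r"Source: C:\Windows\System32\wscript.exe Network Connect: 208.95.112.1 80",
    r"Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer",
]


def classify_line(line):
    """Return (category, detail) for a line of interest, or None for noise."""
    m = WMI_RE.search(line)
    if m:
        namespace, wmi_class = m.group(1).lower(), m.group(2).lower()
        if wmi_class in SECURITY_PRODUCT_CLASSES or "securitycenter" in namespace:
            return ("security_product_enum", wmi_class)
        if wmi_class in VM_FINGERPRINT_CLASSES:
            return ("vm_fingerprint", wmi_class)
        return ("wmi_other", wmi_class)
    m = DNS_RE.search(line)
    if m:
        domain = m.group(1).lower()
        category = "public_ip_lookup" if domain in PUBLIC_IP_SERVICES else "dns_query"
        return (category, domain)
    m = CONN_RE.search(line)
    if m:
        return ("network_connect", f"{m.group(1)}:{m.group(2)}")
    m = REG_RE.search(line)
    if m and m.group(2).lower() == "machineguid":
        return ("host_id_read", m.group(2))
    return None


def triage(lines):
    """Group findings by category; each value is the sorted set of distinct details."""
    findings = defaultdict(set)
    for line in lines:
        hit = classify_line(line)
        if hit:
            findings[hit[0]].add(hit[1])
    return {k: sorted(v) for k, v in findings.items()}


def verdict(findings):
    """Two or more independent signals from one script host is the RAT profile:
    sandbox checks, defence enumeration, public IP and victim ID before beaconing."""
    reasons = []
    vm_classes = len(findings.get("vm_fingerprint", []))
    if vm_classes >= 2:
        reasons.append(f"{vm_classes} VM-fingerprint WMI classes queried")
    if findings.get("security_product_enum"):
        reasons.append("security products enumerated via SecurityCenter2")
    if findings.get("public_ip_lookup"):
        reasons.append("public IP looked up: " + ", ".join(findings["public_ip_lookup"]))
    if findings.get("host_id_read"):
        reasons.append("MachineGuid read (typical victim ID for C2 check-in)")
    return ("suspicious" if len(reasons) >= 2 else "review", reasons)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for category, details in sorted(found.items()):
        print(f"{category:22s} {', '.join(details)}")
    print(verdict(found))
```

Run against SAMPLE_LOG the script reports four VM-fingerprint classes, the AntiVirusProduct enumeration, both public-IP services, the MachineGuid read and the unresolved barbraovich.xyz lookup, and rates the host "suspicious". The same classifier can be pointed at Sysmon or EDR exports once the regexes are adapted to that log format; the value is in correlating the categories per process, since any single WMI query is also issued by legitimate inventory tools.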

Mitre Att&ck Matrix

The matrix is listed here by tactic; techniques matched by this sample carry the badge numbers shown in the original matrix, reproduced as extracted, the remaining entries are the unmatched techniques the matrix displays for each tactic.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (331); Scripting (62); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Startup Items (1); Registry Run Keys / Startup Folder (21); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Startup Items (1); Process Injection (12); Registry Run Keys / Startup Folder (21); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (23); Process Injection (12); Scripting (62); Obfuscated Files or Information (1); Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Query Registry (1); Security Software Discovery (441); Virtualization/Sandbox Evasion (23); Process Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (113)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; SIM Card Swap
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files