Click to jump to signature section
Source: wscript.exe, 00000000.00000003.1780321005.00000162F9C6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1780609757.00000162F9C70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779657602.00000162F9C5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/ |
Source: wscript.exe, 00000000.00000003.1779588604.00000162F9CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779526252.00000162F9C71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779888432.00000162F9CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1684101104.00000162FB9D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779341162.00000162FB9EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779773435.00000162FBB41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1780624337.00000162F9CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1780089472.00000162F9CAF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1780801603.00000162FBAE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779727190.00000162FB9EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779421296.00000162FBB42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1684159276.00000162FB9EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.s |
Source: wscript.exe, 00000000.00000003.1779421296.00000162FBB42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779773435.00000162FBAE1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1684159276.00000162FB9EF000.00000004.00000020.00020000.00000000.sdmp, jsv.js | String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef. |
Source: wscript.exe, 00000000.00000003.1779588604.00000162F9CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779526252.00000162F9C71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1684101104.00000162FB9D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1683707906.00000162FB9F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779297875.00000162FBB71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779483421.00000162F9CFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779421296.00000162FBB42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779773435.00000162FBAE1000.00000004.00000020.00020000.00000000.sdmp, jsv.js | String found in binary or memory: https://aadcdn.msauth.net/shared/1.0/content/images/picker_verify_sms_12b7d768ba76f2e782cc74e3281710 |
Source: wscript.exe, 00000000.00000003.1779773435.00000162FBB9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779421296.00000162FBB9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1780801603.00000162FBB9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/appbackgrounds/49_6ffe0a92d779c878835b40171ffc |
Source: wscript.exe, 00000000.00000003.1779588604.00000162F9CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779526252.00000162F9C71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1684101104.00000162FB9D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1683707906.00000162FB9F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779773435.00000162FBAE1000.00000004.00000020.00020000.00000000.sdmp, jsv.js | String found in binary or memory: https://google.com |
Source: wscript.exe, 00000000.00000003.1779588604.00000162F9CBB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779526252.00000162F9C71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1684101104.00000162FB9D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1683707906.00000162FB9F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779297875.00000162FBB71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779483421.00000162F9CFA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779421296.00000162FBB42000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1779773435.00000162FBAE1000.00000004.00000020.00020000.00000000.sdmp, jsv.js | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_7cc096da6aa2dba3f81fcc1c8262157c.pn |
Source: jsv.js | String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.sv |
Source: wscript.exe, 00000000.00000003.1684101104.00000162FB9D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://softwarereviews.s3.amazonaws.com/production/favicons/offerings/3117/original/Sharepoint_icon |
Source: jsv.js | Initial sample: Strings found which are bigger than 50 |
Source: classification engine | Classification label: sus22.winJS@1/0@0/0 |
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer | Jump to behavior |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |