
Analysis Report Capasw32.dll

Overview

General Information

Sample Name:Capasw32.dll
MD5:e0d37750f9b4118deafbdf03ae023684
SHA1:5f32b33a20d466da8a727eb3f29bd702d2653cef
SHA256:d723bf8324e58a9d88aaa5601d990b4ce9d825c8f91f2d2c04c77dadc3302036


Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites Mozilla Firefox settings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses nslookup.exe to query domains
Writes to foreign memory regions
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Rundll32 Activity
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5304 cmdline: loaddll32.exe 'C:\Users\user\Desktop\Capasw32.dll' MD5: 506F23F79C4B7C36FC812FB3C6900770)
    • rundll32.exe (PID: 4232 cmdline: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\Capasw32.dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • control.exe (PID: 5988 cmdline: C:\Windows\system32\control.exe /? MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
        • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
          • rundll32.exe (PID: 4380 cmdline: 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Authtenc\atmftstr.dll',DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
          • cmd.exe (PID: 5204 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\CBA0.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
            • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • nslookup.exe (PID: 6140 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
          • cmd.exe (PID: 2776 cmdline: cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\CBA0.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
            • conhost.exe (PID: 4348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4548 cmdline: 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • rundll32.exe (PID: 5372 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /? MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 2448 cmdline: rundll32.exe C:\Users\user\Desktop\Capasw32.dll,Bonewomen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3532 cmdline: rundll32.exe C:\Users\user\Desktop\Capasw32.dll,Noteduck MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000000E.00000003.976174203.000001DDC5EF0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 10 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4 | Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe /?, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 5988, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?, ProcessId: 5372

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: lissavets.at | Virustotal: Detection: 8%
Source: tahhir.at | Virustotal: Detection: 7%
Source: limpopo.at | Virustotal: Detection: 10%
Source: http://lissavets.at | Virustotal: Detection: 8%
Source: http://estate-advice.at | Virustotal: Detection: 11%
Source: http://limpopo.at | Virustotal: Detection: 10%
Source: http://tahhir.at | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: Capasw32.dll | Virustotal: Detection: 48%

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C41C28 CreateFileA,GetFileTime,FindCloseChangeNotification,LdrInitializeThunk,StrRChrA,KiUserExceptionDispatcher,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_00C41C28

Networking:

Found Tor onion address
Source: control.exe, 0000000B.00000003.975151125.000001BF4F8DC000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion
Source: control.exe, 0000000B.00000003.975151125.000001BF4F8DC000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onionhttp://lissavets.athttp://tahhir.athttp://limpopo.athttp://estate-advice.atw
Source: control.exe, 0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 0000000D.00000002.1206447428.000001F4EBF00000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.at
Source: RuntimeBroker.exe, 0000000D.00000002.1206447428.000001F4EBF00000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.atconstitution.org/usdeclar.txt0x4eb7d2cacom ru org10google.com file://%appdata%/system32.dllgoogle.com file://%appdata%/system64.dllcurlmyip.net12Gu9foUnsY506KSJ13030030030030030010305160
Source: RuntimeBroker.exe, 0000000D.00000002.1206447428.000001F4EBF00000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion
Source: RuntimeBroker.exe, 0000000D.00000002.1206447428.000001F4EBF00000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onionhttp://lissavets.athttp://tahhir.athttp://limpopo.athttp://estate-advice.at
Source: rundll32.exe, 0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 0000000E.00000002.977912943.000001DDC66FC000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.at
Source: rundll32.exe, 0000000E.00000002.977912943.000001DDC66FC000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.atconstitution.org/usdeclar.txt0x4eb7d2cacom ru org10google.com file://%appdata%/system32.dllgoogle.com file://%appdata%/system64.dllcurlmyip.net12Gu9foUnsY506KSJ13030030030030030010305160+
Source: rundll32.exe, 0000000E.00000002.977912943.000001DDC66FC000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion
Source: rundll32.exe, 0000000E.00000002.977912943.000001DDC66FC000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onionhttp://lissavets.athttp://tahhir.athttp://limpopo.athttp://estate-advice.at*
Source: RuntimeBroker.exe, 0000000F.00000002.1203315258.000001E983500000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.at
Source: RuntimeBroker.exe, 0000000F.00000002.1203315258.000001E983500000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.atconstitution.org/usdeclar.txt0x4eb7d2cacom ru org10google.com file://%appdata%/system32.dllgoogle.com file://%appdata%/system64.dllcurlmyip.net12Gu9foUnsY506KSJ13030030030030030010305160
Source: RuntimeBroker.exe, 0000000F.00000002.1203315258.000001E983500000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion
Source: RuntimeBroker.exe, 0000000F.00000002.1203315258.000001E983500000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onionhttp://lissavets.athttp://tahhir.athttp://limpopo.athttp://estate-advice.at
Source: RuntimeBroker.exe, 0000000F.00000002.1204417103.000001E9837FF000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000010.00000002.1205252599.0000021B27E0F000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000010.00000002.1205757990.0000021B28400000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.at
Source: RuntimeBroker.exe, 00000010.00000002.1205757990.0000021B28400000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.atconstitution.org/usdeclar.txt0x4eb7d2cacom ru org10google.com file://%appdata%/system32.dllgoogle.com file://%appdata%/system64.dllcurlmyip.net12Gu9foUnsY506KSJ13030030030030030010305160
Source: RuntimeBroker.exe, 00000010.00000002.1205757990.0000021B28400000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion
Source: RuntimeBroker.exe, 00000010.00000002.1205757990.0000021B28400000.00000004.00000001.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onionhttp://lissavets.athttp://tahhir.athttp://limpopo.athttp://estate-advice.at
Source: rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.at
Source: rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion http://lissavets.at http://tahhir.at http://limpopo.at http://estate-advice.atconstitution.org/usdeclar.txt0x4eb7d2cacom ru org10google.com file://%appdata%/system32.dllgoogle.com file://%appdata%/system64.dllcurlmyip.net12Gu9foUnsY506KSJ13030030030030030010305160
Source: rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion
Source: rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onionhttp://lissavets.athttp://tahhir.athttp://limpopo.athttp://estate-advice.at
Source: rundll32.exe, 00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
May check the online IP address of the machine
Source: unknown | DNS query: name: myip.opendns.com
Source: unknown | DNS query: name: myip.opendns.com
Uses nslookup.exe to query domains
Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown | DNS traffic detected: queries for: resolver1.opendns.com
Source: rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onion
Source: control.exe, 0000000B.00000003.975151125.000001BF4F8DC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000000D.00000002.1206447428.000001F4EBF00000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000002.977912943.000001DDC66FC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000000F.00000002.1203315258.000001E983500000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.1205757990.0000021B28400000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://aaxvkah7dudzoloq.onionhttp://lissavets.athttp://tahhir.athttp://limpopo.athttp://estate-advic
Source: control.exe, 0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000000F.00000002.1204417103.000001E9837FF000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.1205252599.0000021B27E0F000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: control.exe, 0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000000F.00000002.1204417103.000001E9837FF000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.1205252599.0000021B27E0F000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://estate-advice.at
Source: RuntimeBroker.exe, 0000000D.00000002.1206447428.000001F4EBF00000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000002.977912943.000001DDC66FC000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000000F.00000002.1203315258.000001E983500000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.1205757990.0000021B28400000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://estate-advice.atconstitution.org/usdeclar.txt0x4eb7d2cacom
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: control.exe, 0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp, RuntimeBroker.exe, 0000000F.00000002.1204417103.000001E9837FF000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.1205252599.0000021B27E0F000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://limpopo.at
Source: rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://lissavets.at
Source: rundll32.exe, 00000011.00000002.1027872768.000002459B79C000.00000004.00000040.sdmp | String found in binary or memory: http://tahhir.at
Source: explorer.exe, 0000000C.00000000.937389570.0000000000CF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RuntimeBroker.exe, 00000010.00000000.990272452.0000021B25ADF000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/favicon.ico
Source: RuntimeBroker.exe, 00000010.00000000.990272452.0000021B25ADF000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/site/autoit/
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000003.980485500.000000000E2AB000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/setprefdomain?prefdom=GB&prev=http://www.google.co.uk/&sig=K_PFGtV9EFL
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RuntimeBroker.exe, 00000010.00000002.1200197788.0000021B25A51000.00000004.00000001.sdmp | String found in binary or memory: http://www.regsofts.com/free_registry_repair/registry_repair.htm
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.966370629.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000000C.00000003.980485500.000000000E2AB000.00000004.00000001.sdmp | String found in binary or memory: https://apis.google.com
Source: explorer.exe, 0000000C.00000003.980485500.000000000E2AB000.00000004.00000001.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
Source: explorer.exe, 0000000C.00000003.980485500.000000000E2AB000.00000004.00000001.sdmp | String found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
Source: explorer.exe, 0000000C.00000003.980485500.000000000E2AB000.00000004.00000001.sdmp | String found in binary or memory: https://plusone.google.com/u/0
Source: explorer.exe, 0000000C.00000003.980485500.000000000E2AB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/images/hpp/logo-myaccount-callout-68px.png
Source: explorer.exe, 0000000C.00000003.980485500.000000000E2AB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/url?q=https://myactivity.google.com/myactivity%3Frestrict%3Dwaa%26utm_source%
Source: RuntimeBroker.exe, 00000010.00000002.1200441129.0000021B25A86000.00000004.00000001.sdmp | String found in binary or memory: https://www.heise.de/
Source: RuntimeBroker.exe, 00000010.00000002.1200441129.0000021B25A86000.00000004.00000001.sdmp | String found in binary or memory: https://www.heise.de/c

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.976174203.000001DDC5EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.1205252599.0000021B27E0F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.976935491.000000000076F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1204417103.000001E9837FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1027234551.000002459B11F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4380, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5988, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4032, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3524, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000003.976174203.000001DDC5EF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.1205252599.0000021B27E0F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.976935491.000000000076F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.1204417103.000001E9837FF000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.1027234551.000002459B11F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4380, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: control.exe PID: 5988, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4032, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 3524, type: MEMORY
            Disables SPDY (HTTP compression, likely to perform web injects)Show sources
            Source: C:\Windows\explorer.exeRegistry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0Jump to behavior

            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C41ED9 NtQuerySystemInformation,RtlNtStatusToDosError
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C438F5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C44F90 NtMapViewOfSection,RtlNtStatusToDosError
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C41F9F GetProcAddress,NtWow64ReadVirtualMemory64
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C44DB0 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C41F4F NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C43A5C memcpy,LdrInitializeThunk,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C41000 GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C42D21 NtCreateSection,memset,RtlNtStatusToDosError,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C4436C memset,LdrInitializeThunk,NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C4567C NtGetContextThread
            Source: C:\Windows\System32\control.exe | Code function: 11_2_007542E0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075D2C8 NtAllocateVirtualMemory
            Source: C:\Windows\System32\control.exe | Code function: 11_2_007423E4 NtMapViewOfSection
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075D67C NtQueryInformationProcess
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073CE6C NtWriteVirtualMemory
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00745718 NtReadVirtualMemory
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00733FC0 RtlAllocateHeap,NtCreateSection,NtUnmapViewOfSection,FindCloseChangeNotification
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075C7A8 NtSetContextThread
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00737F90 NtQueryInformationProcess
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0077200A NtProtectVirtualMemory,NtProtectVirtualMemory
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F42E0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D7F90 NtQueryInformationProcess
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC611200A NtProtectVirtualMemory,NtProtectVirtualMemory
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B1042E0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E7F90 NtQueryInformationProcess
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B12200A NtProtectVirtualMemory,NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C456C8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D20D54F
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D20DF5A
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D20D890
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D227390
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D2173EE
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D216A6D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D2152D7
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00758050
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073E6D8
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00733FC0
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073B04C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075501C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073B8E4
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0074617C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00736934
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0074593C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075F1C0
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073C1CC
            Source: C:\Windows\System32\control.exe | Code function: 11_2_007521B4
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00743234
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0074E210
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0074AA18
            Source: C:\Windows\System32\control.exe | Code function: 11_2_007382D8
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00740A9C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075629C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00759314
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00743B08
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075DBC0
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00737384
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073B46C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075ACF0
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075CCE8
            Source: C:\Windows\System32\control.exe | Code function: 11_2_007564B4
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00757568
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073653C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00758DB8
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00736D94
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0075B66C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00732E5C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073AE2C
            Source: C:\Windows\System32\control.exe | Code function: 11_2_007406F8
            Source: C:\Windows\System32\control.exe | Code function: 11_2_007446D0
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073D6D8
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00756EC0
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073CEBC
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00735684
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00737FFC
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073F7E4
            Source: C:\Windows\System32\control.exe | Code function: 11_2_00747FE8
            Source: C:\Windows\System32\control.exe | Code function: 11_2_007377A8
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F8050
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60DE6D8
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60DB46C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F64B4
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60FCCE8
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60FACF0
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D653C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F7568
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D6D94
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F8DB8
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60DAE2C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F629C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60E0A9C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D82D8
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60E3B08
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F9314
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D7384
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60FDBC0
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60DB04C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60DB8E4
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60E593C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D6934
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60E617C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F21B4
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60DC1CC
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60FF1C0
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60EAA18
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60EE210
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60E3234
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D2E5C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60FB66C
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D5684
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60DCEBC
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F6EC0
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60DD6D8
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60E46D0
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60E06F8
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D77A8
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D3FC0
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60E7FE8
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60DF7E4
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60D7FFC
            Source: C:\Windows\System32\rundll32.exe | Code function: 14_2_000001DDC60F501C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B108050
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0EE6D8
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B1064B4
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B10CCE8
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B10ACF0
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E653C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B107568
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E6D94
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B10DBC0
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0EB46C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E82D8
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0F3B08
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B109314
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E7384
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B10F1C0
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B1021B4
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0EC1CC
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0FE210
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0FAA18
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0F3234
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B10629C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0F0A9C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0EB8E4
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E6934
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0F593C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0F617C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E77A8
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E3FC0
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0EF7E4
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0F7FE8
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E7FFC
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B10501C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0EB04C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B106EC0
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0ECEBC
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0F46D0
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0ED6D8
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0F06F8
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B108DB8
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0EAE2C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E2E5C
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B0E5684
            Source: C:\Windows\System32\rundll32.exe | Code function: 17_2_000002459B10B66C
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
            Source: Capasw32.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.phis.bank.troj.spyw.evad.winDLL@24/9@16/0
            Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Authtenc
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4348:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
            Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{12D0F389-49B0-14FD-6366-8D8847FA113C}
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{8C02E350-7BDC-9E27-6580-DFB269B48306}
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{7AC8F90B-91BD-BC59-EB4E-55B04F6259E4}
            Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B25D8827-69A1-B4FB-8306-AD28679A31DC}
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{5A5F11C7-F1A6-9C73-4B2E-B590AF42B9C4}
            Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\{823E5B52-F9EB-0425-93D6-3D78776AC12C}
            Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\EA2A.bin
            Source: Capasw32.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\control.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\nslookup.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\Capasw32.dll',DllRegisterServer
            Source: Capasw32.dll | Virustotal: Detection: 48%
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\Capasw32.dll'
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\Capasw32.dll',DllRegisterServer
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Capasw32.dll,Bonewomen
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Capasw32.dll,Noteduck
            Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
            Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Authtenc\atmftstr.dll',DllRegisterServer
            Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\CBA0.bi1'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
            Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\CBA0.bi1'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\Capasw32.dll',DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Capasw32.dll,Bonewomen
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Capasw32.dll,Noteduck
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Authtenc\atmftstr.dll',DllRegisterServer
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\CBA0.bi1'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\CBA0.bi1'
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
            Source: C:\Windows\System32\control.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\System32\rundll32.exe | Automated click: OK
            Source: C:\Windows\explorer.exe | File opened: C:\Windows\SYSTEM32\msftedit.dll
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Capasw32.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Capasw32.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Capasw32.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Capasw32.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Capasw32.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Capasw32.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Capasw32.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
            Source: Capasw32.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.964725192.000000000D5B0000.00000002.00000001.sdmp
            Source: Binary string: c:\score\have\glass\Though\Country\branch\Division\String\Greatthousand.pdb source: rundll32.exe, Capasw32.dll
            Source: Binary string: ntdll.pdb source: rundll32.exe, 00000001.00000003.906829210.0000000004C10000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: explorer.exe, 0000000C.00000003.1091492443.0000000006760000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000001.00000003.906829210.0000000004C10000.00000004.00000001.sdmp
            Source: Binary string: rundll32.pdb source: control.exe, 0000000B.00000002.979233556.000001BF4F8DC000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb source: explorer.exe, 0000000C.00000003.1091492443.0000000006760000.00000004.00000001.sdmp
            Source: Binary string: rundll32.pdbGCTL source: control.exe, 0000000B.00000002.979233556.000001BF4F8DC000.00000004.00000040.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.964725192.000000000D5B0000.00000002.00000001.sdmp

            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C41A6D LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,FindWindowA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C456B7 push ecx; ret 1_2_00C456C7
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C45670 push ecx; ret 1_2_00C45679
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1F1DC7 push eax; ret 1_2_6D1F1DCD
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1F0450 push edx; retn 0000h 1_2_6D1F04C3
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1F0499 push edx; retn 0000h 1_2_6D1F04C3
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1EFFEB push ecx; retf 1_2_6D1EFFF8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1EF667 push ecx; ret 1_2_6D1EF66A
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1ED110 push eax; ret 1_2_6D1ED113
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1F09FB push esi; iretd 1_2_6D1F0A12
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1F285B pushad ; iretd 1_2_6D1F285C
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D20D875 push ecx; ret 1_2_6D20D888
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1F08E6 push esi; ret 1_2_6D1F0902
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1F235B push edx; ret 1_2_6D1F235C
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1EDB51 push ebx; ret 1_2_6D1EDB5E
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1EDBA1 push ebx; ret 1_2_6D1EDB5E
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1EF3FE push ebp; retf 1_2_6D1EF414
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1EEA77 push edi; iretd 1_2_6D1EEA81
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D1EE2DC push edi; ret 1_2_6D1EE2E0
            Source: initial sample | Static PE information: section name: .text entropy: 7.1782013521

            Boot Survival:

            barindex
            Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)Show sources
            Source: C:\Windows\SysWOW64\rundll32.exeWindow found: window name: ProgManJump to behavior

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000003.976174203.000001DDC5EF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.1205252599.0000021B27E0F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.976935491.000000000076F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000F.00000002.1204417103.000001E9837FF000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000011.00000002.1027234551.000002459B11F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4380, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 5988, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4032, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3524, type: MEMORY
            Hooks registry keys query functions (used to hide registry keys)
            Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
            Modifies the export address table of user mode modules (user mode EAT hooks)
            Source: explorer.exe | EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFEE02F5200
            Modifies the import address table of user mode modules (user mode IAT hooks)
            Source: explorer.exe | IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFEE02F521C
            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
            Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\4657FA74-ED45-68EE-A7DA-711CCBAE3510
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\4657FA74-ED45-68EE-A7DA-711CCBAE3510 Client32
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
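The three hook entries above (an EAT entry, an IAT slot and a function prolog changed inside explorer.exe) are the three user-mode hooking classes Ursnif relies on to intercept process creation and browser traffic. The script below is an added example, not part of the report or of Joe Sandbox's own detection code. It shows how each class is spotted from a memory snapshot: an export that resolves outside its own module's image, an import slot that points outside the DLL it should import from, and a prolog that begins with a control transfer. The module layout, bases and sizes are constructed; only the two target addresses 7FFEE02F521C and 7FFEE02F5200 are taken from the entries above, placed inside an assumed unbacked RWX region standing in for the injected Ursnif code.

```python
"""Detect EAT, IAT and inline hooks in a (constructed) user-mode module snapshot.
Added example; the module layout is made up, not taken from the report."""
from collections import namedtuple
from dataclasses import dataclass, field


@dataclass
class Module:
    name: str
    base: int
    size: int
    exports: dict = field(default_factory=dict)   # symbol -> resolved address
    imports: dict = field(default_factory=dict)   # (dll, symbol) -> IAT slot value
    prologs: dict = field(default_factory=dict)   # symbol -> first code bytes

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


Finding = namedtuple("Finding", "kind module symbol target owner")


def classify_prolog(code: bytes):
    """Return a label if the prolog starts with a typical hook trampoline."""
    if code[:1] == b"\xe9":
        return "jmp rel32"
    if code[:1] == b"\xeb":
        return "jmp rel8"
    if code[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":
        return "push imm32; ret"
    return None


def find_hooks(modules):
    by_name = {m.name.lower(): m for m in modules}

    def owner(addr):
        # Which mapped region does the hijacked pointer land in?
        return next((m for m in modules if m.contains(addr)), None)

    findings = []
    for m in modules:
        # EAT: an exported function must live inside its own image.
        for sym, addr in m.exports.items():
            if not m.contains(addr):
                findings.append(Finding("EAT", m.name, sym, addr, owner(addr)))
        # IAT: a slot must point into the DLL that exports the symbol.
        for (dll, sym), addr in m.imports.items():
            exporter = by_name.get(dll.lower())
            if exporter is None or not exporter.contains(addr):
                findings.append(Finding("IAT", m.name, f"{dll}:{sym}", addr, owner(addr)))
        # Inline: the first bytes of the function were replaced by a jump.
        for sym, code in m.prologs.items():
            label = classify_prolog(code)
            if label:
                findings.append(Finding("INLINE", m.name, sym, label, None))
    return findings


def build_snapshot():
    """Constructed explorer.exe snapshot. Bases and sizes are assumptions;
    the two hook targets reuse the addresses the report lists."""
    k32 = Module("KERNEL32.DLL", 0x7FFEE4A00000, 0xC0000)
    k32.exports = {"GetProcAddress": 0x7FFEE4A1F2B0,              # clean
                   "CreateProcessW": 0x7FFEE02F5200}              # EAT hijacked
    k32.prologs = {"GetProcAddress": bytes.fromhex("48895c2408"),          # mov [rsp+8], rbx
                   "CreateProcessAsUserW": bytes.fromhex("e9fb0e85fb")}    # jmp rel32
    explorer = Module("explorer.exe", 0x7FF60F000000, 0x500000)
    explorer.imports = {("KERNEL32.DLL", "GetProcAddress"): 0x7FFEE4A1F2B0,        # clean
                        ("KERNEL32.DLL", "CreateProcessAsUserW"): 0x7FFEE02F521C}  # IAT hijacked
    injected = Module("<unbacked RWX region>", 0x7FFEE02F0000, 0x10000)
    return [explorer, k32, injected]


if __name__ == "__main__":
    for finding in find_hooks(build_snapshot()):
        print(finding)
```

The owner lookup is what turns a raw pointer mismatch into an actionable lead: a hijacked slot pointing into a region with no backing file is the injected payload itself, which is where a memory dump for Yara scanning should be taken.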

            Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess (graph_1-9262)
            Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_1-9225)
            Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_1-9274)
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C41C28 CreateFileA,GetFileTime,FindCloseChangeNotification,LdrInitializeThunk,StrRChrA,KiUserExceptionDispatcher,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree
            Source: explorer.exe, 0000000C.00000000.958854735.0000000007F90000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000010.00000000.991883870.0000021B27C90000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.1029223899.000002459D100000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: explorer.exe, 0000000C.00000000.958854735.0000000007F90000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000010.00000000.991883870.0000021B27C90000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.1029223899.000002459D100000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 0000000C.00000000.958854735.0000000007F90000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000010.00000000.991883870.0000021B27C90000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.1029223899.000002459D100000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: explorer.exe, 0000000C.00000000.958854735.0000000007F90000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000010.00000000.991883870.0000021B27C90000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.1029223899.000002459D100000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information queried: ProcessInformation

            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C424C2 LdrInitializeThunk,RtlEnterCriticalSection,VirtualProtect,GetLastError,RtlLeaveCriticalSection
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D210FBE _memset,IsDebuggerPresent
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D2137D4 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C41A6D LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,FindWindowA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D250F0D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D250E43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D250A4D push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D20EA03 GetProcessHeap
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C44808 LdrInitializeThunk,LdrInitializeThunk,RtlInitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D20F4F9 SetUnhandledExceptionFilter,UnhandledExceptionFilter

            HIPS / PFW / Operating System Protection Evasion:

            Allocates memory in foreign processes
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\control.exe base: 7F0000 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: F80000 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\System32\rundll32.exe base: 1DDC5D80000 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F4E8FC0000 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E9815E0000 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 21B273A0000 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\rundll32.exe base: 2459AE40000 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 2440000 protect: page execute and read and write
            Changes memory attributes in foreign processes to executable or writable
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFEE2151460 protect: page execute and read and write
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFEE2151460 protect: page execute read
            Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFEE2151460 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460 protect: page execute read
            Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460 protect: page execute read
            Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460 protect: page execute and read and write
            Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460 protect: page execute read
            Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460 protect: page execute and read and write
            Creates a thread in another existing process (thread injection)
            Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: E2151460
            Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: E2151460
            Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: E2151460
            Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: E2151460
            Injects code into the Windows Explorer (explorer.exe)
            Source: C:\Windows\System32\control.exe | Memory written: PID: 2928 base: 7FFEE2151460 value: EB
            Source: C:\Windows\System32\control.exe | Memory written: PID: 2928 base: F80000 value: 60
            Source: C:\Windows\System32\control.exe | Memory written: PID: 2928 base: 7FFEE2151460 value: 40
            Maps a DLL or memory area into another process
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
            Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
            Source: C:\Windows\explorer.exe | Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
            Source: C:\Windows\explorer.exe | Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
            Source: C:\Windows\explorer.exe | Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
            Source: C:\Windows\explorer.exe | Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
            Source: C:\Windows\explorer.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 5988
            Source: C:\Windows\System32\control.exe | Thread register set: target process: 2928
            Source: C:\Windows\System32\control.exe | Thread register set: target process: 5372
            Source: C:\Windows\explorer.exe | Thread register set: target process: 3524
            Source: C:\Windows\explorer.exe | Thread register set: target process: 3668
            Source: C:\Windows\explorer.exe | Thread register set: target process: 4032
            Source: C:\Windows\explorer.exe | Thread register set: target process: 4380
            Source: C:\Windows\explorer.exe | Thread register set: target process: 4548
            Writes to foreign memory regions
            Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7F0000
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFEE2151460
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: F80000
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFEE2151460
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF60FC15FD0
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 1DDC5D80000
            Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF60FC15FD0
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F4E8FC0000
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E9815E0000
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 21B273A0000
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFEE2151460
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF60FC15FD0
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\rundll32.exe base: 2459AE40000
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF60FC15FD0
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 266FC0
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 2440000
            Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 266FC0
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
            Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
            Source: explorer.exe, 0000000C.00000000.937689923.00000000011C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000D.00000000.976196306.000001F4E9590000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000F.00000000.984079361.000001E981B90000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.1200876711.0000021B25F90000.00000002.00000001.sdmp, 01D64AC00198B5880B.12.dr | Binary or memory string: Program Manager
            Source: explorer.exe, 0000000C.00000000.937689923.00000000011C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000D.00000000.976196306.000001F4E9590000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000F.00000000.984079361.000001E981B90000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.1200876711.0000021B25F90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000000C.00000000.937689923.00000000011C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000D.00000000.976196306.000001F4E9590000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000F.00000000.984079361.000001E981B90000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.1200876711.0000021B25F90000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: explorer.exe, 0000000C.00000000.937689923.00000000011C0000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000D.00000000.976196306.000001F4E9590000.00000002.00000001.sdmp, RuntimeBroker.exe, 0000000F.00000000.984079361.000001E981B90000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000010.00000002.1200876711.0000021B25F90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: explorer.exe, 0000000C.00000000.936885927.0000000000BC0000.00000004.00000020.sdmp | Binary or memory string: Progman9
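The entries above are the raw events of the injection chain (rundll32.exe into control.exe, control.exe into explorer.exe and a second rundll32.exe, explorer.exe into RuntimeBroker.exe and cmd.exe) followed by the process creations. The script below is an added example, not part of the report or of Joe Sandbox: it parses a constructed subset of those entries (copied from the list, with a " | " separator between source and event), groups them per injector/victim pair, and reports pairs where allocation, write and execution transfer are all present, which is the classic remote-injection triple. "Thread register set" events name only a PID, so a PID-to-image map is needed; the map here is assumed from the PIDs the report names elsewhere, and PID 4548 is deliberately left unmapped to show what a partial chain looks like. The process-creation checks (a child started with only a help switch, a lookup of myip.opendns.com) are heuristics added for illustration.

```python
"""Reconstruct injection chains and process lineage from sandbox event lines.
Added example; EVENTS is a constructed subset of the report's entries."""
import re
from collections import defaultdict

EVENTS = r"""
C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\control.exe base: 7F0000 protect: page execute and read and write
C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7F0000
C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 5988
C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: F80000 protect: page execute and read and write
C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FFEE2151460 protect: page execute and read and write
C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FFEE2151460
C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: F80000
C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: E2151460
C:\Windows\System32\control.exe | Memory allocated: C:\Windows\System32\rundll32.exe base: 1DDC5D80000 protect: page execute and read and write
C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 1DDC5D80000
C:\Windows\System32\control.exe | Thread register set: target process: 5372
C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F4E8FC0000 protect: page execute and read and write
C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F4E8FC0000
C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: E2151460
C:\Windows\explorer.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 2440000 protect: page execute and read and write
C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 266FC0
C:\Windows\explorer.exe | Thread register set: target process: 4548
C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
"""

# Assumed PID-to-image map, taken from PIDs the report names for its Yara hits.
PID_IMAGE = {5988: r"C:\Windows\System32\control.exe",
             5372: r"C:\Windows\System32\rundll32.exe",
             2928: r"C:\Windows\explorer.exe"}

LINE = re.compile(r"^(?P<src>\S+) \| (?P<kind>[^:]+): (?P<rest>.*)$")
PATH = re.compile(r"^(?P<tgt>[A-Za-z]:\\\S+)")
STAGE = {"Memory allocated": "alloc", "Memory written": "write",
         "Memory protected": "protect", "Thread created": "execute"}


def parse(text):
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if m:
            yield m.group("src"), m.group("kind"), m.group("rest")


def analyse(text, pid_image):
    chains = defaultdict(set)   # (injector, victim) -> stages observed
    tree = []                   # (parent, child image, command line)
    for src, kind, rest in parse(text):
        if kind == "Process created":
            tgt = PATH.match(rest).group("tgt")
            tree.append((src, tgt, rest[len(tgt):].strip()))
        elif kind == "Thread register set":
            # SetThreadContext-style execution transfer; victim is given as a PID.
            pid = int(rest.rsplit(None, 1)[1])
            chains[(src, pid_image.get(pid, f"pid:{pid}"))].add("execute")
        elif kind in STAGE:
            tgt = PATH.match(rest).group("tgt")
            stages = chains[(src, tgt)]
            stages.add(STAGE[kind])
            if kind == "Memory allocated" and "execute and read and write" in rest:
                stages.add("rwx")
    # A pair with allocation, write and execution transfer is a full injection.
    complete = [pair for pair, st in chains.items() if {"alloc", "write", "execute"} <= st]
    return dict(chains), tree, complete


def flags(tree):
    """Heuristics over the process tree (added for illustration)."""
    out = []
    for parent, child, cmdline in tree:
        if cmdline.rstrip().endswith("/?"):
            out.append(f"{parent} launched {child} with only a help switch")
        if "myip.opendns.com" in cmdline:
            out.append(f"{parent} looked up the public IP via {child}")
    return out


if __name__ == "__main__":
    chains, tree, complete = analyse(EVENTS, PID_IMAGE)
    for pair in complete:
        print("injection:", pair[0], "->", pair[1], sorted(chains[pair]))
    for note in flags(tree):
        print("flag:", note)
```

The unmapped PID shows up as a pair with only an execution stage and the explorer.exe to cmd.exe pair as one with allocation and write but no execution, so neither is reported as complete; correlating register-set PIDs against the process list is what closes that gap in a real triage.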

            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6D20D1BC cpuid
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C44EBC GetCurrentThreadId,GetSystemTimeAsFileTime,GetTempFileNameA,PathFindExtensionA,lstrcpy
            Source: C:\Windows\System32\control.exe | Code function: 11_2_0073E6D8 CreateMutexExA,GetUserNameA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00C4536F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError

            Lowering of HIPS / PFW / Operating System Security Settings:

            Overwrites Mozilla Firefox settings
            Source: C:\Windows\explorer.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\prefs.js

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000003.976174203.000001DDC5EF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.1205252599.0000021B27E0F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.976935491.000000000076F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.1204417103.000001E9837FF000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.1027234551.000002459B11F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4380, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 5988, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4032, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3524, type: MEMORY
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\prefs.js
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 0000000E.00000002.977550763.000001DDC610F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000003.976174203.000001DDC5EF0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.1206095370.000001F4EBC5F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000003.929317301.000001BF4D7E0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000003.1016966922.000002459AEE0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.1205252599.0000021B27E0F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.976935491.000000000076F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.1204417103.000001E9837FF000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.1027234551.000002459B11F000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4380, type: MEMORY
            Source: Yara match | File source: Process Memory Space: control.exe PID: 5988, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3668, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4032, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3524, type: MEMORY

            Mitre Att&ck Matrix

            Cells are listed left to right in tactic order. A number after a technique is the report's signature-count badge, exported as plain digits. Rows with fewer than 14 cells had empty cells that the export dropped, so their columns do not line up with the header.

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Rundll32 1 | Hooking 3 | Hooking 3 | Software Packing 2 | Credential Dumping 1 | System Time Discovery 1 | Application Deployment Software | Man in the Browser 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Replication Through Removable Media | Execution through API 3 | Port Monitors | Process Injection 712 | Rundll32 1 | Hooking 3 | Account Discovery 1 | Remote Services | Data from Local System 1 | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            External Remote Services | Graphical User Interface 2 | Accessibility Features | Path Interception | Obfuscated Files or Information 2 | Input Capture | Security Software Discovery 131 | Windows Remote Management | Email Collection 1 | Automated Exfiltration | Standard Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Rootkit 4 | Credentials in Files | File and Directory Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Connection Proxy 1 | SIM Card Swap | Premium SMS Toll Fraud
            Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading 1 | Account Manipulation | System Information Discovery 14 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
            Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Modify Registry 1 | Brute Force | Query Registry 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features
            Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection 712 | Two-Factor Authentication Interception | Process Discovery 2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
            Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading 1 | Bash History | System Owner/User Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
            Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Connection Proxy 1 | Input Prompt | Remote System Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction
            Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Scripting | Keychain | System Network Configuration Discovery 2 | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | Data Encrypted for Impact

            Behavior Graph

            (The interactive behavior graph is not reproduced in this export. Its legend distinguishes node types Process, Signature, Created File and DNS/IP Info; the markers Is Dropped, Is Windows Process, Number of created Registry Values and Number of created Files; the language markers Visual Basic, Delphi, Java, .Net C# or VB.NET, and C, C++ or other language; and the markers Is malicious and Internet.)