Analysis Report 5f69b0667976ftar

Overview

General Information

Sample Name: 5f69b0667976ftar (renamed file extension from none to dll)
Analysis ID: 288485
MD5: b3174c5e64fa5ba368a5b66c234c92a7
SHA1: 1769658f4e98144b07af62fee907540cbe56e3ac
SHA256: 7b8c91665d7a96b5f38a4bb8b81796ec80df1c281c65da378c4df82912671e25
Tags:

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Creates a COM Internet Explorer object
Writes registry values via WMI
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6808 cmdline: loaddll32.exe 'C:\Users\user\Desktop\5f69b0667976ftar.dll' MD5: 6A3082E6152C823BF9EB895EA06EA605)
    • rundll32.exe (PID: 6816 cmdline: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\5f69b0667976ftar.dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6824 cmdline: rundll32.exe C:\Users\user\Desktop\5f69b0667976ftar.dll,Fullelectric MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6860 cmdline: rundll32.exe C:\Users\user\Desktop\5f69b0667976ftar.dll,Gladnow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6880 cmdline: rundll32.exe C:\Users\user\Desktop\5f69b0667976ftar.dll,Paintreceive MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 1480 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5128 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1480 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "250154", "uptime": "199Explorer\\Mainh", "crc": "1", "id": "4343", "user": "4229768108f8d2d8cdc8873adc33689e", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.439843907.00000000053C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.439714014.00000000053C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.439807374.00000000053C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.439859126.00000000053C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.439772948.00000000053C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: rundll32.exe.6816.1.memstr | Malware Configuration Extractor: Ursnif {"server": "12", "version": "250154", "uptime": "199Explorer\\Mainh", "crc": "1", "id": "4343", "user": "4229768108f8d2d8cdc8873adc33689e", "soft": "3"}
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02FA1B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_02FA1B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD4DBD0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,1_2_6DD4DBD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00921B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_00921B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04861B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,4_2_04861B81

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: fr-ch[1].htm.21.dr | String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/85288795/coreui.statics/images/social/facebook.png" alt="Facebook"> equals www.facebook.com (Facebook)
Source: fr-ch[1].htm.21.dr | String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/93690392/coreui.statics/images/social/twitter.png" alt="Twitter"> equals www.twitter.com (Twitter)
Source: fr-ch[1].htm.21.dr | String found in binary or memory: <img src="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/b23f9ba2/coreui.statics/images/social/linkedin.png" alt="LinkedIn"> equals www.linkedin.com (Linkedin)
Source: fr-ch[1].htm.21.dr | String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/2532198d/coreui.statics/images/social/facebook.svg"> equals www.facebook.com (Facebook)
Source: fr-ch[1].htm.21.dr | String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/413bd4a8/coreui.statics/images/social/linkedin.svg"> equals www.linkedin.com (Linkedin)
Source: fr-ch[1].htm.21.dr | String found in binary or memory: <source type="image/svg+xml" srcset="//www.microsoft.com/onerfstatics/marketingsites-neu-prod/_h/6f40299c/coreui.statics/images/social/twitter.svg"> equals www.twitter.com (Twitter)
Source: fr-ch[1].htm.21.dr | String found in binary or memory: <a data-m='{"id":"n1m1r5a2","sN":1,"aN":"m1r5a2"}' itemprop="sameAs" href="https://www.facebook.com/Microsoft" title="Suivre Microsoft sur Facebook (s equals www.facebook.com (Facebook)
Source: fr-ch[1].htm.21.dr | String found in binary or memory: <a data-m='{"id":"n3m1r5a2","sN":3,"aN":"m1r5a2"}' itemprop="sameAs" href="https://www.linkedin.com/company/1035" title="Suivre Microsoft sur LinkedIn (s equals www.linkedin.com (Linkedin)
Source: unknown | DNS traffic detected: queries for: www.microsoftstore.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.439843907.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.439714014.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.439807374.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.439859126.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.439772948.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.439577459.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.439521494.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.439661298.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6816, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD01AE6 GetProcAddress,NtCreateSection,memset,1_2_6DD01AE6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD0218C NtMapViewOfSection,1_2_6DD0218C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD02685 NtQueryVirtualMemory,1_2_6DD02685
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02FA1AB7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_02FA1AB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02FAB0BD NtQueryVirtualMemory,1_2_02FAB0BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00921AB7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_00921AB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0092B0BD NtQueryVirtualMemory,3_2_0092B0BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04861AB7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,4_2_04861AB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0486B0BD NtQueryVirtualMemory,4_2_0486B0BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD02464 1_2_6DD02464
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02FAAE9C 1_2_02FAAE9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02FA9421 1_2_02FA9421
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD27580 1_2_6DD27580
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD570B0 1_2_6DD570B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0092AE9C 3_2_0092AE9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00929421 3_2_00929421
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0486AE9C 4_2_0486AE9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04869421 4_2_04869421
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal64.bank.troj.winDLL@12/37@5/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02FA7790 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_02FA7790
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF2DB21D697E3B291C.TMP
Source: 5f69b0667976ftar.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\5f69b0667976ftar.dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5f69b0667976ftar.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5f69b0667976ftar.dll,Fullelectric
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5f69b0667976ftar.dll,Gladnow
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5f69b0667976ftar.dll,Paintreceive
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1480 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\5f69b0667976ftar.dll',DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5f69b0667976ftar.dll,Fullelectric
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5f69b0667976ftar.dll,Gladnow
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5f69b0667976ftar.dll,Paintreceive
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1480 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 5f69b0667976ftar.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 5f69b0667976ftar.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\3\12\38\Expect\83\Agree\End\4\hill\men\41\why.pdb source: rundll32.exe, 00000001.00000002.475604272.000000006DD60000.00000002.00020000.sdmp, 5f69b0667976ftar.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD02453 push ecx; ret 1_2_6DD02463
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD02400 push ecx; ret 1_2_6DD02409
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02FAAAD0 push ecx; ret 1_2_02FAAAD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_02FAAE8B push ecx; ret 1_2_02FAAE9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD7E906 push ebx; iretd 1_2_6DD7E907
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD7F40B pushad ; retf 1_2_6DD7F40C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD7EEC8 push 39060D43h; retf 1_2_6DD7EEF2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0092AE8B push ecx; ret 3_2_0092AE9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0092AAD0 push ecx; ret 3_2_0092AAD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0486AE8B push ecx; ret 4_2_0486AE9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0486AAD0 push ecx; ret 4_2_0486AAD9

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD27580 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_6DD27580
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD021E3 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,GetProcAddress,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetProcAddress,1_2_6DD021E3
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD2D4F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6DD2D4F0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD42A80 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV,1_2_6DD42A80
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD4D500 mov ecx, dword ptr fs:[00000030h]1_2_6DD4D500
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD4D460 mov ecx, dword ptr fs:[00000030h]1_2_6DD4D460
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD35430 mov eax, dword ptr fs:[00000030h]1_2_6DD35430
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD4D3C0 mov ecx, dword ptr fs:[00000030h]1_2_6DD4D3C0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD7CD6E mov eax, dword ptr fs:[00000030h]1_2_6DD7CD6E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD7CCA4 mov eax, dword ptr fs:[00000030h]1_2_6DD7CCA4
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD7C8AE push dword ptr fs:[00000030h]1_2_6DD7C8AE
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD018A7 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,1_2_6DD018A7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD2D4F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6DD2D4F0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD29110 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6DD29110
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD29260 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_6DD29260
            Source: rundll32.exe, 00000001.00000002.472130302.0000000003350000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: rundll32.exe, 00000001.00000002.472130302.0000000003350000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: rundll32.exe, 00000001.00000002.472130302.0000000003350000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: rundll32.exe, 00000001.00000002.472130302.0000000003350000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_02FA12A7 cpuid 1_2_02FA12A7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD013AC GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,1_2_6DD013AC
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_02FA12A7 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,1_2_02FA12A7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6DD01CFD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,1_2_6DD01CFD
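The signature entries above are raw sandbox output: one line per function, identified by "<process index>_<run>_<start address>", followed by the API sequence or the instruction that triggered the signature. As an added example (not part of this report and not Joe Sandbox code), the Python below parses lines of that shape and tags each function with the behaviours this page flags: PEB reads through fs:[30h], IsDebuggerPresent and OutputDebugString-plus-GetLastError checks, GetProcAddress-based import resolution, cpuid and GetUserName/GetComputerName host fingerprinting, and FindFirstFile/CompareFileTime directory enumeration. The sample lines are constructed from entries on this page with the API lists shortened; the tag names and the rules are my own, as is the roll-up to the process index. It also handles the case visible above where two entries share one function id (1_2_02FA12A7 appears once for cpuid and once for the GetUserNameW/GetComputerNameW chain) by merging their tags.

```python
import re
from collections import defaultdict

# Constructed sample: the shape of Joe Sandbox "Code function" lines, with API
# lists taken from entries on this page and shortened. Not real report output.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02FA1B81 RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindFirstFileA,CompareFileTime,FindNextFileA,FindClose,HeapFree,1_2_02FA1B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6DD021E3 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,1_2_6DD021E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6DD2D4F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6DD2D4F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6DD42A80 OutputDebugStringW,GetLastError,WriteFile,1_2_6DD42A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6DD4D500 mov ecx, dword ptr fs:[00000030h]1_2_6DD4D500
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02FA12A7 cpuid 1_2_02FA12A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_02FA12A7 RtlAllocateHeap,GetUserNameW,GetComputerNameW,HeapFree,1_2_02FA12A7
"""

# The id "<process index>_<run>_<start address>" opens the entry and is repeated
# at its end; the body in between is either a comma list of APIs or an instruction.
CODE_FUNC_RE = re.compile(
    r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<body>.*?)\s*,?\s*(?P=fid)\s*$"
)
# fs:[30h] is the PEB pointer in the 32-bit TEB; reading it is how code inspects
# PEB fields such as BeingDebugged without calling IsDebuggerPresent.
PEB_RE = re.compile(r"fs:\[0*30h\]")

DEBUG_OUTPUT = {"OutputDebugStringA", "OutputDebugStringW"}
HOST_FINGERPRINT = {"GetUserNameA", "GetUserNameW", "GetComputerNameA", "GetComputerNameW"}
FILE_ENUM = {"FindFirstFileA", "FindFirstFileW", "FindFirstFileExA", "FindFirstFileExW"}


def classify(apis, body):
    """Return the behaviour tags (own naming) for one function's API list/body."""
    names = set(apis)
    tags = []
    if PEB_RE.search(body):
        tags.append("peb-read")
    if "cpuid" in names:
        tags.append("cpuid")
    if "IsDebuggerPresent" in names:
        tags.append("anti-debug:IsDebuggerPresent")
    # OutputDebugString followed by GetLastError is a classic debugger probe:
    # the error code differs depending on whether a debugger received the string.
    if names & DEBUG_OUTPUT and "GetLastError" in names:
        tags.append("anti-debug:OutputDebugString+GetLastError")
    n = apis.count("GetProcAddress")
    if n:
        tags.append(f"dynamic-import:GetProcAddress x{n}")
    if names & HOST_FINGERPRINT:
        tags.append("host-fingerprint")
    if names & FILE_ENUM and "CompareFileTime" in names:
        tags.append("file-enum+timestamp-compare")
    return tags


def classify_report(text):
    """Map each function id to its tags, merging entries that share an id."""
    tagged = defaultdict(list)
    for line in text.splitlines():
        m = CODE_FUNC_RE.search(line)
        if not m:
            continue
        body = m.group("body")
        apis = [a.strip() for a in body.split(",") if a.strip()]
        for tag in classify(apis, body):
            if tag not in tagged[m.group("fid")]:
                tagged[m.group("fid")].append(tag)
    return dict(tagged)


def by_process(tagged):
    """Roll tags up to the sandbox process index (first field of the id)."""
    rolled = defaultdict(set)
    for fid, tags in tagged.items():
        rolled[fid.split("_")[0]].update(tags)
    return {proc: sorted(tags) for proc, tags in rolled.items()}


if __name__ == "__main__":
    result = classify_report(SAMPLE_LINES)
    for fid, tags in sorted(result.items()):
        print(fid, "->", ", ".join(tags))
    for proc, tags in by_process(result).items():
        print("process", proc, "->", ", ".join(tags))
```

Run against a full report export, the per-process roll-up tells you which of the spawned rundll32.exe instances actually carries the anti-analysis and fingerprinting code, which is the one to pull memory dumps from first.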

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match, file source: 00000001.00000003.439843907.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439714014.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439807374.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439859126.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439772948.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439577459.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439521494.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439661298.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 6816, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match, file source: 00000001.00000003.439843907.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439714014.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439807374.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439859126.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439772948.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439577459.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439521494.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000003.439661298.00000000053C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 6816, type: MEMORY

Mitre Att&ck Matrix

The matrix is listed here one tactic column per line. A count in parentheses is the number of matched signatures behind that technique; techniques without a count are the unmatched cells of the matrix grid.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Application Shimming (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (2); DLL Side-Loading (1); Application Shimming (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Process Injection (2); Obfuscated Files or Information (1); Rundll32 (1); DLL Side-Loading (1); Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Query Registry (1); Security Software Discovery (2); Process Discovery (2); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 288485; Sample: 5f69b0667976ftar; Startdate: 22/09/2020; Architecture: WINDOWS; Score: 64

Sample-level signatures: Found malware configuration; Yara detected Ursnif

Process tree as drawn in the graph. The numbers in parentheses are the graph's per-node counters (Number of created Registry Values / Number of created Files); DNS/IP entries are the hosts the node resolved or contacted.

• loaddll32.exe (1), started
  • rundll32.exe, started. Signatures: Writes registry values via WMI; Creates a COM Internet Explorer object
  • rundll32.exe, started
  • rundll32.exe, started
  • rundll32.exe, started
• iexplore.exe (7, 60), started. DNS/IP: microsoftwindows.112.2o7.net; mem.gfx.ms; assets.onestore.ms
  • iexplore.exe (65), started. DNS/IP: www.microsoftstore.com; mem.gfx.ms

            Screenshots
