
Analysis Report 1wEmwERX3E

Overview

General Information

Sample Name: 1wEmwERX3E (renamed file extension from none to dll)
Analysis ID: 315954
MD5: fe590fd117449bce4bfad57d36bfc099
SHA1: a5c3d7738ebc1f1ce8353e135b8dcea17155077b
SHA256: be294b6faca17e762d1722ea1e447a3ad3a57b4c110cfe8ff515e3d2047c5ad2
Tags: OOOIstoksigned

Most interesting Screenshot:

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 7128 cmdline: loaddll32.exe 'C:\Users\user\Desktop\1wEmwERX3E.dll' MD5: 62442CB29236B024E992A556DA72B97A)
    • rundll32.exe (PID: 7136 cmdline: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\1wEmwERX3E.dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7144 cmdline: rundll32.exe C:\Users\user\Desktop\1wEmwERX3E.dll,Max2 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4240 cmdline: rundll32.exe C:\Users\user\Desktop\1wEmwERX3E.dll,Min1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cmd.exe (PID: 6320 cmdline: 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\1wEmwERX3E.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • timeout.exe (PID: 4200 cmdline: timeout /t 5 MD5: EB9A65078396FB5D4E3813BB9198CB18)
  • cmd.exe (PID: 4672 cmdline: 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\1wEmwERX3E.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • timeout.exe (PID: 4868 cmdline: timeout /t 5 MD5: EB9A65078396FB5D4E3813BB9198CB18)
  • iexplore.exe (PID: 5840 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5700 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5840 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6000 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6256 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6000 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1072 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5788 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1072 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6788 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6928 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5868 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1576 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (the Strings column is empty for every entry; 5 of 34 entries shown)
00000001.00000003.655739416.0000000006640000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.657264088.0000000006640000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.657444951.0000000006640000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.657424963.0000000006640000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000002.00000002.680460692.0000000007710000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 1wEmwERX3E.dll | Virustotal: Detection: 22%
Source: 1wEmwERX3E.dll | ReversingLabs: Detection: 18%
Source: 2.2.rundll32.exe.a70000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.rundll32.exe.4ff0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.rundll32.exe.1f0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: msapplication.xml0.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3a67e3cf,0x01d6b9a8</date><accdate>0x3a67e3cf,0x01d6b9a8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x3a67e3cf,0x01d6b9a8</date><accdate>0x3a67e3cf,0x01d6b9a8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3a6ca86e,0x01d6b9a8</date><accdate>0x3a6ca86e,0x01d6b9a8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x3a6ca86e,0x01d6b9a8</date><accdate>0x3a6ca86e,0x01d6b9a8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3a6f0ad3,0x01d6b9a8</date><accdate>0x3a6f0ad3,0x01d6b9a8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.12.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x3a6f0ad3,0x01d6b9a8</date><accdate>0x3a6f0ad3,0x01d6b9a8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: bonderlas.xyz
Source: rundll32.exe, 00000001.00000003.655739416.0000000006640000.00000004.00000040.sdmp, rundll32.exe, 00000002.00000002.680460692.0000000007710000.00000004.00000040.sdmp, rundll32.exe, 00000007.00000002.672676654.0000000007110000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: 1wEmwERX3E.dll | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 1wEmwERX3E.dll | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 1wEmwERX3E.dll | String found in binary or memory: http://ocsp.sectigo.com0#
Source: msapplication.xml.12.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.12.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.12.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.12.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.12.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.12.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.12.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.12.dr | String found in binary or memory: http://www.youtube.com/
Source: rundll32.exe, rundll32.exe, 00000001.00000003.655739416.0000000006640000.00000004.00000040.sdmp | String found in binary or memory: https://bonderlas.xyz
Source: imagestore.dat.35.dr | String found in binary or memory: https://bonderlas.xyz/favicon.ico
Source: ~DF6D83FDB61123CE65.TMP.12.dr | String found in binary or memory: https://bonderlas.xyz/index.htm
Source: {A343DEBE-259B-11EB-90EB-ECF4BBEA1588}.dat.35.dr | String found in binary or memory: https://bonderlas.xyz/index.htmRoot
Source: {A343DEBE-259B-11EB-90EB-ECF4BBEA1588}.dat.35.dr | String found in binary or memory: https://bonderlas.xyz/index.htmindex.htm
Source: rundll32.exe, 00000001.00000003.655739416.0000000006640000.00000004.00000040.sdmp | String found in binary or memory: https://bonderlas.xyzf
Source: 1wEmwERX3E.dll | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.655739416.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657264088.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657444951.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657424963.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.680460692.0000000007710000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656126339.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657326145.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.672676654.0000000007110000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657393953.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.655859083.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657041091.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657095508.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656603808.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657225417.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657187209.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656469546.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656671643.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657352227.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656022068.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.655609394.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657436767.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656736720.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657374511.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656923400.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656858028.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656799181.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656211057.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.919305599.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657410841.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.866536975.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656538142.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657298674.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656980298.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656381567.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.656299677.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.657149386.0000000006640000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7144, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7136, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.667477266.0000000000ADB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: the same 36 memory dumps and the three rundll32.exe process memory spaces (PID 7144, 4240, 7136) listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above, type: MEMORY

            System Summary:

            barindex
            Writes registry values via WMIShow sources
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BC4DF0 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError,2_2_00BC4DF0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BC1757 memcpy,memcpy,lstrcatW,CreateEventA,NtQueryInformationProcess,CloseHandle,2_2_00BC1757
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BCAC53 RtlInitUnicodeString,NtClose,RtlNtStatusToDosError,2_2_00BCAC53
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BC6101 RtlNtStatusToDosError,NtClose,2_2_00BC6101
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BC4DF0 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError,2_2_00BC4DF0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BC1757 memcpy,memcpy,lstrcatW,CreateEventA,NtQueryInformationProcess,CloseHandle,2_2_00BC1757
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BCAC53 RtlInitUnicodeString,NtClose,RtlNtStatusToDosError,2_2_00BCAC53
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BC6101 RtlNtStatusToDosError,NtClose,2_2_00BC6101
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BCC4902_2_00BCC490
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_00BCB8DC2_2_00BCB8DC
            Source: 1wEmwERX3E.dll | Static PE information: invalid certificate
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
            Source: classification engine | Classification label: mal68.troj.evad.winDLL@30/69@7/1
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{63F6FC33-259B-11EB-90EB-ECF4BBEA1588}.dat
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
            Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6256:120:WilError_01
            Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF5A243F55043841AA.TMP
            Source: 1wEmwERX3E.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
            Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\1wEmwERX3E.dll',DllRegisterServer
            Source: 1wEmwERX3E.dll | Virustotal: Detection: 22%
            Source: 1wEmwERX3E.dll | ReversingLabs: Detection: 18%
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\1wEmwERX3E.dll'
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\1wEmwERX3E.dll',DllRegisterServer
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1wEmwERX3E.dll,Max2
            Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\1wEmwERX3E.dll'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\timeout.exe timeout /t 5
            Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1wEmwERX3E.dll,Min1
            Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\1wEmwERX3E.dll'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Windows\System32\timeout.exe timeout /t 5
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5840 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6000 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1072 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\1wEmwERX3E.dll',DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1wEmwERX3E.dll,Max2
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1wEmwERX3E.dll,Min1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 5
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 5
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5840 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6000 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1072 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6788 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2
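            Read together, the process-creation entries above show the sandbox loader handing the DLL to three rundll32.exe instances (exports DllRegisterServer, Max2 and Min1) and a cmd.exe chain that waits five seconds and then deletes the DLL from the user's Desktop. The Python below is an added example and is not part of the report or of the sandbox's own tooling: it rebuilds the process tree from report-style events (constructed here from the lines above), extracts the DLL and export from each rundll32/loaddll32 command line, and only reports "self-deletion" when the file named in the del command is a module the loader processes actually opened. The parent of cmd.exe is left as "unknown", exactly as the report records it; the user-writable path heuristic is this example's own choice.

```python
"""Rebuild the process tree from sandbox 'Process created' lines and flag the
'timeout && del' self-deletion of a DLL that rundll32 has just loaded.
Added example for this report, not code from the sandbox vendor. The sample
events are constructed from the report's own 'Process created' entries."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent image, or "unknown" when the sandbox did not attribute one
    image: str     # created image
    cmdline: str   # recorded command line


# rundll32.exe <dll>,<export>  (path optionally single-quoted)
RUNDLL_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',]+?)'?\s*,\s*(?P<export>\w+)", re.I)
# loaddll32.exe <dll>          (sandbox DLL loader)
LOADDLL_RE = re.compile(r"loaddll32\.exe\s+'?(?P<dll>[^']+?)'?\s*$", re.I)
# cmd /C timeout /t <n> && del <path>  (path optionally quoted)
SELFDEL_RE = re.compile(
    r"timeout\s+/t\s+(?P<delay>\d+)\s*&&\s*del\s+['\"]?(?P<target>[^'\"]+?)['\"]?\s*$", re.I)

# Constructed from the report above; parents the sandbox left as "unknown" stay that way.
SAMPLE_EVENTS = [
    ProcEvent("unknown", r"C:\Windows\System32\loaddll32.exe",
              r"loaddll32.exe 'C:\Users\user\Desktop\1wEmwERX3E.dll'"),
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\1wEmwERX3E.dll',DllRegisterServer"),
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\1wEmwERX3E.dll,Max2"),
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\1wEmwERX3E.dll,Min1"),
    ProcEvent("unknown", r"C:\Windows\System32\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\1wEmwERX3E.dll'"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\timeout.exe", "timeout /t 5"),
    ProcEvent("unknown", r"C:\Program Files\internet explorer\iexplore.exe",
              r"'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding"),
]


def user_writable(path: str) -> bool:
    """Paths a standard user can write to; heuristic chosen for this example."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p or "\\temp\\" in p


def loaded_dlls(events):
    """Map each DLL path (lower-cased) to the set of exports invoked on it."""
    dlls = {}
    for ev in events:
        m = RUNDLL_RE.search(ev.cmdline)
        if m:
            dlls.setdefault(m["dll"].lower(), set()).add(m["export"])
            continue
        m = LOADDLL_RE.search(ev.cmdline)
        if m:
            dlls.setdefault(m["dll"].lower(), set())
    return dlls


def find_self_deletion(events):
    """One record per 'timeout && del' chain, correlated with the DLLs seen loading."""
    dlls = loaded_dlls(events)
    hits = []
    for ev in events:
        m = SELFDEL_RE.search(ev.cmdline)
        if not m:
            continue
        target = m["target"]
        hits.append({
            "delay_seconds": int(m["delay"]),
            "target": target,
            "deletes_loaded_dll": target.lower() in dlls,
            "exports_called": sorted(dlls.get(target.lower(), ())),
        })
    return hits


def analyze(events):
    """Summary a triage analyst can read: user-path DLLs, self-deletion, parent/child map."""
    dlls = loaded_dlls(events)
    children = {}
    for ev in events:
        children.setdefault(ev.parent, []).append(ev.image)
    return {
        "dlls_from_user_paths": {d: sorted(x) for d, x in dlls.items() if user_writable(d)},
        "self_deletion": find_self_deletion(events),
        "children_by_parent": children,
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

            The correlation step matters more than the regex: a bare "timeout && del" is also how installers clean up after themselves, but a del whose target is the very DLL three rundll32.exe instances just called exports on is the self-removal pattern this report shows.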
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: Binary string: crusoe.pdb source: 1wEmwERX3E.dll
            Source: Binary string: wSTATUS_ILL_FORMED_PASSWORDEV_MMAC_TX_SCHED_ACK_MPDU_READY16- High Carrier Ability at 3000 : %dkernel32crusoe.pdbMsi.dllMsiGetComponentStateASetting vmnet-dhcp IP address: %sSetMenuruntime error source: 1wEmwERX3E.dll
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_3_066419E9 push ecx; retf 1_3_066419FF
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_3_06641A3F push edx; iretd 1_3_06641A78

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000003.655739416.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657264088.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657444951.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657424963.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.680460692.0000000007710000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656126339.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657326145.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.672676654.0000000007110000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657393953.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.655859083.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657041091.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657095508.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656603808.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657225417.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657187209.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656469546.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656671643.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657352227.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656022068.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.655609394.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657436767.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656736720.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657374511.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656923400.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656858028.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656799181.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656211057.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.919305599.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657410841.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.866536975.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656538142.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657298674.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656980298.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656381567.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.656299677.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657149386.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7144, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4240, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7136, type: MEMORY
            Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\timeout.exe TID: 4168 | Thread sleep count: 36 > 30
            Source: C:\Windows\System32\timeout.exe TID: 4564 | Thread sleep count: 44 > 30
            Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: 1wEmwERX3E.dll | Binary or memory string: Setting vmnet-dhcp IP address: %s
            Source: 1wEmwERX3E.dll | Binary or memory string: wSTATUS_ILL_FORMED_PASSWORDEV_MMAC_TX_SCHED_ACK_MPDU_READY16- High Carrier Ability at 3000 : %dkernel32crusoe.pdbMsi.dllMsiGetComponentStateASetting vmnet-dhcp IP address: %sSetMenuruntime error
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_001D0940 mov eax, dword ptr fs:[00000030h] | 7_2_001D0940

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.140.147.167 187
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 5
            Source: rundll32.exe, 00000001.00000002.918427163.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: rundll32.exe, 00000001.00000002.918427163.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: rundll32.exe, 00000001.00000002.918427163.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: rundll32.exe, 00000001.00000002.918427163.0000000003830000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00BC8CF4 cpuid | 2_2_00BC8CF4
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage, | 2_2_00BC340B
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00BC7FAD memset,RtlInitializeCriticalSection,GetCurrentProcessId,OpenProcess,GetSystemTimeAsFileTime, | 2_2_00BC7FAD
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00BCA06E CreateMutexW,GetLastError,CloseHandle,GetLastError,GetVersionExA,GetModuleHandleA,RtlImageNtHeader,CloseHandle, | 2_2_00BCA06E
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000003.655739416.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657264088.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657444951.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.657424963.0000000006640000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.680460692.0000000007710000.00000004.000