
Analysis Report ioir.png.dll

Overview

General Information

Sample Name: ioir.png.dll
Analysis ID: 349160
MD5: d31c0491f522d6b9f2102109bd2420af
SHA1: dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
SHA256: f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
Tags: isfbv3ursnif

Most interesting Screenshot:

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to detect sleep reduction / modifications
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6480 cmdline: loaddll32.exe 'C:\Users\user\Desktop\ioir.png.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)
    • rundll32.exe (PID: 3848 cmdline: rundll32.exe 'C:\Users\user\Desktop\ioir.png.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6308 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 744 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • iexplore.exe (PID: 6588 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6748 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6952 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.647244035.0000000005360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.648667636.0000000005360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.648893530.0000000005360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.647868794.0000000005360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: ioir.png.dll | Virustotal: Detection: 42%
Source: ioir.png.dll | ReversingLabs: Detection: 41%
Source: 0.2.loaddll32.exe.22d0174.3.unpack | Avira: Label: TR/Kazy.4159236
Source: 1.2.rundll32.exe.3540000.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.rundll32.exe.3530174.4.unpack | Avira: Label: TR/Kazy.4159236
Source: 0.2.loaddll32.exe.2430000.4.unpack | Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: ioir.png.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 45.133.216.103:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.133.216.103:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.133.216.103:443 -> 192.168.2.4:49777 version: TLS 1.2
Binary contains paths to debug symbols
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00404FF4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: msapplication.xml0.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x19bc77f4,0x01d6fbc9</date><accdate>0x19bc77f4,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x19bc77f4,0x01d6fbc9</date><accdate>0x19bc77f4,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x19c13ca7,0x01d6fbc9</date><accdate>0x19c13ca7,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x19c13ca7,0x01d6fbc9</date><accdate>0x19c13ca7,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x19c39f10,0x01d6fbc9</date><accdate>0x19c39f10,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x19c39f10,0x01d6fbc9</date><accdate>0x19c39f10,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: topitophug.xyz
Source: loaddll32.exe, 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, rundll32.exe, 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: msapplication.xml.8.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.8.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.8.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.8.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.8.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.8.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.8.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.8.dr | String found in binary or memory: http://www.youtube.com/
Source: loaddll32.exe | String found in binary or memory: https://topitophug.xyz
Source: loaddll32.exe, 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, ~DFF728301785477207.TMP.8.dr | String found in binary or memory: https://topitophug.xyz/index.htm
Source: {FC8A972A-67BB-11EB-90EB-ECF4BBEA1588}.dat.8.dr | String found in binary or memory: https://topitophug.xyz/index.htm/index.htm
Source: {FC8A972A-67BB-11EB-90EB-ECF4BBEA1588}.dat.8.dr | String found in binary or memory: https://topitophug.xyz/index.htmRoot
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0040682E OpenClipboard
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00420958 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00420F9C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00452C8C GetKeyboardState
Source: C:\Windows\System32\loaddll32.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\SysWOW64\rundll32.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY

System Summary:

            Writes or reads registry keys via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00455C08 NtdllDefWindowProc_A,GetCapture, 1_2_00455C08
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00442040 NtdllDefWindowProc_A, 1_2_00442040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_004427E8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_004427E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00442898 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00442898
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00429150 NtdllDefWindowProc_A, 1_2_00429150
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0044B7E0 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 1_2_0044B7E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_03552415 NtQueryVirtualMemory, 1_2_03552415
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_035A1757 memcpy,memcpy,lstrcatW,CreateEventA,NtQueryInformationProcess,CloseHandle, 1_2_035A1757
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_035A4DF0 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError, 1_2_035A4DF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_035A6101 RtlNtStatusToDosError,NtClose, 1_2_035A6101
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_035AAC53 RtlInitUnicodeString,NtClose,RtlNtStatusToDosError, 1_2_035AAC53
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0043C538 1_2_0043C538
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0044B7E0 1_2_0044B7E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_035521F4 1_2_035521F4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_03531768 1_2_03531768
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_03531D74 1_2_03531D74
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_035AB8DC 1_2_035AB8DC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_035AC490 1_2_035AC490
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 004060A8 appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 00403F1C appears 71 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 744
Source: ioir.png.dll | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: ioir.png.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal68.troj.evad.winDLL@9/19@2/1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0041DCB4 GetLastError,FormatMessageA, 1_2_0041DCB4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00408632 GetDiskFreeSpaceA, 1_2_00408632
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00413784 FindResourceA, 1_2_00413784
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FC8A9728-67BB-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Windows\System32\loaddll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3848
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3C4.tmp
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\win.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ioir.png.dll',#1
Source: ioir.png.dll | Virustotal: Detection: 42%
Source: ioir.png.dll | ReversingLabs: Detection: 41%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ioir.png.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ioir.png.dll',#1
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 744
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17418 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ioir.png.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17418 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe | File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: Binary string: powrprof.pdbF source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.652704445.0000000004CEB000.00000004.00000001.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: riched20.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb@ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: bcrypt.pdb. source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: winspool.pdb$ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: oleaut32.pdb< source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: usp10.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: setupapi.pdb( source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: riched32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb$ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: rundll32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: version.pdb2 source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: msls31.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_00426E24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00426E24
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0045D200 push 0045D28Dh; ret 1_2_0045D285
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00444114 push 0044416Eh; ret 1_2_00444166
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0044C294 push 0044C2FFh; ret 1_2_0044C2F7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0042435C push 00424388h; ret 1_2_00424380
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_004243AC push 004243D8h; ret 1_2_004243D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00424664 push 00424690h; ret 1_2_00424688
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00410696 push 0041070Eh; ret 1_2_00410706
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00410698 push 0041070Eh; ret 1_2_00410706
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0042675C push 00426794h; ret 1_2_0042678C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00424760 push 0042478Ch; ret 1_2_00424784
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00410710 push 004107B8h; ret 1_2_004107B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00424798 push 004247C4h; ret 1_2_004247BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0041A7B2 push 0041A85Fh; ret 1_2_0041A857
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0041A7B4 push 0041A85Fh; ret 1_2_0041A857
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_004107BA push 00410900h; ret 1_2_004108F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0041A864 push 0041A8F4h; ret 1_2_0041A8EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_004108D4 push 00410900h; ret 1_2_004108F8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0041A8F6 push 0041ABFCh; ret 1_2_0041ABF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00430954 push 004309CAh; ret 1_2_004309C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00412A4C push ecx; mov dword ptr [esp], edx 1_2_00412A51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00406A60 push ecx; mov dword ptr [esp], eax 1_2_00406A61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00452A2C push ecx; mov dword ptr [esp], ecx 1_2_00452A30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00426A80 push 00426AACh; ret 1_2_00426AA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0041ABD0 push 0041ABFCh; ret 1_2_0041ABF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0040CBD4 push ecx; mov dword ptr [esp], edx 1_2_0040CBD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00436BB0 push 00436C25h; ret 1_2_00436C1D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00406C44 push 00406C70h; ret 1_2_00406C68
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00412C74 push ecx; mov dword ptr [esp], edx 1_2_00412C79
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00406C7C push 00406CA8h; ret 1_2_00406CA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00436C28 push 00436C81h; ret 1_2_00436C79
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00426C2C push 00426C58h; ret 1_2_00426C50
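The evidence rows in this System Summary boil down to a handful of behaviours worth pulling out explicitly: registry writes routed through WMI's StdRegProv class (SetDWORDValue, SetBinaryValue and SetStringValue invoked via IWbemServices::ExecMethod, so the values land in the registry without the process ever calling the RegSetValue* APIs a user-mode hook would watch), a function that resolves its imports with a long run of GetProcAddress calls, Nt* process and token introspection (NtQueryInformationProcess, NtQueryVirtualMemory, NtOpenProcessToken), and many "push imm32; ret" sequences. Two caveats a reviewer should keep in mind: the *.pdb strings listed above were all found in WerFault.exe memory, i.e. in the Windows crash reporter that handled the rundll32.exe crash (-p 3848), not in the sample; and every push/ret pair in this report pushes an address exactly 8 bytes past its ret, which, together with the HKEY_CURRENT_USER\Software\Borland\Delphi\Locales key both processes open, is consistent with the Delphi compiler's try/finally epilogue rather than hand-rolled control-flow obfuscation. That last reading is the editor's interpretation, not a report finding.

The following triage helper is an added example written for this page; it is not part of the Joe Sandbox report or of any Joe Sandbox tooling. It parses evidence rows in both the column-separated form and the flattened form the page extraction produced ("...exeCode function: ..."), groups the API chains per function id and derives the flags above. The sample rows are copied from this report, except that the GetProcAddress run in 1_2_00426E24 is shortened to 12 repeats; the flag names and the threshold of 8 GetProcAddress calls are the editor's choices.

```python
"""Triage helper for flattened Joe Sandbox evidence rows (added example).

Accepts rows in the column-separated form and in the flattened form the page
extraction produced ("...exeCode function: ..."), groups API call chains per
function id and flags the behaviours a reviewer would otherwise pull out by hand.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the report above. The GetProcAddress
# run in 1_2_00426E24 is shortened to 12 repeats for readability.
SAMPLE_ROWS = [
    "Source: C:\\Windows\\System32\\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\\default : StdRegProv::SetDWORDValue",
    "Source: C:\\Windows\\System32\\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\\default : StdRegProv::SetBinaryValue",
    "Source: C:\\Windows\\System32\\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\\default : StdRegProv::SetDWORDValue",
    "Source: C:\\Windows\\System32\\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\\default : StdRegProv::SetBinaryValue",
    "Source: C:\\Windows\\System32\\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\\default : StdRegProv::SetStringValue",
    "Source: C:\\Windows\\System32\\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\\default : StdRegProv::GetDWORDValue",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_035A1757 memcpy,memcpy,lstrcatW,CreateEventA,NtQueryInformationProcess,CloseHandle,1_2_035A1757",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 1_2_00426E24 LoadLibraryA," + "GetProcAddress," * 12 + "1_2_00426E24",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exeCode function: 1_2_0043C5381_2_0043C538",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,1_2_00441638",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 1_2_0045D200 push 0045D28Dh; ret 1_2_0045D285",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 1_2_00444114 push 0044416Eh; ret 1_2_00444166",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 1_2_0044C294 push 0044C2FFh; ret 1_2_0044C2F7",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe | Code function: 1_2_00412A4C push ecx; mov dword ptr [esp], edx1_2_00412A51",
]

# Lazy source match lets the kind keyword sit right after ".exe" (flattened
# form) or after a " | " column separator.
ROW_RE = re.compile(r"^Source: (?P<source>.+?)(?: \| )?"
                    r"(?P<kind>Code function|WMI Queries|WMI Registry write|Process queried): (?P<detail>.*)$")
# "<fid> <body>, <tail>": fid is missing in some rows and body may be empty.
FUNC_RE = re.compile(r"^(?:(?P<fid>\d+_\d+_[0-9A-F]{8})\s*)?(?P<body>.*?),?\s*(?P<tail>\d+_\d+_[0-9A-F]{8})$")
PUSH_RET_RE = re.compile(r"^push (?P<target>[0-9A-F]{8})h; ret$")
# Nt* calls that read process/debugger state; the report's "Process queried:
# DebugPort" is the NtQueryInformationProcess(ProcessDebugPort) instance.
INTROSPECTION_APIS = {"NtQueryInformationProcess", "NtQueryVirtualMemory",
                      "NtOpenProcessToken", "NtQueryInformationToken"}
DYNAMIC_IMPORT_THRESHOLD = 8  # GetProcAddress calls within one function (editor's choice)


def parse_row(row):
    """Split one evidence row into source, kind and a decoded detail."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    rec = {"source": m["source"], "kind": m["kind"], "detail": m["detail"]}
    if rec["kind"] == "Code function":
        f = FUNC_RE.match(rec["detail"])
        if f:
            rec["fid"] = f["fid"] or f["tail"]
            rec["tail"] = f["tail"]
            body = f["body"]
            pr = PUSH_RET_RE.match(body)
            if pr:
                rec["push_target"] = int(pr["target"], 16)
            elif ";" not in body:            # comma-separated API chain
                rec["apis"] = [a for a in body.split(",") if a]
            else:                            # other inline assembly
                rec["asm"] = body
    elif "StdRegProv::" in rec["detail"]:
        rec["wmi_method"] = rec["detail"].rsplit("::", 1)[1]
    return rec


def summarize(rows):
    """Aggregate parsed rows into the facts worth putting in a triage note."""
    out = {"wmi_registry_writes": Counter(), "wmi_registry_reads": Counter(),
           "api_chains": {}, "flags": defaultdict(set), "push_ret": [],
           "bare_functions": []}
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        if "wmi_method" in rec:
            # The report lists each write under two signatures; count writes
            # only from "WMI Registry write" rows to avoid double counting.
            if rec["kind"] == "WMI Registry write":
                out["wmi_registry_writes"][rec["wmi_method"]] += 1
            elif rec["wmi_method"].startswith("Get"):
                out["wmi_registry_reads"][rec["wmi_method"]] += 1
            continue
        if "fid" not in rec:
            continue
        fid = rec["fid"]
        if "push_target" in rec:
            # Distance from the ret to the pushed address: a constant small delta
            # across many functions points at a compiler idiom, not at obfuscation.
            ret_addr = int(rec["tail"].rsplit("_", 1)[1], 16)
            out["push_ret"].append((fid, rec["push_target"], ret_addr, rec["push_target"] - ret_addr))
        elif rec.get("apis"):
            apis = rec["apis"]
            out["api_chains"][fid] = apis
            if apis.count("GetProcAddress") >= DYNAMIC_IMPORT_THRESHOLD:
                out["flags"][fid].add("dynamic-import-resolution")
            if INTROSPECTION_APIS & set(apis):
                out["flags"][fid].add("process-introspection")
            if "GetCursorPos" in apis and {"WaitForSingleObject", "Sleep"} & set(apis):
                out["flags"][fid].add("cursor-movement-check")
        elif "apis" in rec:                  # function id with no detail at all
            out["bare_functions"].append(fid)
    out["flags"] = dict(out["flags"])
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the sample rows; to use it on a full report, paste the evidence rows of one signature section into a list and pass that to summarize(). The push_ret tuples carry the delta as their last element, so a quick `set(d for *_, d in summary["push_ret"])` shows whether the pattern is uniform.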

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.647244035.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648667636.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648893530.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.647868794.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648751901.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648917284.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648176949.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648860307.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.647426858.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.647623145.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.649011597.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.647521163.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.649003327.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.647703250.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648956787.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648265573.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648974202.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.647795143.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.647330409.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.647948135.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648938200.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648374581.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648323443.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648615088.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648037894.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648828511.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648478035.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648792520.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648104820.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648425491.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.648990980.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_004420C8 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_004420C8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00458504 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00458504
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_004427E8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_004427E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00442898 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00442898
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0043F0F0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0043F0F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0045732C IsIconic,GetCapture, 1_2_0045732C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00457BE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00457BE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00423E14 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00423E14
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_00426E24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00426E24
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00436AB0 1_2_00436AB0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_00441638
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00436AB0 1_2_00436AB0
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00404FF4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00404FF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_0041E244 GetSystemInfo, 1_2_0041E244
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000004.00000002.668258285.0000000004CF0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000004.00000002.668258285.0000000004CF0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW)
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_035A193B StrTrimA,lstrlen,wsprintfA,LdrInitializeThunk,LdrInitializeThunk, 1_2_035A193B
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_00426E24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00426E24
            Source: C:\Windows\System32\loaddll32.exeMemory protected: page write copy | page execute | page execute read | page execute and read and write | page guardJump to behavior
            Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_035A212D cpuid 1_2_035A212D
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_004051AC
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetACP,1_2_0040C420
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,1_2_0040AE34
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,1_2_0040AE80
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,1_2_004052B8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,1_2_00405AA2
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,1_2_00405AA4
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,1_2_035A340B
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_00409934 GetLocalTime,1_2_00409934
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 1_2_0045D200 GetVersion,1_2_0045D200
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY

            Remote Access Functionality: