
Analysis Report SecuriteInfo.com.Mal.EncPk-APW.3323.18304

Overview

General Information

Sample Name: SecuriteInfo.com.Mal.EncPk-APW.3323.18304 (renamed file extension from 18304 to dll)
Analysis ID: 382278
MD5: 937e2c551368757c5e3c3598c41ea7d9
SHA1: 599b5bc9138bec69ac61a82858d2a2115eeab943
SHA256: cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5

Detection

Ursnif
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6780 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6804 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6836 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6824 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
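A detection-engineering note on the process tree above, written as an added example that is not part of the Joe Sandbox report. loaddll32.exe is the sandbox's own DLL loader: it calls the sample's exports (ordinal #1 through cmd.exe and rundll32.exe, the named export DllServer through rundll32.exe directly), so a rule keyed on that parent never fires outside the sandbox. What carries over to a real host is rundll32.exe being handed a DLL from a user-writable path, possibly by ordinal, possibly through cmd.exe. The script reconstructs the tree from constructed process-creation events mirroring the PIDs and command lines printed above (the parent of PID 6780 is invented), parses the rundll32 command line and flags those properties. The event layout, the trusted-directory list and the reason strings are assumptions.

```python
import ntpath
import re

# Constructed process-creation events mirroring the Startup tree of this report
# (PIDs and command lines as printed there; the parent of PID 6780 is invented).
EVENTS = [
    {"pid": 6780, "ppid": 1000, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'"},
    {"pid": 6804, "ppid": 6780, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1"},
    {"pid": 6836, "ppid": 6804, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1"},
    {"pid": 6824, "ppid": 6780, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer"},
    # benign control: a system DLL invoked through its documented export name
    {"pid": 7000, "ppid": 1000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# rundll32 syntax is "<dll>,<entry>"; the entry is a name or an ordinal written "#N".
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<q>['\"]?)(?P<dll>[^'\"]+?)(?P=q)\s*,\s*(?P<export>\S+)",
    re.IGNORECASE)
# Directories treated as trusted for this check (assumption; adjust to the estate).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None if it does not parse."""
    m = RUNDLL_RE.search(cmdline)
    return (m["dll"], m["export"]) if m else None


def parent_chain(events, pid):
    """Image basenames from the given process up to the root of the known tree."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events):
    """Map PID -> list of reasons for every rundll32 process worth a look."""
    findings = {}
    for e in events:
        if ntpath.basename(e["image"]).lower() != "rundll32.exe":
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        dll, export = parsed
        reasons = []
        if export.startswith("#"):
            reasons.append("ordinal export")  # entry resolved by number, no export name needed
        if not dll.lower().startswith(SYSTEM_DIRS):
            reasons.append("dll outside system directories")
        if "cmd.exe" in (p.lower() for p in parent_chain(events, e["pid"])[1:]):
            reasons.append("launched via cmd.exe")
        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, " <- ".join(parent_chain(EVENTS, pid)), reasons)
```

Run against the constructed events, PID 6836 collects all three reasons, PID 6824 only the path reason, and the shell32 control is not reported; the parent chain for 6836 is rundll32.exe <- cmd.exe <- loaddll32.exe, which is why the rule reasons about the rundll32 command line rather than the loader.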

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none listed)
00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none listed)
00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none listed)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.13d0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none listed)
3.2.rundll32.exe.3220000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none listed)
2.2.rundll32.exe.a50000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | (none listed)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Machine Learning detection for sample
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
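The static PE facts the report prints (32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, and further down the non-standard section name .code) can be reproduced without third-party tooling. The following is an added example, not part of the Joe Sandbox report or its engine: a minimal parser for the COFF file header and the section table using only the standard library. Because the report does not carry the file, the bytes it parses are constructed in the script (a header-only 32-bit DLL with a .code section); the list of "standard" section names is an assumption used for triage.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine / Characteristics values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000

# Section names that mainstream linkers (MSVC, MinGW/GCC, clang) emit. This list is an
# assumption for triage; packers and hand-written assembly use other names.
STANDARD_SECTIONS = {
    ".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc", ".bss",
    ".tls", ".pdata", ".CRT", ".textbss", ".gfids", ".00cfg", ".xdata", ".debug",
}


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header pointer, COFF header and section table; return triage facts."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    sec_off = coff + 20 + opt_size  # the section table follows the optional header
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": rawsize, "raw_pointer": rawptr, "flags": sflags,
        })
    flags = []
    if chars & IMAGE_FILE_32BIT_MACHINE:
        flags.append("32BIT_MACHINE")
    if chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        flags.append("EXECUTABLE_IMAGE")
    if chars & IMAGE_FILE_DLL:
        flags.append("DLL")
    return {
        "machine": machine,
        "is_32bit_x86": machine == IMAGE_FILE_MACHINE_I386,
        "characteristics": flags,
        "sections": sections,
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
    }


def build_header_only_pe(section_names, characteristics, machine=IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed test input: a 32-bit PE header with no optional header and no section data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, characteristics)
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii").ljust(8, b"\0"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + secs


# Constructed stand-in for the sample: the characteristics the report prints, plus a .code section.
SAMPLE_PE = build_header_only_pe(
    [".code", ".rdata", ".data", ".reloc"],
    IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    info = parse_pe(data)
    print("machine=0x%04x characteristics=%s" % (info["machine"], ", ".join(info["characteristics"])))
    for s in info["sections"]:
        print("  %-8s va=0x%08x vsize=0x%x raw=0x%x" % (
            s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"]))
    print("non-standard section names:", info["nonstandard_sections"])
```

Pass a real file as the first argument to run the same checks on it. A non-standard section name is a triage hint, not a verdict: legitimate assemblers and linkers also emit names outside the list, which is why the report scores it as one weak signature among several rather than as a detection.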

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match; File source: 00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.loaddll32.exe.13d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.rundll32.exe.3220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.rundll32.exe.a50000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif: the same six matches (three memory dumps, three unpacked PEs) listed under Key, Mouse, Clipboard, Microphone and Screen Capturing.
Code functions identified in C:\Windows\System32\loaddll32.exe (0_2_*): 01205F16, 01205A25, 0120150C, 01203A14, 01201B1E, 01205262, 01202566, 01201967, 01202A69, 01205378, 01203FAB, 01202FAF, 012092B2, 012031B3, 012088BA, 012013C5, 01201CD0, 012027D4, 012043D8
Code functions identified in C:\Windows\SysWOW64\rundll32.exe (2_2_*): 007A5F16, 007A5378, 007A2A69, 007A5262, 007A2566, 007A1967, 007A5A25, 007A1B1E, 007A3A14, 007A150C, 007A43D8, 007A1CD0, 007A27D4, 007A13C5, 007A88BA, 007A92B2, 007A31B3, 007A3FAB, 007A2FAF
Code functions identified in C:\Windows\SysWOW64\rundll32.exe (3_2_*): 03206A9C, 03202100, 0320150C, 0320510C, 03203A14, 03205F16, 03201B1E, 03202566, 03201967, 03202A69, 03203574, 03202FAF, 032092B2, 032088BA, 03204593, 032013C5, 03203DCD, 032027D4
The low 16 bits of these addresses recur across processes: processes 0 and 2 report the identical 19 offsets at bases 0x01200000 and 0x007A0000, and process 3 shares 12 of them at base 0x03200000 while adding six others (6A9C, 2100, 510C, 3574, 4593, 3DCD). This is consistent with the same unpacked code being mapped at a different base in each process.
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine; Classification label: mal52.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key that Windows consults during process creation; on its own this is not evidence of sample behaviour)
Process created (unique command lines; the report repeats several of them under more than one signature):
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll; Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe; Code function 0_2_01205F16 contains 31 instruction pairs of the form "push X; mov dword ptr [esp], reg". The pushed value is overwritten before it is ever read, so each pair is equivalent to a plain "push reg"; the extra instructions exist to defeat byte-pattern signatures and naive decompilation. Distinct pairs and how often each occurs:

Pair | Count
push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 7
push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 6
push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 5
push 00000000h; mov dword ptr [esp], edi | 4
push 00000000h; mov dword ptr [esp], edx | 3
push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx | 2
push 00000000h; mov dword ptr [esp], ebp | 1
push 00000000h; mov dword ptr [esp], eax | 1
push dword ptr [ebp-08h]; mov dword ptr [esp], ecx | 1
push dword ptr [ebp-10h]; mov dword ptr [esp], edx | 1

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif: the same six matches (three memory dumps, three unpacked PEs) listed under Key, Mouse, Clipboard, Microphone and Screen Capturing.
Process information set: NOOPENFILEERRORBOX, i.e. SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the error dialog for a failed file open; recorded twice for C:\Windows\System32\loaddll32.exe and ten times for C:\Windows\SysWOW64\rundll32.exe. The sandbox loader and rundll32 set this themselves, so it is a weak signal on its own.
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_01202A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 2_2_007A2A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_03202A69 xor edi, dword ptr fs:[00000030h]
(fs:[30h] is the ProcessEnvironmentBlock pointer in the 32-bit TEB, which is what the "Contains functionality to read the PEB" signature keys on; the same function sits at offset 2A69 in all three processes.)
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
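The push/mov instruction listing under E-Banking Fraud and the fs:[30h] lines in this section are the raw material a reviewer works from, and the report prints them as one line per observation. The script below is an added example, not part of the report or of any Joe Sandbox tooling: it parses lines in the report's own "Code function:" format, tags the two idioms seen in this sample (push-then-overwrite obfuscation, which is semantically a plain "push reg", and PEB access through fs:[30h], the ProcessEnvironmentBlock pointer in the 32-bit TEB), and correlates function addresses across the three processes by their offset from a 64 KiB-aligned base. The sample lines are copied from this report; the base heuristic, the tag names and the fs:[18h] TEB check are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the signature listing of this report.
REPORT_LINES = r"""
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], edi
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0120150C
Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01202A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_007A5F16
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_007A150C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_007A2A69 xor edi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03206A9C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0320150C
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03205F16
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_03202A69 xor edi, dword ptr fs:[00000030h]
""".strip().splitlines()

# "<proc>_<n>_<addr>" followed by an optional instruction, as the report prints it.
CODE_FN_RE = re.compile(
    r"Code function:\s*(?P<proc>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8})(?:\s+(?P<ins>\S.*?))?\s*$")
# "push X; mov [esp], reg": the pushed value is dead, the pair is really "push reg".
PUSH_OVERWRITE_RE = re.compile(r"^push\s+.+;\s*mov\s+dword ptr \[esp\],\s*\w+$")
PEB_RE = re.compile(r"fs:\[0*30h\]")   # TEB.ProcessEnvironmentBlock on 32-bit Windows
TEB_RE = re.compile(r"fs:\[0*18h\]")   # TEB self pointer (assumed useful; not seen in this report)
GRANULARITY = 0x10000                  # Windows allocation granularity (base heuristic)


def parse_code_functions(lines):
    """Extract {proc, addr, ins} records from report lines; ins is None when absent."""
    out = []
    for line in lines:
        m = CODE_FN_RE.search(line)
        if m:
            out.append({"proc": int(m["proc"]), "addr": int(m["addr"], 16), "ins": m["ins"]})
    return out


def classify_instruction(ins):
    """Tag an instruction text with the idioms this script knows about."""
    tags = []
    if ins is None:
        return tags
    if PUSH_OVERWRITE_RE.match(ins):
        tags.append("push-then-overwrite")
    if PEB_RE.search(ins):
        tags.append("peb-access")
    if TEB_RE.search(ins):
        tags.append("teb-access")
    return tags


def correlate_functions(records):
    """Map offset-from-base -> sorted list of processes that contain a function there.

    The base of each process is the lowest reported address rounded down to the
    allocation granularity; a heuristic that holds when all functions of interest
    lie in the first 64 KiB of one mapping, as they do in this report.
    """
    lowest = {}
    for r in records:
        lowest[r["proc"]] = min(lowest.get(r["proc"], r["addr"]), r["addr"])
    base = {p: a & ~(GRANULARITY - 1) for p, a in lowest.items()}
    by_offset = defaultdict(set)
    for r in records:
        by_offset[r["addr"] - base[r["proc"]]].add(r["proc"])
    return {off: sorted(procs) for off, procs in by_offset.items()}


def summarize(lines):
    recs = parse_code_functions(lines)
    tag_counts = defaultdict(int)
    for r in recs:
        for t in classify_instruction(r["ins"]):
            tag_counts[t] += 1
    corr = correlate_functions(recs)
    shared = sorted(off for off, procs in corr.items() if len(procs) > 1)
    return {"functions": len(recs), "tags": dict(tag_counts),
            "shared_offsets": shared, "correlation": corr}


if __name__ == "__main__":
    s = summarize(REPORT_LINES)
    print("records:", s["functions"], "tags:", s["tags"])
    for off in sorted(s["correlation"]):
        print("  offset 0x%04X in processes %s" % (off, s["correlation"][off]))
```

On the eleven sample lines the script reports two push-then-overwrite pairs and three PEB reads, finds offsets 150C, 2A69 and 5F16 in all three processes and 6A9C only in process 3, which is the cross-process picture a reviewer wants before opening any of the three dumps.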

Stealing of Sensitive Information:

Yara detected Ursnif: the same six matches (three memory dumps, three unpacked PEs) listed under Key, Mouse, Clipboard, Microphone and Screen Capturing.

Remote Access Functionality:

Yara detected Ursnif: the same six matches (three memory dumps, three unpacked PEs) listed under Key, Mouse, Clipboard, Microphone and Screen Capturing.

Mitre Att&ck Matrix

Techniques followed by a digit badge (as printed) are those the report's signatures mapped to; the remaining cells are the unmatched scaffold of the matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 11 | Rundll32 1 | OS Credential Dumping | Virtualization/Sandbox Evasion 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | System Information Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 11 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |

Behavior Graph

Behavior Graph ID: 382278; Sample: SecuriteInfo.com.Mal.EncPk-...; Start date: 06/04/2021; Architecture: WINDOWS; Score: 52
(The rendered graph and its legend are not recoverable in text. Its content: the start node carries the signatures "Yara detected Ursnif" and "Machine Learning detection for sample"; the start node started loaddll32.exe; loaddll32.exe started cmd.exe and rundll32.exe; cmd.exe started rundll32.exe.)
