Analysis Report WoyEsA8v7H.dll

Overview

General Information

Sample Name: WoyEsA8v7H.dll
Analysis ID: 432585
MD5: 5a414b378a75f928594e1ddacccb40dc
SHA1: 341a60d3181bf62aa8344f4544598f7e217c1b03
SHA256: 0d4d60b0de26c90819f65b22796c1600e4942e95952c6cf19f2618b0461a441f
Tags: dll, Gozi, ISFB, Ursnif

Most interesting Screenshot:

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5300 cmdline: loaddll32.exe 'C:\Users\user\Desktop\WoyEsA8v7H.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5284 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\WoyEsA8v7H.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4968 cmdline: rundll32.exe 'C:\Users\user\Desktop\WoyEsA8v7H.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • cmd.exe (PID: 5688 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5212 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 1492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 4872 cmdline: rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Connectdark MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 5640 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2996 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 4228 cmdline: rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Mindlake MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 5656 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4660 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 4012 cmdline: rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Porthigh MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 2540 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5424 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 1968 cmdline: rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Problemscale MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6028 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6180 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 1532 cmdline: rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,WingGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 5668 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6192 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2168 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6200 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
WoyEsA8v7H.dll | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000016.00000002.570061995.000000006E1A1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000002.00000002.523416376.000000006E1A1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000015.00000002.590312640.000000006E1A1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
0000000D.00000002.552879000.000000006E1A1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000010.00000002.545510346.000000006E1A1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.6e1a0000.0.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.6e1a0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
22.2.rundll32.exe.6e1a0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
21.2.rundll32.exe.6e1a0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
16.2.rundll32.exe.6e1a0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: WoyEsA8v7H.dll | Avira: detected
Multi AV Scanner detection for submitted file
Source: WoyEsA8v7H.dll | Virustotal: Detection: 57%
Source: WoyEsA8v7H.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: WoyEsA8v7H.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb | source: loaddll32.exe, 00000000.00000002.585832407.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.531209003.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.572048905.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.573441286.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.590367644.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000016.00000002.596415964.000000006E22A000.00000002.00020000.sdmp, WoyEsA8v7H.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: WoyEsA8v7H.dll, type: SAMPLE
Source: Yara match | File source: 00000016.00000002.570061995.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.523416376.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.590312640.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.552879000.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.545510346.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.574510952.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: WoyEsA8v7H.dll, type: SAMPLE
Source: Yara match | File source: 00000016.00000002.570061995.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.523416376.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.590312640.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.552879000.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.545510346.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.574510952.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1E3E00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2167D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1E1C3C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2084BB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2202BC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E210396
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1FE079
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F5150
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E1E3E00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E1E1C3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2167D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2084BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2202BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E210396
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E1FE079
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E1F5150
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E1E3E00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E1E1C3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E2167D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E2084BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E2202BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E210396
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E1FE079
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E1F5150
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E1E0990 appears 32 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E1E00AC appears 100 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E1E0990 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E1E00E0 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E1E00AC appears 200 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E2023A9 appears 36 times
Source: WoyEsA8v7H.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal64.troj.winDLL@54/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1492:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1000:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4576:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_01
Source: WoyEsA8v7H.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Connectdark
Source: WoyEsA8v7H.dll | Virustotal: Detection: 57%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\WoyEsA8v7H.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\WoyEsA8v7H.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\WoyEsA8v7H.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Problemscale
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,WingGrass
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\WoyEsA8v7H.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Connectdark
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Mindlake
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Porthigh
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,Problemscale
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\WoyEsA8v7H.dll,WingGrass
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\WoyEsA8v7H.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: WoyEsA8v7H.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WoyEsA8v7H.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WoyEsA8v7H.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WoyEsA8v7H.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WoyEsA8v7H.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WoyEsA8v7H.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: WoyEsA8v7H.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: WoyEsA8v7H.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb | source: loaddll32.exe, 00000000.00000002.585832407.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.531209003.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.572048905.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.573441286.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.590367644.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000016.00000002.596415964.000000006E22A000.00000002.00020000.sdmp, WoyEsA8v7H.dll
Source: WoyEsA8v7H.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WoyEsA8v7H.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WoyEsA8v7H.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WoyEsA8v7H.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WoyEsA8v7H.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: WoyEsA8v7H.dll | Static PE information: real checksum: 0xf3990 should be: 0xef6d5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1E0075 push ecx; ret 0_2_6E1E0088
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1E09D6 push ecx; ret 0_2_6E1E09E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E1E09D6 push ecx; ret 2_2_6E1E09E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E1E0075 push ecx; ret 2_2_6E1E0088
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E1E09D6 push ecx; ret 22_2_6E1E09E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 22_2_6E1E0075 push ecx; ret 22_2_6E1E0088

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: WoyEsA8v7H.dll, type: SAMPLE
Source: Yara match | File source: 00000016.00000002.570061995.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.523416376.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.590312640.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.552879000.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.545510346.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.574510952.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E201F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E201F6D
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E20966F mov eax, dword ptr fs:[00000030h]0_2_6E20966F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E20966F mov eax, dword ptr fs:[00000030h]2_2_6E20966F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 22_2_6E20966F mov eax, dword ptr fs:[00000030h]22_2_6E20966F
                        Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E201F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E201F6D
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1E07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E1E07A7
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1E0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6E1E0288
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E201F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6E201F6D
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E1E07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6E1E07A7
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6E1E0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6E1E0288
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 22_2_6E201F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_6E201F6D
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 22_2_6E1E07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_6E1E07A7
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 22_2_6E1E0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_6E1E0288
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd IslandJump to behavior
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter mJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\WoyEsA8v7H.dll',#1Jump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd IslandJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter mJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd IslandJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter mJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd IslandJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter mJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd IslandJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter mJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd IslandJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter mJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd IslandJump to behavior
                        Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter mJump to behavior
                        Source: loaddll32.exe, 00000000.00000002.556995982.00000000013C0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.523374046.0000000003B80000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.599260061.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.535562022.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.529667252.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.590270593.00000000038C0000.00000002.00000001.sdmp, rundll32.exe, 00000016.00000002.554215165.0000000003420000.00000002.00000001.sdmpBinary or memory string: Program Manager
                        Source: loaddll32.exe, 00000000.00000002.556995982.00000000013C0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.523374046.0000000003B80000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.599260061.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.535562022.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.529667252.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.590270593.00000000038C0000.00000002.00000001.sdmp, rundll32.exe, 00000016.00000002.554215165.0000000003420000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                        Source: loaddll32.exe, 00000000.00000002.556995982.00000000013C0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.523374046.0000000003B80000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.599260061.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.535562022.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.529667252.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.590270593.00000000038C0000.00000002.00000001.sdmp, rundll32.exe, 00000016.00000002.554215165.0000000003420000.00000002.00000001.sdmpBinary or memory string: Progman
                        Source: loaddll32.exe, 00000000.00000002.556995982.00000000013C0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.523374046.0000000003B80000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.599260061.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.535562022.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.529667252.0000000003290000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.590270593.00000000038C0000.00000002.00000001.sdmp, rundll32.exe, 00000016.00000002.554215165.0000000003420000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1E0604 cpuid 0_2_6E1E0604
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E21E61F
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_6E21E6EC
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E21DF65
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6E21E518
                        Source: C:\Windows\System32\loaddll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_6E21DD96
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E214323
                        Source: C:\Windows\System32\loaddll32.exeCode function: ___crtGetLocaleInfoEx,0_2_6E1DF364
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E21E3EF
                        Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E21E00E
                        Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E21E077
                        Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E21E112
                        Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E213952
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E1DF1B7
                        Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_6E21E19F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,2_2_6E21DF65
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_6E21DD96
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,2_2_6E213952
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,2_2_6E21E61F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_6E21E6EC
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_6E21E518
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,2_2_6E214323
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoEx,2_2_6E1DF364
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,2_2_6E21E3EF
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,2_2_6E21E00E
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,2_2_6E21E077
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,2_2_6E21E112
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,2_2_6E1DF1B7
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_6E21E19F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,22_2_6E21DF65
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,22_2_6E21DD96
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,22_2_6E213952
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,22_2_6E21E61F
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,22_2_6E21E6EC
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,22_2_6E21E518
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,22_2_6E214323
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoEx,22_2_6E1DF364
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,22_2_6E21E3EF
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,22_2_6E21E00E
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,22_2_6E21E077
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,22_2_6E21E112
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,22_2_6E1DF1B7
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,22_2_6E21E19F
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1C9A14 GetSystemTimeAsFileTime,0_2_6E1C9A14
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E21877C _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_6E21877C

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: WoyEsA8v7H.dll, type: SAMPLE
Source: Yara match | File source: 00000016.00000002.570061995.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.523416376.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.590312640.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.552879000.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.545510346.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.574510952.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: WoyEsA8v7H.dll, type: SAMPLE
Source: Yara match | File source: 00000016.00000002.570061995.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.523416376.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.590312640.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.552879000.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.545510346.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.574510952.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1A16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ | 0_2_6E1A16BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E1A16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ | 2_2_6E1A16BC

Mitre Att&ck Matrix

The matrix lists, per tactic, the techniques shown for this sample (a trailing number is the signature count the report attaches to that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection 12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Rundll32 1; Process Injection 12; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery 2; Security Software Discovery 1; Process Discovery 1; System Information Discovery 22
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Behavior Graph

Behavior Graph ID: 432585. Sample: WoyEsA8v7H.dll. Start date: 10/06/2021. Architecture: WINDOWS. Score: 64.
Top-level signatures shown in the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Ursnif.
Graph nodes: loaddll32.exe (9, started from 2); cmd.exe (11), rundll32.exe (13), rundll32.exe (15) and 5 other processes (17), all started by 9; rundll32.exe (19) started by 11; cmd.exe (21, 23) started by 13; cmd.exe (25, 27) started by 15; cmd.exe (29) started by 17.