Windows Analysis Report Processwindo.DLL

Overview

General Information

Sample Name: Processwindo.DLL
Analysis ID: 445292
MD5: 5522c21a05daf91658951bdf1c0e5271
SHA1: fed4a9b4069cd2676928441ecf8c844cc7f4a9ee
SHA256: eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
Tags: dll, Gozi

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5572 cmdline: loaddll32.exe 'C:\Users\user\Desktop\Processwindo.DLL' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5884 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5996 cmdline: rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5984 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5560 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5540 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4308 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cmd.exe (PID: 1388 cmdline: 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • timeout.exe (PID: 5136 cmdline: timeout /t 5 MD5: EB9A65078396FB5D4E3813BB9198CB18)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(37 entries in total; the first 5 are shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Processwindo.DLL | Virustotal: Detection: 29%
Source: Processwindo.DLL | ReversingLabs: Detection: 21%
Source: 0.3.loaddll32.exe.baa1db.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.3.rundll32.exe.315a1db.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.rundll32.exe.446a1db.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.3.rundll32.exe.27da1db.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.rundll32.exe.284a1db.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.3.rundll32.exe.29ca1db.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: Processwindo.DLL | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: c:\Post\806_Blood\Question\animal\four.pdb source: rundll32.exe, 00000002.00000002.546908161.000000006DDB8000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.545590218.000000006DDB8000.00000002.00020000.sdmp, Processwindo.DLL
Source: rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: rundll32.exe | String found in binary or memory: https://bussipod.xyz
Source: rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp | String found in binary or memory: https://bussipod.xyz8

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

E-Banking Fraud:

Yara detected Ursnif
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DD72411 NtQueryVirtualMemory, 6_2_6DD72411
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DD721F0 6_2_6DD721F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DD9BCA0 6_2_6DD9BCA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDAC5F4 6_2_6DDAC5F4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDB48D1 6_2_6DDB48D1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDA9813 6_2_6DDA9813
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DD997C0 6_2_6DD997C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDB67FE 6_2_6DDB67FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDA4B80 6_2_6DDA4B80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDB5359 6_2_6DDB5359
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDB4E15 6_2_6DDB4E15
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6DDA8D18 appears 47 times
Source: Processwindo.DLL | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal56.troj.winDLL@17/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_01
Source: Processwindo.DLL | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Source: Processwindo.DLL | Virustotal: Detection: 29%
Source: Processwindo.DLL | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\Processwindo.DLL'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Processwindo.DLL | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Processwindo.DLL | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Processwindo.DLL | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Processwindo.DLL | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Processwindo.DLL | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Processwindo.DLL | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Processwindo.DLL | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Post\806_Blood\Question\animal\four.pdb source: rundll32.exe, 00000002.00000002.546908161.000000006DDB8000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.545590218.000000006DDB8000.00000002.00020000.sdmp, Processwindo.DLL
Source: Processwindo.DLL | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Processwindo.DLL | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Processwindo.DLL | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Processwindo.DLL | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Processwindo.DLL | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DD7132A GetModuleHandleW, LoadLibraryW, GetProcAddress, 6_2_6DD7132A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DD721DF push ecx; ret 6_2_6DD721EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDA8D5D push ecx; ret 6_2_6DDA8D70
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DD80D55 push edi; iretd 6_2_6DD80D56
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DD80CDF push 00000065h; retf 6_2_6DD80CE1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDA54F2 push ecx; ret 6_2_6DDA5505
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DD80881 push ebx; ret 6_2_6DD80882
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDD0560 push eax; ret 6_2_6DDD0511
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6DDD04E1 push eax; ret 6_2_6DDD0511

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6DDA4CBF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6DDA4CBF
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6DD7132A GetModuleHandleW,LoadLibraryW,GetProcAddress,6_2_6DD7132A
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6DDD1390 mov eax, dword ptr fs:[00000030h]6_2_6DDD1390
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6DDD0EC6 push dword ptr fs:[00000030h]6_2_6DDD0EC6
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6DDD12BF mov eax, dword ptr fs:[00000030h]6_2_6DDD12BF
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6DDB1CF3 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,6_2_6DDB1CF3
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA5170 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6DDA5170
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA110C _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6DDA110C
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA4CBF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6DDA4CBF
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA4724 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6DDA4724
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5
            Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
            Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
            Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 6_2_6DDB119B
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_6DDAA3AB
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 6_2_6DDA6F11
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 6_2_6DDAAA19
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 6_2_6DDAC059
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s, 6_2_6DDAC403
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_6DDB482E
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_6DDABFC1
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_6DDAC3C7
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_6DDAC360
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 6_2_6DDB1329
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA, 6_2_6DDB46EF
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_6DDAC29F
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 6_2_6DDB46BB
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 6_2_6DDABEAA
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDAFB69 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_6DDAFB69
            Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match. The matched memory dumps and process memory spaces (type: MEMORY) are the same as those listed under Stealing of Sensitive Information above.

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API1 | Path Interception | Process Injection12 | Rundll321 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing1 | LSASS Memory | Security Software Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | System Information Discovery13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings

            Behavior Graph

            [Behavior graph (ID 445292) for sample Processwindo.DLL, start date 07/07/2021, architecture WINDOWS, score 56. Signatures shown: Multi AV Scanner detection for submitted file; Yara detected Ursnif. Process tree shown: the sample starts loaddll32.exe and cmd.exe; loaddll32.exe starts cmd.exe, two rundll32.exe instances and 2 other processes; that cmd.exe starts rundll32.exe; the top-level cmd.exe starts conhost.exe and timeout.exe.]

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.