
Windows Analysis Report Processwindo.DLL

Overview

General Information

Sample Name: Processwindo.DLL
Analysis ID: 445292
MD5: 5522c21a05daf91658951bdf1c0e5271
SHA1: fed4a9b4069cd2676928441ecf8c844cc7f4a9ee
SHA256: eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
Tags: dll, Gozi

Most interesting Screenshot:

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5572 cmdline: loaddll32.exe 'C:\Users\user\Desktop\Processwindo.DLL' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5884 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5996 cmdline: rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5984 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5560 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5540 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4308 cmdline: rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cmd.exe (PID: 1388 cmdline: 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • timeout.exe (PID: 5136 cmdline: timeout /t 5 MD5: EB9A65078396FB5D4E3813BB9198CB18)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(37 entries in total; first 5 shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Processwindo.DLL  Virustotal: Detection: 29%
Source: Processwindo.DLL  ReversingLabs: Detection: 21%
Source: 0.3.loaddll32.exe.baa1db.0.unpack  Avira: Label: TR/Patched.Ren.Gen
Source: 6.3.rundll32.exe.315a1db.0.unpack  Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.rundll32.exe.446a1db.0.unpack  Avira: Label: TR/Patched.Ren.Gen
Source: 3.3.rundll32.exe.27da1db.0.unpack  Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.rundll32.exe.284a1db.0.unpack  Avira: Label: TR/Patched.Ren.Gen
Source: 5.3.rundll32.exe.29ca1db.0.unpack  Avira: Label: TR/Patched.Ren.Gen
Source: Processwindo.DLL  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: c:\Post\806_Blood\Question\animal\four.pdb source: rundll32.exe, 00000002.00000002.546908161.000000006DDB8000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.545590218.000000006DDB8000.00000002.00020000.sdmp, Processwindo.DLL
Source: rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp  String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: rundll32.exe  String found in binary or memory: https://bussipod.xyz
Source: rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp  String found in binary or memory: https://bussipod.xyz8

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match  File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match  File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD72411 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD721F0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD9BCA0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDAC5F4
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDB48D1
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDA9813
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD997C0
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDB67FE
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDA4B80
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDB5359
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDB4E15
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: String function: 6DDA8D18 appears 47 times
Source: Processwindo.DLL  Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine  Classification label: mal56.troj.winDLL@17/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_01
Source: Processwindo.DLL  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Source: Processwindo.DLL  Virustotal: Detection: 29%
Source: Processwindo.DLL  ReversingLabs: Detection: 21%
Source: unknown  Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\Processwindo.DLL'
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would
Source: unknown  Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL'
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion
Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\rundll32.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe  Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe  Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe  Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe  Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe  Automated click: OK
Source: Processwindo.DLL  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Processwindo.DLL  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Processwindo.DLL  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Processwindo.DLL  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Processwindo.DLL  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Processwindo.DLL  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Processwindo.DLL  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Post\806_Blood\Question\animal\four.pdb source: rundll32.exe, 00000002.00000002.546908161.000000006DDB8000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.545590218.000000006DDB8000.00000002.00020000.sdmp, Processwindo.DLL
Source: Processwindo.DLL  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Processwindo.DLL  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Processwindo.DLL  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Processwindo.DLL  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Processwindo.DLL  Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD7132A GetModuleHandleW,LoadLibraryW,GetProcAddress,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD721DF push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDA8D5D push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD80D55 push edi; iretd
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD80CDF push 00000065h; retf
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDA54F2 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD80881 push ebx; ret
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDD0560 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDD04E1 push eax; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match  File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match  File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDA4CBF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DD7132A GetModuleHandleW,LoadLibraryW,GetProcAddress,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDD1390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDD0EC6 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDD12BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDB1CF3 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDA5170 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDA110C _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDA4CBF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 6_2_6DDA4724 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp  Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6DDAFB69 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
            Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | Path Interception | Process Injection 12 | Rundll32 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing 1 | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | System Information Discovery 13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

            Behavior Graph

            Behavior Graph ID: 445292 | Sample: Processwindo.DLL | Startdate: 07/07/2021 | Architecture: WINDOWS | Score: 56
            Signatures shown in the graph: Multi AV Scanner detection for submitted file; Yara detected Ursnif
            Process tree shown in the graph: loaddll32.exe started cmd.exe, rundll32.exe, rundll32.exe and 2 other processes; that cmd.exe started rundll32.exe; a second cmd.exe started conhost.exe and timeout.exe

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            Processwindo.DLL | 29% | Virustotal |
            Processwindo.DLL | 22% | ReversingLabs | Win32.Trojan.Ursnif

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            2.2.rundll32.exe.6dd70000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            0.3.loaddll32.exe.baa1db.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
            6.3.rundll32.exe.315a1db.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
            2.3.rundll32.exe.446a1db.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
            3.3.rundll32.exe.27da1db.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
            4.3.rundll32.exe.284a1db.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
            5.3.rundll32.exe.29ca1db.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
            6.2.rundll32.exe.6dd70000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            https://bussipod.xyz | 0% | Avira URL Cloud | safe
            https://bussipod.xyz8 | 0% | Avira URL Cloud | safe
            http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://bussipod.xyz | rundll32.exe | false | Avira URL Cloud: safe | unknown
            https://bussipod.xyz8 | rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
            http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; | rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:32.0.0 Black Diamond
            Analysis ID:445292
            Start date:07.07.2021
            Start time:14:59:18
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 36s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:Processwindo.DLL
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:14
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal56.troj.winDLL@17/0@0/0
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 6.7% (good quality ratio 6.7%)
            • Quality average: 87.7%
            • Quality standard deviation: 20.5%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .DLL
            Warnings:
            • Exclude process from analysis (whitelisted): audiodg.exe, backgroundTaskHost.exe, svchost.exe
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            No created / dropped files found

            Static File Info

            General

            File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.667040453584233
            TrID:
            • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
            • Generic Win/DOS Executable (2004/3) 0.20%
            • DOS Executable Generic (2002/1) 0.20%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:Processwindo.DLL
            File size:404992
            MD5:5522c21a05daf91658951bdf1c0e5271
            SHA1:fed4a9b4069cd2676928441ecf8c844cc7f4a9ee
            SHA256:eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
            SHA512:d97a8021b9688c612e280ffcb5443916b9d09857daf82a62bd5efac35efeff138125466a74579568dd655cd66cd5085e10cedb4caf7981f4ee9f240839b33d55
            SSDEEP:6144:h8vockvtMD67Dvy8CyOuq107KjWMTxdtcrsianUAqPt/MmG3G/GERIgg:SwhtCy50mpMTxdtV8AqPtM3gN
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......f..."..."...".....:.#...<.9.7...<./.....+.?.+..."...V...<.(.....<.>.#...<.8.#...<.=.#...Rich"...........PE..L....6JJ...........

            File Icon

            Icon Hash:74f0e4ecccdce0e4

            Static PE Info

            General

            Entrypoint:0x103514d
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x1000000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            DLL Characteristics:DYNAMIC_BASE
            Time Stamp:0x4A4A368F [Tue Jun 30 16:00:15 2009 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:0
            File Version Major:5
            File Version Minor:0
            Subsystem Version Major:5
            Subsystem Version Minor:0
            Import Hash:789fcca066875e59aafcb5a18bb50d1b

            Entrypoint Preview

            Instruction
            mov edi, edi
            push ebp
            mov ebp, esp
            cmp dword ptr [ebp+0Ch], 01h
            jne 00007F0C40C01427h
            call 00007F0C40C0BE31h
            push dword ptr [ebp+08h]
            mov ecx, dword ptr [ebp+10h]
            mov edx, dword ptr [ebp+0Ch]
            call 00007F0C40C01311h
            pop ecx
            pop ebp
            retn 000Ch
            mov edi, edi
            push ebp
            mov ebp, esp
            sub esp, 00000328h
            mov eax, dword ptr [0105F454h]
            xor eax, ebp
            mov dword ptr [ebp-04h], eax
            test byte ptr [0105F4D0h], 00000001h
            push esi
            je 00007F0C40C0142Ah
            push 0000000Ah
            call 00007F0C40C0641Fh
            pop ecx
            call 00007F0C40C0BEDDh
            test eax, eax
            je 00007F0C40C0142Ah
            push 00000016h
            call 00007F0C40C0BEDFh
            pop ecx
            test byte ptr [0105F4D0h], 00000002h
            je 00007F0C40C014F0h
            mov dword ptr [ebp-00000220h], eax
            mov dword ptr [ebp-00000224h], ecx
            mov dword ptr [ebp-00000228h], edx
            mov dword ptr [ebp-0000022Ch], ebx
            mov dword ptr [ebp-00000230h], esi
            mov dword ptr [ebp-00000234h], edi
            mov word ptr [ebp-00000208h], ss
            mov word ptr [ebp-00000214h], cs
            mov word ptr [ebp-00000238h], ds
            mov word ptr [ebp-0000023Ch], es
            mov word ptr [ebp-00000240h], fs
            mov word ptr [ebp-00000244h], gs
            pushfd
            pop dword ptr [ebp-00000210h]
            mov esi, dword ptr [ebp+04h]
            lea eax, dword ptr [ebp+04h]
            mov dword ptr [ebp+00FFFDF4h], eax

            Rich Headers

            Programming Language:
            • [ C ] VS2008 build 21022
            • [ASM] VS2008 build 21022
            • [LNK] VS2008 build 21022
            • [RES] VS2008 build 21022
            • [EXP] VS2008 build 21022
            • [IMP] VS2008 SP1 build 30729
            • [C++] VS2008 build 21022

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x5e610 | 0x81 | .rdata
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5dc34 | 0x64 | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfc000 | 0xf20 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfd000 | 0x227c | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x48220 | 0x1c | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5c3b8 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x1b0 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x462fd | 0x46400 | False | 0.664559469528 | data | 6.60751707607 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rdata | 0x48000 | 0x16691 | 0x16800 | False | 0.645388454861 | data | 6.06930496404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0x5f000 | 0x9c208 | 0x1800 | False | 0.340494791667 | data | 3.97938828996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .rsrc | 0xfc000 | 0xf20 | 0x1000 | False | 0.352783203125 | data | 3.32902550096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xfd000 | 0x3508 | 0x3600 | False | 0.521050347222 | data | 5.1466661049 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_DIALOG | 0xfc280 | 0xe4 | data | English | United States
            RT_DIALOG | 0xfc368 | 0xf0 | data | English | United States
            RT_DIALOG | 0xfc458 | 0xc4 | dBase III DBT, next free block index 4294901761 | English | United States
            RT_DIALOG | 0xfc520 | 0x142 | data | English | United States
            RT_DIALOG | 0xfc668 | 0x11e | data | English | United States
            RT_DIALOG | 0xfc788 | 0x148 | data | English | United States
            RT_DIALOG | 0xfc8d0 | 0x13c | data | English | United States
            RT_DIALOG | 0xfca10 | 0xf0 | data | English | United States
            RT_DIALOG | 0xfcb00 | 0xcc | data | English | United States
            RT_DIALOG | 0xfcbd0 | 0x10a | data | English | United States
            RT_DIALOG | 0xfcce0 | 0xbe | data | English | United States
            RT_MANIFEST | 0xfcda0 | 0x17d | XML 1.0 document text | English | United States

            Imports

            DLL | Import
            KERNEL32.dll | GetProcAddress, LoadLibraryA, GetEnvironmentVariableA, VirtualProtectEx, GetModuleFileNameA, GetWindowsDirectoryA, SetConsoleCP, SetConsoleOutputCP, GetModuleHandleA, Sleep, GetLocaleInfoW, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, InitializeCriticalSectionAndSpinCount, GetProcessHeap, SetEndOfFile, GlobalLock, QueryPerformanceFrequency, GlobalAlloc, SetUnhandledExceptionFilter, CreatePipe, GlobalFree, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, InterlockedExchange, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, MultiByteToWideChar, GetLastError, CloseHandle, HeapAlloc, RtlUnwind, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, IsDebuggerPresent, GetCurrentThreadId, GetCommandLineA, HeapFree, GetCPInfo, LCMapStringA, LCMapStringW, GetFileType, CreateFileA, SetStdHandle, SetHandleCount, GetStdHandle, GetStartupInfoA, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, HeapDestroy, GetModuleHandleW, ExitProcess, WriteFile, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetACP, GetOEMCP, IsValidCodePage, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeA, GetStringTypeW, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, GetConsoleCP, GetConsoleMode, FlushFileBuffers, ReadFile, SetFilePointer
            USER32.dll | SetForegroundWindow, CheckRadioButton, SetClipboardData, DestroyWindow, SendMessageA, GetClipboardData, SendDlgItemMessageA
            ole32.dll | OleInitialize, OleUninitialize
            IMM32.dll | ImmNotifyIME, ImmSetCompositionFontA, ImmGetContext, ImmGetCompositionStringA, ImmSetCompositionWindow, ImmReleaseContext

            Exports

            Name | Ordinal | Address
            Formweather | 1 | 0x102c6b0
            Piecehear | 2 | 0x102c420
            Stickregion | 3 | 0x102b3f0
            Would | 4 | 0x102c510

            Possible Origin

            Language of compilation system | Country where language is spoken | Map
            English | United States

            Network Behavior

            No network behavior found

            Code Manipulations

            Statistics

            Behavior


            System Behavior

            General

            Start time:15:00:09
            Start date:07/07/2021
            Path:C:\Windows\System32\loaddll32.exe
            Wow64 process (32bit):true
            Commandline:loaddll32.exe 'C:\Users\user\Desktop\Processwindo.DLL'
            Imagebase:0xaa0000
            File size:116736 bytes
            MD5 hash:542795ADF7CC08EFCF675D65310596E8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:15:00:09
            Start date:07/07/2021
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
            Imagebase:0x150000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:15:00:09
            Start date:07/07/2021
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
            Imagebase:0x170000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:15:00:09
            Start date:07/07/2021
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
            Imagebase:0x170000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:15:00:14
            Start date:07/07/2021
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear
            Imagebase:0x170000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:15:00:20
            Start date:07/07/2021
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion
            Imagebase:0x170000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:15:00:25
            Start date:07/07/2021
            Path:C:\Windows\SysWOW64\rundll32.exe
            Wow64 process (32bit):true
            Commandline:rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would
            Imagebase:0x170000
            File size:61952 bytes
            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, Author: Joe Security
            Reputation:high

            General

            Start time:15:02:09
            Start date:07/07/2021
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL'
            Imagebase:0x7ff7eef80000
            File size:273920 bytes
            MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:15:02:10
            Start date:07/07/2021
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            General

            Start time:15:02:17
            Start date:07/07/2021
            Path:C:\Windows\System32\timeout.exe
            Wow64 process (32bit):
            Commandline:timeout /t 5
            Imagebase:
            File size:30720 bytes
            MD5 hash:EB9A65078396FB5D4E3813BB9198CB18
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Disassembly

            Code Analysis
