Windows Analysis Report 945.dll

Overview

General Information

Sample Name: 945.dll
Analysis ID: 448650
MD5: 9453981ab8e71981bea907b3f2d11395
SHA1: ca0f69ef71bf287bdd19a8a9811c1f0dd2ff50e6
SHA256: fa97cd35d76337ff4a523ebdd7f879359a70432a14b7377f06df29c4679b3f70
Tags: dllgozi
Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000002.00000003.298516419.00000000007A0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 945.dll Metadefender: Detection: 22%
Source: 945.dll ReversingLabs: Detection: 58%

Compliance:

Uses 32bit PE files
Source: 945.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 945.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.493176321.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.495266949.000000006E234000.00000002.00020000.sdmp, 945.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49731 -> 40.97.116.82:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49749 -> 37.120.222.6:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49749 -> 37.120.222.6:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 37.120.222.6:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.128.194 40.97.128.194
Source: Joe Sandbox View IP Address: 52.97.232.194 52.97.232.194
Source: global traffic HTTP traffic detected: GET /grower/YjL_2BjDOrQaqruzKZl/J5qQT1PxhAWv_2ByqUpS3r/fw5c6vWOUvogF/fDf6v7zv/NA3IFZsX5L82cDak57at8n5/D4Cfgi7tVz/ry3I5zo4IJ_2BIobC/5nWwD7akwp5A/XzqLAJr21mH/cjfkiJFlq9y77G/1bzeLjs6zco1VtNrrz8EL/tJlbiHzqPNR1Mami/EAf48einPLf/Q.grow HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: outlook.com
Source: ~DF64A2AAB8E5E3DF4B.TMP.19.dr, {7370D523-E4F5-11EB-90E4-ECF4BB862DED}.dat.19.dr String found in binary or memory: https://outlook.office365.com/grower/XdjQoGbnNj_2FSimi4F/g1n0hL2Ovi8UAiji8IT8vO/AZ50N9cBD7ouh/W9Stcu
Source: rundll32.exe, 00000003.00000003.390626600.0000000002D64000.00000004.00000001.sdmp, ~DFEA5774EEA628D538.TMP.19.dr, {7370D521-E4F5-11EB-90E4-ECF4BB862DED}.dat.19.dr String found in binary or memory: https://outlook.office365.com/grower/YjL_2BjDOrQaqruzKZl/J5qQT1PxhAWv_2ByqUpS3r/fw5c6vWOUvogF/fDf6v7
Source: rundll32.exe, 00000003.00000002.490596255.0000000002CFA000.00000004.00000020.sdmp String found in binary or memory: https://www.redtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.392687998.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391393759.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391313671.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487967194.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391228461.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391141192.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391066845.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392901039.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392858796.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392613103.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392808909.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392529075.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391440627.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392768559.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.390980633.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392386685.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.390863638.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5904, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5516, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1996 GetProcAddress,NtCreateSection,memset, 0_2_6E1F1996
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1A44 NtMapViewOfSection, 0_2_6E1F1A44
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F23A5 NtQueryVirtualMemory, 0_2_6E1F23A5
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F2184 0_2_6E1F2184
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2117B0 0_2_6E2117B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E224E00 0_2_6E224E00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22BE61 0_2_6E22BE61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220DB8 0_2_6E220DB8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2205E5 0_2_6E2205E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2288B7 0_2_6E2288B7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2309C8 0_2_6E2309C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2117B0 3_2_6E2117B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E224E00 3_2_6E224E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E22BE61 3_2_6E22BE61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E220DB8 3_2_6E220DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2205E5 3_2_6E2205E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2288B7 3_2_6E2288B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2309C8 3_2_6E2309C8
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E223290 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E223290 appears 39 times
Source: classification engine Classification label: mal80.troj.winDLL@18/7@34/7
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF08C928D5E36F5DDB.TMP
Source: 945.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\945.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\945.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,Clockcondition
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\945.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,Sing
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,Wholegray
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6084 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6084 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 945.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 945.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 945.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 945.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 945.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 945.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 945.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 945.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 945.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 945.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 945.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1BAC LoadLibraryA,GetProcAddress, 0_2_6E1F1BAC
PE file contains an invalid checksum
Source: 945.dll Static PE information: real checksum: 0x6292a should be: 0x68280
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F2120 push ecx; ret 0_2_6E1F2129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F2173 push ecx; ret 0_2_6E1F2183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E21DE07 push ecx; ret 0_2_6E21DE1A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2232D5 push ecx; ret 0_2_6E2232E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E20103D push cs; ret 0_2_6E20103E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E21DE07 push ecx; ret 3_2_6E21DE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E203276 push ebx; ret 3_2_6E20328A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E203244 pushad ; ret 3_2_6E203270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2232D5 push ecx; ret 3_2_6E2232E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E202AD8 push edx; retf 3_2_6E202AD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20103D push cs; ret 3_2_6E20103E

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E22AFAC
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E22AFAC
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1BAC LoadLibraryA,GetProcAddress, 0_2_6E1F1BAC
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E24E2D8 mov eax, dword ptr fs:[00000030h] 0_2_6E24E2D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E24E207 mov eax, dword ptr fs:[00000030h] 0_2_6E24E207
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E24DE0E push dword ptr fs:[00000030h] 0_2_6E24DE0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E24E2D8 mov eax, dword ptr fs:[00000030h] 3_2_6E24E2D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E24E207 mov eax, dword ptr fs:[00000030h] 3_2_6E24E207
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E24DE0E push dword ptr fs:[00000030h] 3_2_6E24DE0E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E223484 GetProcessHeap, 0_2_6E223484
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E21FEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E21FEBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E21FEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E21FEBA

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\945.dll',#1
Source: loaddll32.exe, 00000000.00000002.485745292.0000000000F70000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.491399399.0000000002FF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.485745292.0000000000F70000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.491399399.0000000002FF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.485745292.0000000000F70000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.491399399.0000000002FF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.485745292.0000000000F70000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.491399399.0000000002FF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6E22EC14
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E22EE88
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E22EEC8
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E22EF45
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E22EFC8
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_6E222C5A
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E222A26
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E22F2E7
Source: C:\Windows\System32\loaddll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 0_2_6E22CB0D
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6E22AB64
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_6E22F394
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_6E21E036
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_6E22D10F
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E2229A0
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E22F1BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 3_2_6E22EC14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 3_2_6E222C5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_6E22D10F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E22EE88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6E22EEC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6E22EF45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6E22EFC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E222A26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E22F2E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 3_2_6E22CB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_6E22AB64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 3_2_6E22F394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 3_2_6E21E036
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E2229A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6E22F1BD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E1F1ADA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E1F1F0E

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.392687998.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391393759.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391313671.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487967194.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391228461.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391141192.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391066845.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392901039.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392858796.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392613103.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392808909.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392529075.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391440627.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392768559.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.390980633.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392386685.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.390863638.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5904, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5516, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.392687998.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391393759.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391313671.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.487967194.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391228461.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391141192.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391066845.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392901039.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392858796.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392613103.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392808909.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392529075.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.391440627.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392768559.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.390980633.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.392386685.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.390863638.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5904, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5516, type: MEMORY