
Windows Analysis Report ELQSEuKior

Overview

General Information

Sample Name: ELQSEuKior (renamed file extension from none to dll)
Analysis ID: 449061
MD5: 2f1e2c8b741594e48eea9cf01e24cdba
SHA1: d6a59cfcfd712ad2b7124a9f812d5c6ed328ab84
SHA256: ff12254275bb4cae4f1225535408dd466bf0a4d41727abca9576dbb427f44014

Most interesting Screenshot: (screenshot image not included in this capture)

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Parent Process Executions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 1084 cmdline: loaddll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6108 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6032 cmdline: rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • cmd.exe (PID: 3236 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • conhost.exe (PID: 1276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 852 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 4604 cmdline: rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Connectdark MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6000 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5072 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5848 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6132 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • rundll32.exe (PID: 4120 cmdline: rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Mindlake MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 772 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5288 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • conhost.exe (PID: 2100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5932 cmdline: rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Porthigh MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 4608 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5868 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5672 cmdline: rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Problemscale MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4848 cmdline: rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,WingGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 4196 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • cmd.exe (PID: 4020 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4960 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 852 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
ELQSEuKior.dll | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.486237999.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000015.00000002.507296216.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000002.00000002.491922041.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000019.00000002.485057539.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000003.00000002.483288618.000000006E1E1000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
(2 further entries collapsed in this capture)

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.rundll32.exe.6e1e0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.6e1e0000.0.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
25.2.rundll32.exe.6e1e0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
21.2.rundll32.exe.6e1e0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.6e1e0000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
(2 further entries collapsed in this capture)

Sigma Overview

System Summary:

Sigma detected: Conhost Parent Process Executions
Source: Process started | Author: omkar72 | Data:
  Command: C:\Windows\system32\cmd.exe /c cd Island
  CommandLine: C:\Windows\system32\cmd.exe /c cd Island
  CommandLine|base64offset|contains:
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  ParentImage: C:\Windows\System32\conhost.exe
  ParentProcessId: 5672
  ProcessCommandLine: C:\Windows\system32\cmd.exe /c cd Island
  ProcessId: 5848

Jbx Signature Overview

                        AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ELQSEuKior.dll | Avira: detected
Multi AV Scanner detection for submitted file
Source: ELQSEuKior.dll | Virustotal: Detection: 67%
Source: ELQSEuKior.dll | Metadefender: Detection: 57%
Source: ELQSEuKior.dll | ReversingLabs: Detection: 89%
Source: ELQSEuKior.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: ELQSEuKior.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb | source: loaddll32.exe, 00000000.00000002.490375280.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.507696729.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.483332321.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.486289723.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.503913812.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.512153585.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.503906509.000000006E26A000.00000002.00020000.sdmp, ELQSEuKior.dll

                        Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: ELQSEuKior.dll, type: SAMPLE
Source: Yara match | File source: 15.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.486237999.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.507296216.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.491922041.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.485057539.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.483288618.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.503861971.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.490312079.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.490259189.00000000010BB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                        E-Banking Fraud:

Yara detected Ursnif (same Yara match sources as listed above)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E223E00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E221C3C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2567D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2484BB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2602BC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E250396
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E23E079
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E235150
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2261B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E223E00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E221C3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2567D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2484BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2602BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E250396
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E23E079
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E235150
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E223E00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E221C3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E2567D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E2484BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E2602BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E250396
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E23E079
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E235150
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E220990 appears 35 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E2200AC appears 101 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E220990 appears 68 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E2423A9 appears 36 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E2200AC appears 200 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E2200E0 appears 58 times
Source: classification engine | Classification label: mal64.troj.winDLL@53/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1124:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2100:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_01
Source: ELQSEuKior.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Connectdark
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Problemscale
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,WingGrass
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Connectdark
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Mindlake
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,Porthigh
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ELQSEuKior.dll,WingGrass
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: ELQSEuKior.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ELQSEuKior.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ELQSEuKior.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ELQSEuKior.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ELQSEuKior.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ELQSEuKior.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ELQSEuKior.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ELQSEuKior.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ELQSEuKior.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ELQSEuKior.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ELQSEuKior.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: ELQSEuKior.dll | Static PE information: real checksum: 0xf3990 should be: 0xeef60
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2209D6 push ecx; ret 0_2_6E2209E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E220075 push ecx; ret 0_2_6E220088
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2209D6 push ecx; ret 2_2_6E2209E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E220075 push ecx; ret 2_2_6E220088
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E2209D6 push ecx; ret 3_2_6E2209E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E220075 push ecx; ret 3_2_6E220088

                        Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif (same Yara match sources as listed above)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe API coverage: 5.0 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.9 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 5.2 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E241F6D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E24966F mov eax, dword ptr fs:[00000030h]0_2_6E24966F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E24966F mov eax, dword ptr fs:[00000030h]2_2_6E24966F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E24966F mov eax, dword ptr fs:[00000030h]3_2_6E24966F
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E241F6D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E2207A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6E220288
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6E241F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6E2207A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6E220288
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E241F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E2207A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6E220288
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ELQSEuKior.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: loaddll32.exe, 00000000.00000002.490278339.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.490903193.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.483251491.00000000039E0000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.474301611.0000000003510000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503824249.0000000003480000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.499291261.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.469760554.0000000002FD0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.490278339.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.490903193.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.483251491.00000000039E0000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.474301611.0000000003510000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503824249.0000000003480000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.499291261.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.469760554.0000000002FD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.490278339.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.490903193.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.483251491.00000000039E0000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.474301611.0000000003510000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503824249.0000000003480000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.499291261.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.469760554.0000000002FD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.490278339.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.490903193.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.483251491.00000000039E0000.00000002.00000001.sdmp, rundll32.exe, 0000000C.00000002.474301611.0000000003510000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503824249.0000000003480000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.499291261.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000019.00000002.469760554.0000000002FD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220604 cpuid 0_2_6E220604
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6E25DF65
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_6E25DD96
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6E253952
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6E25E61F
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_6E25E6EC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6E25E518
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6E254323
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoEx,0_2_6E21F364
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6E25E3EF
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6E25E00E
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6E25E077
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6E25E112
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6E21F1B7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_6E25E19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,2_2_6E25DF65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_6E25DD96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,2_2_6E253952
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,2_2_6E25E61F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_6E25E6EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_6E25E518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,2_2_6E254323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx,2_2_6E21F364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,2_2_6E25E3EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,2_2_6E25E00E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,2_2_6E25E077
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,2_2_6E25E112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,2_2_6E21F1B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_6E25E19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,3_2_6E25DF65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_6E25DD96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,3_2_6E253952
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,3_2_6E25E61F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_6E25E6EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6E25E518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,3_2_6E254323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx,3_2_6E21F364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,3_2_6E25E3EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,3_2_6E25E00E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,3_2_6E25E077
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,3_2_6E25E112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,3_2_6E21F1B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_6E25E19F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E209A14 GetSystemTimeAsFileTime,0_2_6E209A14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E258951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_6E258951

                        Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: ELQSEuKior.dll, type: SAMPLE
Source: Yara match File source: 15.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.486237999.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.507296216.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.491922041.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.485057539.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.483288618.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.503861971.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.490312079.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY

                        Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: ELQSEuKior.dll, type: SAMPLE
Source: Yara match File source: 15.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.486237999.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.507296216.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.491922041.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.485057539.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.483288618.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.503861971.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.490312079.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_6E1E16BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,2_2_6E1E16BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,3_2_6E1E16BC

Mitre Att&ck Matrix

(Numbers in parentheses are the count of signatures the sandbox mapped to that technique; an empty cell means no technique was mapped in that column.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (12) | Rundll32 (1) | Input Capture (1) | System Time Discovery (2) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (12) | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | System Information Discovery (22) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud

                        Behavior Graph


                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
[Behavior graph image: Behavior Graph ID: 449061, Sample: ELQSEuKior, Start date: 15/07/2021, Architecture: WINDOWS, Score: 64. Signatures shown on the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Ursnif. Process chain shown: loaddll32.exe starts cmd.exe, two rundll32.exe instances and 5 other processes; the cmd.exe starts rundll32.exe, and each rundll32.exe starts further cmd.exe instances.]