
Analysis Report KAsJ2r4XYY.dll

Overview

General Information

Sample Name: KAsJ2r4XYY.dll
Analysis ID: 381747
MD5: 2d242e5ea5fbb1541d1c72b6a01236f6
SHA1: 1c593344883c0db0f34a917381ea7865cbfceba2
SHA256: d7102c2bee0abe8f04f3faf34374462dbe7b528f3de6492b6e9ce230a5a8d5ef
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5904 cmdline: loaddll32.exe 'C:\Users\user\Desktop\KAsJ2r4XYY.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 3728 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\KAsJ2r4XYY.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5944 cmdline: rundll32.exe 'C:\Users\user\Desktop\KAsJ2r4XYY.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2212 cmdline: rundll32.exe C:\Users\user\Desktop\KAsJ2r4XYY.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6348 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6400 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6348 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 7164 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3420 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7164 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5200 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7164 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1268 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5068 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1268 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000003.430938761.000000000526D000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.352421951.000000000536B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.352356466.000000000536B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.352397565.000000000536B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.352410447.000000000536B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.loaddll32.exe.9a0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.rundll32.exe.36c0000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.2fe0000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.10000000.5.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.4ff94a0.4.raw.unpack | Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]
Multi AV Scanner detection for submitted file
Source: KAsJ2r4XYY.dll | Virustotal: Detection: 52%
Machine Learning detection for sample
Source: KAsJ2r4XYY.dll | Joe Sandbox ML: detected
Source: 0.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.10000000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: KAsJ2r4XYY.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009212D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B212D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: Joe Sandbox View | IP Address: 185.243.114.196
Source: Joe Sandbox View | ASN Name: ACCELERATED-ITDE
Source: global traffic | TCP traffic: 192.168.2.3:49748 -> 185.243.114.196:80
Source: unknown | DNS traffic detected: queries for: login.microsoftonline.com
Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js.20.dr | String found in binary or memory: http://feross.org
Source: {5CD1EFE9-95B2-11EB-90E4-ECF4BB862DED}.dat.25.dr, ~DFB944C173FC982650.TMP.25.dr | String found in binary or memory: http://under17.com/joomla/X_2FkL3FeOxUDMJ/FYE4xQai74UAgYvt6w/rz9YymYaY/A1831r9BfghFj3EKo2Ac/ILaAjMeO
Source: ~DF76D71240BBB52F37.TMP.19.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/ein-trick-soll-auslandschweizern-in-der-ferne-helfen-
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/digital/tilman-santarius-einmal-zoomen-statt-bahn-spart-90-pro
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/k
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/papst-franziskus-warnt-vor-r
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/bundesregierung-stuft-niederlande-als-hochinzidenzgebi
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/corona-jens-spahn-plant-freiheiten-f
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/jeder-mensch-kann-europa-ver
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/stuttgart-querdenker-demo-alle-emp
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/union-s
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/schweizer-pass-nach-der-schulzeit-junge-glp-will-einb
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/taucherin-tot-aus-dem-rhein-geborgen/ar-BB1fi1Ia?o
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/briten-wollen-impfnachweise-nach-israelischem-vorbild-einf
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/deutschlands-star-virologe-empfiehlt-ernsthaften-lockdown-so-wi
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/die-st-galler-stadtpolizei-bereitet-sich-auf-eine-weitere-krawa
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/ich-w
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/iran-keine-verhandlungen-mit-usa-bei-atomtreffen-in-wien/ar-BB1
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/r
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/t
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/unruhen-in-nordirland-demonstranten-setzen-autos-in-brand-und-g
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/news/other/weitere-proteste-in-myanmar-ostereier-mit-parolen-gegen-die-jun
Source: msnpopularnow[1].json.28.dr | String found in binary or memory: https://www.msn.com/de-ch/reisen/artikel/berghuus-radons-in-der-schweiz-ein-hoch-auf-die-schweinebac

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.469880378.0000000002FE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.468304011.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.233568120.00000000036C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.9a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.36c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2fe0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.430938761.000000000526D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352421951.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352356466.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352397565.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352410447.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352378361.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352447282.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5944, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000002.469880378.0000000002FE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.468304011.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.233568120.00000000036C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.9a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.36c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2fe0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.430938761.000000000526D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352421951.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352356466.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352397565.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352410447.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352378361.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.352447282.000000000536B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5944, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001D9F NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001EB5 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009283B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0092B341 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B283B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B2B341 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A348F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A596E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A237B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A247B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A5C76
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A1374
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A554B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A6424
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A1000
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A1918
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A3314
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A28EB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A20EE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A52EC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A5AF6
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A3BDB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A3FA8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A3A85
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A1B95
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002154
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00924094
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009297F2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0092B11C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0366348F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0366596E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03665C76
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03661374
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0366237B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0366247B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0366554B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03664859
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03666424
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03661000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03663314
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03661918
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036620EE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036652EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_036628EB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03665AF6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03663BDB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03663FA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03663A85
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03661B95
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B24094
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B297F2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B2B11C
Source: KAsJ2r4XYY.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal84.troj.winDLL@18/115@6/1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0092757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF151D54B9C8834E13.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KAsJ2r4XYY.dll,StartService
Source: KAsJ2r4XYY.dll | Virustotal: Detection: 52%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\KAsJ2r4XYY.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\KAsJ2r4XYY.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KAsJ2r4XYY.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\KAsJ2r4XYY.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6348 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7164 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7164 CREDAT:17418 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1268 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\KAsJ2r4XYY.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KAsJ2r4XYY.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\KAsJ2r4XYY.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6348 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7164 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7164 CREDAT:17418 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1268 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 LoadLibraryA,GetProcAddress
Source: KAsJ2r4XYY.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_026A34A1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx | 0_2_026A3632
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A348F push 00000000h; mov dword ptr [esp], edx | 0_2_026A37FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A348F push edx; mov dword ptr [esp], 00000002h | 0_2_026A384A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A348F push 00000000h; mov dword ptr [esp], ecx | 0_2_026A38D7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A6194 push eax; mov dword ptr [esp], 00000004h | 0_2_026A61AF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A6194 push esi; mov dword ptr [esp], 00001000h | 0_2_026A61B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A6194 push 00000000h; mov dword ptr [esp], ebp | 0_2_026A6267
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A237B push 00000000h; mov dword ptr [esp], edi | 0_2_026A2502
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A237B push 00000000h; mov dword ptr [esp], ecx | 0_2_026A2524
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A237B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_026A269D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A237B push dword ptr [ebp-10h]; mov dword ptr [esp], esi | 0_2_026A2737
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A237B push edi; mov dword ptr [esp], 00000004h | 0_2_026A2759
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A247B push 00000000h; mov dword ptr [esp], eax | 0_2_026A2498
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A247B push 00000000h; mov dword ptr [esp], edi | 0_2_026A2502
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A247B push 00000000h; mov dword ptr [esp], ecx | 0_2_026A2524
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A247B push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_026A269D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A247B push dword ptr [ebp-10h]; mov dword ptr [esp], esi | 0_2_026A2737
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A247B push edi; mov dword ptr [esp], 00000004h | 0_2_026A2759
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi | 0_2_026A48B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859 push dword ptr [ebp-10h]; mov dword ptr [esp], edx | 0_2_026A490D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859 push 00000000h; mov dword ptr [esp], ecx | 0_2_026A4918
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859 push dword ptr [ebp-10h]; mov dword ptr [esp], edi | 0_2_026A4990
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx | 0_2_026A4A23
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859 push 00000000h; mov dword ptr [esp], ebp | 0_2_026A4A2E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859 push ebx; mov dword ptr [esp], 00000001h | 0_2_026A4AD0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 0_2_026A4BE3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A4859 push 00000000h; mov dword ptr [esp], edx | 0_2_026A4C36
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_026A4859 push dword ptr [ebp-08h]; mov dword ptr [esp], edi0_2_026A4D62
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_026A4859 push 00000000h; mov dword ptr [esp], edx0_2_026A4D67
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_026A4859 push 00000000h; mov dword ptr [esp], ecx0_2_026A4D74

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000003.00000002.469880378.0000000002FE0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.468304011.00000000009A0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.233568120.00000000036C0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0.2.loaddll32.exe.9a0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.36c0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.2fe0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
                      Yara detected Ursnif
                      Source: Yara match | File source: 00000003.00000003.430938761.000000000526D000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.352421951.000000000536B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.352356466.000000000536B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.352397565.000000000536B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.352410447.000000000536B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.352378361.000000000536B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.352447282.000000000536B000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5944, type: MEMORY
                      Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6 occurrences)
                      Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 418
                      Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_009212D4 | RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree | 0_2_009212D4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04B212D4 | RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree | 3_2_04B212D4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 | LoadLibraryA,GetProcAddress | 0_2_10001745
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_026A2DF5 | or edx, dword ptr fs:[00000030h] | 0_2_026A2DF5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_03662DF5 | or edx, dword ptr fs:[00000030h] | 2_2_03662DF5
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\KAsJ2r4XYY.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.469842682.0000000001290000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.470506785.0000000003550000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.469842682.0000000001290000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.470506785.0000000003550000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.469842682.0000000001290000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.470506785.0000000003550000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.469842682.0000000001290000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.470506785.0000000003550000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0092269C | cpuid | 0_2_0092269C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000102F | GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError | 0_2_1000102F
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0092269C | RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree | 0_2_0092269C
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001850 | CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError | 0_2_10001850
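The "Code function" rows in this report (the push/mov-[esp] pairs behind the "Uses code obfuscation techniques (call, push, ret)" signature, and the `or edx, dword ptr fs:[00000030h]` rows behind "Contains functionality to read the PEB") are easier to triage once they are parsed into structured records. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses rows in the fused text form the report is extracted in, rewrites each `push X; mov dword ptr [esp], Y` pair into the plain `push Y` it is equivalent to (the value pushed as X is overwritten before anything can read it, so the pair is just a two-instruction spelling of one push), and flags any instruction whose operand is fs:[30h], the 32-bit PEB pointer, regardless of mnemonic, because this sample reaches the PEB with `or` rather than the textbook `mov`. The sample rows embedded in the script are constructed copies of rows from this report; the function and field names are the example's own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: "Code function" rows copied from the report above,
# in the fused form the page extraction produced (image + "Code function:" +
# function id + disassembly + instruction address, with no separators).
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_026A348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx0_2_026A34A1",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_026A348F push edx; mov dword ptr [esp], 00000002h0_2_026A384A",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_026A6194 push esi; mov dword ptr [esp], 00001000h0_2_026A61B7",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_026A237B push 00000000h; mov dword ptr [esp], edi0_2_026A2502",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_026A2DF5 or edx, dword ptr fs:[00000030h]0_2_026A2DF5",
    r"Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_03662DF5 or edx, dword ptr fs:[00000030h]2_2_03662DF5",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0092269C cpuid 0_2_0092269C",
]

# Function and instruction ids look like <process index>_<stage>_<hex address>.
ID = r"\d+_\d+_[0-9A-Fa-f]+"
ROW_RE = re.compile(
    rf"^Source: (?P<image>.+?)Code function: (?P<func>{ID}) (?P<body>.+?)\s*(?P<addr>{ID})$"
)
# push X ; mov dword ptr [esp], Y  -- X is dead the moment it is overwritten.
PAIR_RE = re.compile(r"^push (?P<dead>.+?); mov dword ptr \[esp\], (?P<real>.+)$")
# fs:[30h] on 32-bit Windows is the PEB pointer, whatever mnemonic loads it.
PEB_RE = re.compile(r"fs:\[0*30h\]", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    func: str
    addr: str
    kind: str     # obfuscated_push | peb_access | cpuid | other
    detail: str   # normalized meaning of the instruction(s)


def normalize_operand(op: str) -> str:
    """Turn the report's '00000002h' immediates into '0x2'; leave registers/memory alone.

    MASM-style hex immediates always start with a digit, which keeps an 8-bit
    register name such as 'ah' from being mistaken for the immediate 0xA.
    """
    m = re.fullmatch(r"([0-9][0-9A-Fa-f]*)h", op.strip())
    return hex(int(m.group(1), 16)) if m else op.strip()


def classify(line: str) -> Optional[Finding]:
    """Parse one fused report row; return None for rows that are not Code function rows."""
    m = ROW_RE.match(line)
    if m is None:
        return None
    image, func, addr = m.group("image"), m.group("func"), m.group("addr")
    body = m.group("body").strip()
    pair = PAIR_RE.match(body)
    if pair:
        # Net stack effect is a single push of Y; the push of X only adds a dead
        # write (and, for a memory operand such as [ebp-10h], a dead read).
        return Finding(image, func, addr, "obfuscated_push",
                       "push " + normalize_operand(pair.group("real")))
    if PEB_RE.search(body):
        # Keyed on the operand, not on 'mov': the OR form only yields the PEB
        # pointer if edx was zeroed first, but it is still a PEB read.
        return Finding(image, func, addr, "peb_access", body)
    if body.split()[0] == "cpuid":
        return Finding(image, func, addr, "cpuid", body)
    return Finding(image, func, addr, "other", body)


def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Per-function tally of finding kinds, e.g. {'0_2_026A348F': Counter({'obfuscated_push': 2})}."""
    per_func: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        f = classify(line)
        if f is not None:
            per_func[f.func][f.kind] += 1
    return dict(per_func)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = classify(line)
        print(f"{f.func} @ {f.addr}: {f.kind:16} {f.detail}")
    for func, kinds in summarize(SAMPLE_LINES).items():
        print(func, dict(kinds))
```

Feeding the script the full row list from the page groups the pairs by function (0_2_026A348F, 0_2_026A6194, 0_2_026A237B/0_2_026A247B, 0_2_026A4859) and shows that every pair collapses to an ordinary push of a register or small immediate, which is the behaviour the obfuscation signature is describing.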

                      Stealing of Sensitive Information:

                      Yara detected Ursnif (both rules; the matched memory dumps and unpacked PE files are the same as those listed under "Hooking and other Techniques for Hiding and Protection" above)

                      Remote Access Functionality:

                      Yara detected Ursnif (both rules; the matched memory dumps and unpacked PE files are the same as those listed under "Hooking and other Techniques for Hiding and Protection" above)

                      Mitre Att&ck Matrix

                      One column per tactic; a number in parentheses is the report's superscript count of signatures that matched that technique, reproduced as printed. Only cells with a count were matched in this analysis; the remaining cells are the matrix template and carry no finding.

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation (2) | Path Interception | Process Injection (12) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (12) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll32 (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery (13) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue