
Analysis Report HP7cjYBnlS

Overview

General Information

Sample Name: HP7cjYBnlS (renamed file extension from none to dll)
Analysis ID: 430819
MD5: b8bc8b1740b329ff2baf16bcee6ca23d
SHA1: d9215e03d2ddae00041a4ddd731872025b3ce537
SHA256: aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
Tags: dll

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 2160 cmdline: loaddll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5460 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5564 cmdline: rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1288 cmdline: rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Lastinch MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3508 cmdline: rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Ownof MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5936 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2396 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "U9rEBqXZSYCa5+IGIsh6bG+yCElOQeh3mm/EbofYWnWn8eEmiiYrJf4LFttt0DUA+39n8FZdgzQ8+SZc3rzhnMPMr8Z4fx3D+fbRo+I1MIlbD4szoKzRpMkx5aTB8Cab5I+DXW6gWdfQr7HECFEcTAwpyJLhfIGXn6KxgwFOnVndUgrjSYq7Gck569kPOO4YXnbUwt69XT2FKUKDeX2hms5/QtXX3Hh9nmWOhvUxbY98vRvvbsLlPzjNF7v0QGIh4X7uypp3Ivkr2P2sMxabdSYOW4HN4JM/VPPFS2qTgX6hwJ09dF8P8HXDM24KI8tEs5YG59SMhcwCDFrBdfAkYEtatx5JFUNCiZ8QoDq+MTA=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "5500", "server": "580", "serpent_key": "w81KRA2f0ixucq4e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(5 of 15 matching memory dumps shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://authd.feronok.com/5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2 | Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/ft4uMX2U8DExkako/7nz7XYcy_2FPVr_/2FPwc_2Fs5FKMespD3/eoY8gKUtH/5APsBMu_2FYgV7VnT01F/UNasB5xyXVRAz2U9YlK/vPhVaOevuoWXkOwOuvQxwX/WzTW2Vxlbm5Dm/rPytLuLu/KL_2FHSOlQc2K_2BpO7JML7/v1pC4egQVv/iWGaiNgaqJFCdjHoy/PoXO84M5LLuy/jOUqBl_2Bse/EY7p0c9R6kAidR/RKeKXozKr_2B2DMk4uhLx/44Gh2U87rhzhq5q8/e3uXzWyPgLhp7zv/L1Iu0qPLA6WpCvBUhY/ZBphUq1tO/a9IY_2Fv/fGT | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000005.00000003.328801653.0000000002F30000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "U9rEBqXZSYCa5+IGIsh6bG+yCElOQeh3mm/EbofYWnWn8eEmiiYrJf4LFttt0DUA+39n8FZdgzQ8+SZc3rzhnMPMr8Z4fx3D+fbRo+I1MIlbD4szoKzRpMkx5aTB8Cab5I+DXW6gWdfQr7HECFEcTAwpyJLhfIGXn6KxgwFOnVndUgrjSYq7Gck569kPOO4YXnbUwt69XT2FKUKDeX2hms5/QtXX3Hh9nmWOhvUxbY98vRvvbsLlPzjNF7v0QGIh4X7uypp3Ivkr2P2sMxabdSYOW4HN4JM/VPPFS2qTgX6hwJ09dF8P8HXDM24KI8tEs5YG59SMhcwCDFrBdfAkYEtatx5JFUNCiZ8QoDq+MTA=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "5500", "server": "580", "serpent_key": "w81KRA2f0ixucq4e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: authd.feronok.com | Virustotal: Detection: 12%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030839C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,4_2_030839C5
Source: HP7cjYBnlS.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: HP7cjYBnlS.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\doctor\223\Top\key\each M\Iron.pdb source: loaddll32.exe, 00000001.00000002.474423465.000000006E242000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.476442754.000000006E242000.00000002.00020000.sdmp, HP7cjYBnlS.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1DBE2B FindFirstFileExW,FindNextFileW,FindClose,1_2_6E1DBE2B
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1DBA6F FindFirstFileExW,1_2_6E1DBA6F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1DBE2B FindFirstFileExW,FindNextFileW,FindClose,4_2_6E1DBE2B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E1DBA6F FindFirstFileExW,4_2_6E1DBA6F
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic | HTTP traffic detected:
    GET /5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2BQXv/jhaYgnRoJXbt0p9E/b8fATrD6qQYegBk/Z_2BGMca1pIbKyE0_2/B6xQROT_2/FVtM7cI_2F4AqKBZTcM8/ka_2F9uVk0Uf7i421qg/djhua0iQVsNSQqZdHOVnOp/1bWWjsxwMvE9P/MwkEBGYh/46lRSAqS_2BR6Lm5JNn7FqF/Gnvaxpv6Hg/PmOIMmhyTSho2PVt_/2FS0IBXGm_2B/SjjfTOvQzGo/_2FqD_2BGuMeOB/vnbxHYtmqGY_2BlpC/_2BvpW HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: authd.feronok.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /ft4uMX2U8DExkako/7nz7XYcy_2FPVr_/2FPwc_2Fs5FKMespD3/eoY8gKUtH/5APsBMu_2FYgV7VnT01F/UNasB5xyXVRAz2U9YlK/vPhVaOevuoWXkOwOuvQxwX/WzTW2Vxlbm5Dm/rPytLuLu/KL_2FHSOlQc2K_2BpO7JML7/v1pC4egQVv/iWGaiNgaqJFCdjHoy/PoXO84M5LLuy/jOUqBl_2Bse/EY7p0c9R6kAidR/RKeKXozKr_2B2DMk4uhLx/44Gh2U87rhzhq5q8/e3uXzWyPgLhp7zv/L1Iu0qPLA6WpCvBUhY/ZBphUq1tO/a9IY_2Fv/fGT HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: authd.feronok.com
    Connection: Keep-Alive
Source: msapplication.xml0.23.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.23.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.23.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.23.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.23.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.23.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: authd.feronok.com
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Tue, 08 Jun 2021 01:05:27 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {09EF2733-C841-11EB-90E4-ECF4BB862DED}.dat.23.dr | String found in binary or memory: http://authd.feronok.com/5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2
Source: msapplication.xml.23.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.23.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.23.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.23.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.23.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.23.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.23.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.23.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif (same Yara match sources as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030839C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,4_2_030839C5

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1B1B9C GetProcAddress,NtCreateSection,memset,1_2_6E1B1B9C
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1B1EC7 NtMapViewOfSection,1_2_6E1B1EC7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1B2485 NtQueryVirtualMemory,1_2_6E1B2485
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03082D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,4_2_03082D06
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03088005 NtQueryVirtualMemory,4_2_03088005
Source: HP7cjYBnlS.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal80.troj.winDLL@12/22@2/1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0308513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,4_2_0308513E
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF911219CB699D8BEF.TMP
Source: HP7cjYBnlS.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Lastinch
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Ownof
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: HP7cjYBnlS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HP7cjYBnlS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HP7cjYBnlS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HP7cjYBnlS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HP7cjYBnlS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HP7cjYBnlS.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: HP7cjYBnlS.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\doctor\223\Top\key\each M\Iron.pdb source: loaddll32.exe, 00000001.00000002.474423465.000000006E242000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.476442754.000000006E242000.00000002.00020000.sdmp, HP7cjYBnlS.dll
Source: HP7cjYBnlS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HP7cjYBnlS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HP7cjYBnlS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HP7cjYBnlS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HP7cjYBnlS.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1B1F7C LoadLibraryA,GetProcAddress,1_2_6E1B1F7C
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1B2200 push ecx; ret 1_2_6E1B2209
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E1B2253 push ecx; ret 1_2_6E1B2263
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6E282E55 push esi; ret 1_2_6E282E5E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03087DCF push ecx; ret 4_2_03087DDF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03087A60 push ecx; ret 4_2_03087A69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E282E55 push esi; ret 4_2_6E282E5E

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match, file source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
            Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY
            Source: C:\Windows\System32\loaddll32.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\loaddll32.exe, Process information set: NOOPENFILEERRORBOX (2 occurrences)
            Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX (11 occurrences)
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DBE2B FindFirstFileExW, FindNextFileW, FindClose
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DBA6F FindFirstFileExW
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DBE2B FindFirstFileExW, FindNextFileW, FindClose
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DBA6F FindFirstFileExW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1D520E IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1B1F7C LoadLibraryA, GetProcAddress
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DB429 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DB21D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DB2BB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DB370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DB3B4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DB3F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1CB0D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1CB112 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DB1DA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E280A6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E2809A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E2805A7 push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DB429 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DB21D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DB2BB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DB370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DB3B4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DB3F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1CB0D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DB1DA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E280A6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E2809A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E2805A7 push dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DED89 GetProcessHeap
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1D520E IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1D520E IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
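The fs:[00000030h] rows above are the 32-bit idiom for fetching the PEB pointer out of the TEB; what decides whether such a hit is anti-debugging, manual API resolution or plain runtime housekeeping is which PEB field is read next (BeingDebugged at +0x02, the value IsDebuggerPresent returns; Ldr at +0x0C, the loaded-module list walked when resolving imports by hand; NtGlobalFlag at +0x68). The scanner below is an added example, not part of this report or of Joe Sandbox: it finds those accesses in a raw 32-bit code buffer and names the field when the following instruction dereferences the loaded pointer. The SAMPLE bytes and the 0x6E1DB400 base are constructed for illustration. A linear byte scan is not a disassembler, so treat its output as candidates to confirm in the disassembly, especially since many of the addresses above sit in the same 0x6E1Dxxxx range as the runtime-looking helpers (FindFirstFileExW/FindNextFileW/FindClose, the locale enumeration functions).

```python
"""
Byte-pattern scanner for direct PEB access through the FS segment, the
construct behind the "mov eax, dword ptr fs:[00000030h]" and
"push dword ptr fs:[00000030h]" rows in the report.

Added example; not Joe Sandbox code.  The bytes in SAMPLE are constructed,
not extracted from HP7cjYBnlS.dll.  On 32-bit Windows, TEB+0x30 holds the
PEB pointer; PEB+0x02 is BeingDebugged, PEB+0x0C is Ldr and PEB+0x68 is
NtGlobalFlag.
"""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
DISP30 = b"\x30\x00\x00\x00"        # 32-bit absolute displacement 0x30


def _match_peb_load(code: bytes, i: int):
    """If code[i:] starts with a load of fs:[30h], return (length, form, dest_reg)."""
    if code[i] != 0x64:                                    # FS segment override prefix
        return None
    op = code[i + 1:i + 2]
    if op == b"\xA1" and code[i + 2:i + 6] == DISP30:      # A1: mov eax, moffs32
        return 6, "mov eax, fs:[30h]", "eax"
    if op == b"\x8B" and code[i + 3:i + 7] == DISP30:      # 8B /r: mov r32, r/m32
        modrm = code[i + 2]
        if (modrm & 0xC7) == 0x05:                         # mod=00, rm=101 -> [disp32]
            return 7, "mov r32, fs:[30h]", REGS[(modrm >> 3) & 7]
    if op == b"\xFF" and code[i + 2:i + 3] == b"\x35" and code[i + 3:i + 7] == DISP30:
        return 7, "push dword ptr fs:[30h]", None          # FF /6: push r/m32
    return None


def _classify_followup(code: bytes, j: int, reg):
    """Name the PEB field if the next instruction dereferences the loaded pointer."""
    if reg is None:
        return None
    r = REGS.index(reg)
    modrm = 0x40 | (r << 3) | r                            # [reg + disp8] -> same reg
    nxt = code[j:j + 4]
    if nxt[:2] == b"\x0F\xB6" and nxt[2:4] == bytes([modrm, 0x02]):
        return "BeingDebugged (PEB+0x02)"                  # movzx reg, byte ptr [reg+2]
    if nxt[:1] == b"\x8B" and nxt[1:3] == bytes([modrm, 0x68]):
        return "NtGlobalFlag (PEB+0x68)"                   # mov reg, [reg+68h]
    if nxt[:1] == b"\x8B" and nxt[1:3] == bytes([modrm, 0x0C]):
        return "Ldr (PEB+0x0C)"                            # mov reg, [reg+0Ch]
    return None


def find_peb_reads(code: bytes, base: int):
    """Linear scan; one dict per fs:[30h] access with its VA, form, register and field."""
    hits, i = [], 0
    while i < len(code):
        m = _match_peb_load(code, i)
        if m is None:
            i += 1
            continue
        length, form, reg = m
        hits.append({"va": base + i, "form": form, "reg": reg,
                     "field": _classify_followup(code, i + length, reg)})
        i += length
    return hits


# Constructed 32-bit code; the base is chosen only to resemble the report's VAs.
SAMPLE_BASE = 0x6E1DB400
SAMPLE = (
    b"\x55\x8B\xEC"                   # push ebp / mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"       # mov eax, fs:[30h]            (PEB)
    b"\x0F\xB6\x40\x02"               # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    b"\x85\xC0"                       # test eax, eax
    b"\x64\x8B\x0D\x30\x00\x00\x00"   # mov ecx, fs:[30h]            (PEB)
    b"\x8B\x49\x0C"                   # mov ecx, [ecx+0Ch]           (Ldr)
    b"\x64\xFF\x35\x30\x00\x00\x00"   # push dword ptr fs:[30h]
    b"\xC3"                           # ret
)

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE, SAMPLE_BASE):
        print(f"{h['va']:08X}  {h['form']:<24} -> {h['field'] or '(no known field read next)'}")
```

Running the file prints three hits: the eax load followed by the BeingDebugged read, the ecx load followed by the Ldr read, and a bare push of the PEB pointer with no field resolved. The same scan can be pointed at a dumped region such as the 0x03A58000 / 0x05BB8000 memory the Yara rule matched.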
            Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1
            Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp, Binary or memory string: Program Manager
            Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp, Binary or memory string: Progman
            Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_03084454 cpuid
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1B1E8A GetLocaleInfoA, GetSystemDefaultUILanguage, VerLanguageNameA
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DDE5B EnumSystemLocalesW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DDE84 EnumSystemLocalesW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1E4C9D EnumSystemLocalesW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1E4D06 EnumSystemLocalesW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DDD84 EnumSystemLocalesW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1E4DA1 EnumSystemLocalesW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1E49FB GetACP, IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DE7A7 GetLocaleInfoW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1E537A GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1E51A5 GetLocaleInfoW, GetLocaleInfoW, GetACP
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DE7A7 GetLocaleInfoW
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1E4C9D EnumSystemLocalesW
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1E4D06 EnumSystemLocalesW
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1DDD84 EnumSystemLocalesW
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1E4DA1 EnumSystemLocalesW
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1E537A GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1E51A5 GetLocaleInfoW, GetLocaleInfoW, GetACP
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_6E1E49FB GetACP, IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW
            Source: C:\Windows\System32\loaddll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1B1144 GetSystemTimeAsFileTime, _aulldiv, _snwprintf, CreateFileMappingW, GetLastError, GetLastError, MapViewOfFile, GetLastError, CloseHandle, GetLastError
            Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_03084454 wsprintfA, RtlAllocateHeap, GetUserNameW, RtlAllocateHeap, GetUserNameW, HeapFree, GetComputerNameW, GetComputerNameW, RtlAllocateHeap, GetComputerNameW, HeapFree
            Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1B1F10 CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, GetLastError
            Source: C:\Windows\System32\loaddll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
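Read together, the evidence in this section splits by address. The file-enumeration, locale-enumeration and IsDebuggerPresent/SetUnhandledExceptionFilter functions all sit between 0x6E1Bxxxx and 0x6E28xxxx in both processes, an API mix that looks like what a statically linked C runtime contributes and that carries little weight on its own. The function that executes cpuid and collects GetUserNameW/GetComputerNameW results sits at 0x03084454 in rundll32.exe, and the Yara matches land at 0x03A58000 (loaddll32.exe) and 0x05BB8000 (rundll32.exe), well away from the 0x6Exxxxxx range where the loaded DLL's own code is reported. The InstallDate and MachineGuid reads belong with that host-fingerprinting cluster; those two values are stable per host and are the usual raw material for a per-victim identifier. The helper below is an added example, not Joe Sandbox tooling: it parses the report's own line format so that this grouping is mechanical rather than done by eye. SAMPLE_LINES is a hand-copied subset of the lines in this section (one kept in the raw, fused form the extraction produced), and the meaning assumed for the .sdmp name fields (first field = process index, matching the N in the N_M_ADDR references; fourth = dump base address) is an assumption drawn from how they line up with those references.

```python
"""
Triage helper for the evidence lines in this report section: pulls the process
index and virtual address out of each "Code function" reference and each Yara
memory-dump (.sdmp) name, groups functions by 64 KiB region per process, and
tags each function by the API mix it contains.

Added example, not Joe Sandbox tooling.  Assumed .sdmp field meaning: first
dotted field = process index (1 = loaddll32.exe, 4 = rundll32.exe), fourth =
dump base address; the remaining fields are not interpreted.
"""
import re
from collections import defaultdict

ID_RE = re.compile(r"\b(\d+)_(\d+)_([0-9A-Fa-f]{8})\b")          # e.g. 4_2_03084454
SDMP_RE = re.compile(r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.(\d{8})\.(\d{8})\.sdmp")

# API sets used to tag a function; any overlap with the function's API list is enough.
TAGS = {
    "fingerprint": {"GetUserNameW", "GetComputerNameW", "cpuid", "GetVersion",
                    "GetCurrentProcessId", "GetSystemTimeAsFileTime"},
    "anti_debug":  {"IsDebuggerPresent", "GetProcessHeap"},
    "dynamic_api": {"LoadLibraryA", "GetProcAddress"},
    "crt_locale":  {"EnumSystemLocalesW", "GetLocaleInfoW", "IsValidCodePage",
                    "IsValidLocale", "GetACP", "GetUserDefaultLCID"},
    "file_enum":   {"FindFirstFileExW", "FindNextFileW", "FindClose"},
}


def tag_apis(apis):
    tags = {name for name, known in TAGS.items() if known & set(apis)}
    if any("fs:[00000030h]" in a for a in apis):
        tags.add("peb_read")
    return sorted(tags)


def parse_line(line):
    """Return a record for a Yara .sdmp reference or a Code function line, else None."""
    m = SDMP_RE.search(line)
    if m and "Yara match" in line:                 # memory-string lines also carry .sdmp names; skip them
        return {"kind": "dump", "proc": int(m.group(1)), "va": int(m.group(4), 16)}
    if "Code function:" not in line:
        return None
    ids = ID_RE.findall(line)
    if not ids:
        return None
    proc, _, addr = ids[0]                         # the id appears first or last; either way it is the same
    body = ID_RE.sub("", line.split("Code function:", 1)[1]).strip()
    # A raw instruction ("mov eax, dword ptr fs:[...]") contains a comma that is not
    # an API separator, so keep it whole; otherwise split the API list.
    apis = [body] if "fs:[" in body else [a.strip() for a in body.split(",") if a.strip()]
    return {"kind": "function", "proc": int(proc), "va": int(addr, 16),
            "apis": apis, "tags": tag_apis(apis)}


def summarize(lines):
    """Return (proc -> region (va >> 16) -> [function records], proc -> {dump bases})."""
    regions = defaultdict(lambda: defaultdict(list))
    dumps = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "dump":
            dumps[rec["proc"]].add(rec["va"])
        else:
            regions[rec["proc"]][rec["va"] >> 16].append(rec)
    return regions, dumps


# Hand-copied subset of the report lines above; constructed input for this example.
SAMPLE_LINES = [
    r"Source: Yara match, file source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY",
    r"Source: Yara match, file source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY",
    r"Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1DBE2B FindFirstFileExW, FindNextFileW, FindClose",
    r"Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1D520E IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter",
    r"Source: C:\Windows\System32\loaddll32.exe, Code function: 1_2_6E1B1F7C LoadLibraryA, GetProcAddress",
    # raw, fused form exactly as the extraction produced it
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6E1DB429 mov eax, dword ptr fs:[00000030h]1_2_6E1DB429",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_03084454 wsprintfA, RtlAllocateHeap, GetUserNameW, RtlAllocateHeap, GetUserNameW, HeapFree, GetComputerNameW, GetComputerNameW, RtlAllocateHeap, GetComputerNameW, HeapFree",
    r"Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_03084454 cpuid",
    r"Source: C:\Windows\System32\loaddll32.exe, Code function: GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW, 1_2_6E1E537A",
    r"Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, Binary or memory string: Program Manager",
]

if __name__ == "__main__":
    regions, dumps = summarize(SAMPLE_LINES)
    for proc in sorted(regions):
        print(f"process {proc}: Yara dump bases {[hex(v) for v in sorted(dumps[proc])]}")
        for region in sorted(regions[proc]):
            tags = sorted({t for r in regions[proc][region] for t in r["tags"]})
            print(f"  region {region:04X}xxxx: {len(regions[proc][region])} function(s), tags {tags}")
```

On the sample lines the output shows process 1 with functions in the 0x6E1B, 0x6E1D and 0x6E1E regions (file_enum, anti_debug, dynamic_api, peb_read, crt_locale) and process 4 with the single fingerprint function in region 0x0308 next to a Yara hit at 0x05BB8000; feeding it the full section gives the regions worth dumping and disassembling first.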

            Stealing of Sensitive Information: