Loading ...

Play interactive tourEdit tour

Windows Analysis Report 945.dll

Overview

General Information

Sample Name:945.dll
Analysis ID:448650
MD5:9453981ab8e71981bea907b3f2d11395
SHA1:ca0f69ef71bf287bdd19a8a9811c1f0dd2ff50e6
SHA256:fa97cd35d76337ff4a523ebdd7f879359a70432a14b7377f06df29c4679b3f70
Tags:dllgozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5904 cmdline: loaddll32.exe 'C:\Users\user\Desktop\945.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5780 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\945.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5516 cmdline: rundll32.exe 'C:\Users\user\Desktop\945.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5784 cmdline: rundll32.exe C:\Users\user\Desktop\945.dll,Clockcondition MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1048 cmdline: rundll32.exe C:\Users\user\Desktop\945.dll,Dogwhen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1112 cmdline: rundll32.exe C:\Users\user\Desktop\945.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1636 cmdline: rundll32.exe C:\Users\user\Desktop\945.dll,Wholegray MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6084 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5208 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6084 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 3672 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6084 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.392687998.0000000002ED8000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000003.00000003.391393759.0000000004E68000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000003.00000003.391313671.0000000004E68000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000000.00000002.487967194.0000000002ED8000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000003.00000003.391228461.0000000004E68000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 14 entries

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 00000002.00000003.298516419.00000000007A0000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: 945.dllMetadefender: Detection: 22%Perma Link
            Source: 945.dllReversingLabs: Detection: 58%
            Source: 945.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: 945.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.493176321.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.495266949.000000006E234000.00000002.00020000.sdmp, 945.dll

            Networking:

            barindex
            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49731 -> 40.97.116.82:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49749 -> 37.120.222.6:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49749 -> 37.120.222.6:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49752 -> 37.120.222.6:80
            Source: Joe Sandbox ViewIP Address: 40.97.128.194 40.97.128.194
            Source: Joe Sandbox ViewIP Address: 52.97.232.194 52.97.232.194
            Source: global trafficHTTP traffic detected: GET /grower/YjL_2BjDOrQaqruzKZl/J5qQT1PxhAWv_2ByqUpS3r/fw5c6vWOUvogF/fDf6v7zv/NA3IFZsX5L82cDak57at8n5/D4Cfgi7tVz/ry3I5zo4IJ_2BIobC/5nWwD7akwp5A/XzqLAJr21mH/cjfkiJFlq9y77G/1bzeLjs6zco1VtNrrz8EL/tJlbiHzqPNR1Mami/EAf48einPLf/Q.grow HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive
            Source: unknownDNS traffic detected: queries for: outlook.com
            Source: ~DF64A2AAB8E5E3DF4B.TMP.19.dr, {7370D523-E4F5-11EB-90E4-ECF4BB862DED}.dat.19.drString found in binary or memory: https://outlook.office365.com/grower/XdjQoGbnNj_2FSimi4F/g1n0hL2Ovi8UAiji8IT8vO/AZ50N9cBD7ouh/W9Stcu
            Source: rundll32.exe, 00000003.00000003.390626600.0000000002D64000.00000004.00000001.sdmp, ~DFEA5774EEA628D538.TMP.19.dr, {7370D521-E4F5-11EB-90E4-ECF4BB862DED}.dat.19.drString found in binary or memory: https://outlook.office365.com/grower/YjL_2BjDOrQaqruzKZl/J5qQT1PxhAWv_2ByqUpS3r/fw5c6vWOUvogF/fDf6v7
            Source: rundll32.exe, 00000003.00000002.490596255.0000000002CFA000.00000004.00000020.sdmpString found in binary or memory: https://www.redtube.com/
            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
            Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.392687998.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391393759.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391313671.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.487967194.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391228461.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391141192.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391066845.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392901039.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392858796.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392613103.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392808909.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392529075.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391440627.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392768559.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390980633.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392386685.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390863638.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5904, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5516, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.392687998.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391393759.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391313671.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.487967194.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391228461.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391141192.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391066845.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392901039.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392858796.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392613103.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392808909.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392529075.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391440627.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392768559.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390980633.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392386685.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390863638.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5904, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5516, type: MEMORY

            System Summary:

            barindex
            Writes or reads registry keys via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F1996 GetProcAddress,NtCreateSection,memset,0_2_6E1F1996
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F1A44 NtMapViewOfSection,0_2_6E1F1A44
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F23A5 NtQueryVirtualMemory,0_2_6E1F23A5
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F21840_2_6E1F2184
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2117B00_2_6E2117B0
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E224E000_2_6E224E00
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E22BE610_2_6E22BE61
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E220DB80_2_6E220DB8
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2205E50_2_6E2205E5
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2288B70_2_6E2288B7
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2309C80_2_6E2309C8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2117B03_2_6E2117B0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E224E003_2_6E224E00
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E22BE613_2_6E22BE61
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E220DB83_2_6E220DB8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2205E53_2_6E2205E5
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2288B73_2_6E2288B7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2309C83_2_6E2309C8
            Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E223290 appears 39 times
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E223290 appears 39 times
            Source: 945.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: classification engineClassification label: mal80.troj.winDLL@18/7@34/7
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF08C928D5E36F5DDB.TMPJump to behavior
            Source: 945.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,Clockcondition
            Source: 945.dllMetadefender: Detection: 22%
            Source: 945.dllReversingLabs: Detection: 58%
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\945.dll'
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\945.dll',#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,Clockcondition
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\945.dll',#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,Dogwhen
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,Sing
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,Wholegray
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6084 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6084 CREDAT:17414 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\945.dll',#1Jump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,ClockconditionJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,DogwhenJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,SingJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\945.dll,WholegrayJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\945.dll',#1Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6084 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6084 CREDAT:17414 /prefetch:2Jump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: 945.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 945.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 945.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 945.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 945.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 945.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 945.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: 945.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.493176321.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.495266949.000000006E234000.00000002.00020000.sdmp, 945.dll
            Source: 945.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 945.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 945.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 945.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 945.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F1BAC LoadLibraryA,GetProcAddress,0_2_6E1F1BAC
            Source: 945.dllStatic PE information: real checksum: 0x6292a should be: 0x68280
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F2120 push ecx; ret 0_2_6E1F2129
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F2173 push ecx; ret 0_2_6E1F2183
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E21DE07 push ecx; ret 0_2_6E21DE1A
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2232D5 push ecx; ret 0_2_6E2232E8
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E20103D push cs; ret 0_2_6E20103E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E21DE07 push ecx; ret 3_2_6E21DE1A
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E203276 push ebx; ret 3_2_6E20328A
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E203244 pushad ; ret 3_2_6E203270
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E2232D5 push ecx; ret 3_2_6E2232E8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E202AD8 push edx; retf 3_2_6E202AD9
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E20103D push cs; ret 3_2_6E20103E

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.392687998.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391393759.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391313671.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.487967194.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391228461.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391141192.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391066845.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392901039.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392858796.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392613103.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392808909.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392529075.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391440627.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392768559.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390980633.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392386685.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390863638.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5904, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5516, type: MEMORY
            Source: C:\Windows\System32\loaddll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E22AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,0_2_6E22AFAC
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E22AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,0_2_6E22AFAC
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F1BAC LoadLibraryA,GetProcAddress,0_2_6E1F1BAC
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E24E2D8 mov eax, dword ptr fs:[00000030h]0_2_6E24E2D8
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E24E207 mov eax, dword ptr fs:[00000030h]0_2_6E24E207
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E24DE0E push dword ptr fs:[00000030h]0_2_6E24DE0E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E24E2D8 mov eax, dword ptr fs:[00000030h]3_2_6E24E2D8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E24E207 mov eax, dword ptr fs:[00000030h]3_2_6E24E207
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E24DE0E push dword ptr fs:[00000030h]3_2_6E24DE0E
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E223484 GetProcessHeap,0_2_6E223484
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E21FEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E21FEBA
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E21FEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E21FEBA
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\945.dll',#1Jump to behavior
            Source: loaddll32.exe, 00000000.00000002.485745292.0000000000F70000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.491399399.0000000002FF0000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: loaddll32.exe, 00000000.00000002.485745292.0000000000F70000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.491399399.0000000002FF0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000000.00000002.485745292.0000000000F70000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.491399399.0000000002FF0000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.485745292.0000000000F70000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.491399399.0000000002FF0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_6E22EC14
            Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E22EE88
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E22EEC8
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E22EF45
            Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E22EFC8
            Source: C:\Windows\System32\loaddll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_6E222C5A
            Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E222A26
            Source: C:\Windows\System32\loaddll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6E22F2E7
            Source: C:\Windows\System32\loaddll32.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,0_2_6E22CB0D
            Source: C:\Windows\System32\loaddll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_6E22AB64
            Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_6E22F394
            Source: C:\Windows\System32\loaddll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,0_2_6E21E036
            Source: C:\Windows\System32\loaddll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_6E22D10F
            Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E2229A0
            Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E22F1BD
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,3_2_6E22EC14
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,3_2_6E222C5A
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,3_2_6E22D10F
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E22EE88
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6E22EEC8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6E22EF45
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,3_2_6E22EFC8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6E222A26
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6E22F2E7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,3_2_6E22CB0D
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_6E22AB64
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,3_2_6E22F394
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,3_2_6E21E036
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E2229A0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,3_2_6E22F1BD
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_6E1F1ADA
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1F1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6E1F1F0E

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.392687998.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391393759.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391313671.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.487967194.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391228461.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391141192.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391066845.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392901039.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392858796.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392613103.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392808909.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392529075.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391440627.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392768559.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390980633.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392386685.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390863638.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5904, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5516, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.392687998.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391393759.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391313671.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.487967194.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391228461.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391141192.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391066845.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392901039.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392858796.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392613103.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392808909.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392529075.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.391440627.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392768559.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390980633.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.392386685.0000000002ED8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.390863638.0000000004E68000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5904, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5516, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation2Path InterceptionProcess Injection12Masquerading1OS Credential DumpingSystem Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsNative API1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection12LSASS MemoryQuery Registry1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerSecurity Software Discovery3SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol3SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptRundll321LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Information Discovery13VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features