Windows Analysis Report 1c8.dll

Overview

General Information

Sample Name: 1c8.dll
Analysis ID: 448651
MD5: 1c87b3ebc5ddf8f53e585b3cf8f74f47
SHA1: 4579705a3e0e8b644fcf30d4c79456b0e4f669b8
SHA256: f2dfc3562e150ca045557559269c3c21531bb85292864109fd2ceca4fe0f1ea9
Tags: dll, gozi

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6956 cmdline: loaddll32.exe 'C:\Users\user\Desktop\1c8.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6964 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6988 cmdline: rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6972 cmdline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Clockcondition MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7048 cmdline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Dogwhen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7096 cmdline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Wholegray MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5828 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2284 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6980 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD",
  "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"],
  "botnet": "8877",
  "server": "12",
  "serpent_key": "30218409ILPAJDUR",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.849775483.0000000003618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.848756217.0000000004EB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.849876753.0000000003618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.850076693.0000000003618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.848724837.0000000004EB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000003.766216360.00000000010C0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 1c8.dll | Metadefender: Detection: 22%
Source: 1c8.dll | ReversingLabs: Detection: 60%
Source: 1c8.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 1c8.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, 00000000.00000002.920236216.000000006D414000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.922133756.000000006D414000.00000002.00020000.sdmp, 1c8.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49741 -> 40.97.128.194:80
Source: Joe Sandbox View | IP Address: 40.97.128.194
Source: Joe Sandbox View | IP Address: 52.97.232.194
Source: global traffic | HTTP traffic detected:
GET /grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/tYMT5RnKSeCB9jBg/3iH6euhlA_2FGYG/rhrfnjjJUD3Y1TDXr8/g3m2c4nF8/bM6OTpEkWKHOq9wInEON/2HRIvyEq85fMK7VnDSk/ESY1C1z2RWNeT9llxDcxvu/GKJMCp_2FJD6L/hm1dCsQj.grow HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: outlook.com
Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: outlook.com
Source: ~DF547E5E23E7DFF857.TMP.12.dr, {0A0F511C-E4AA-11EB-90EB-ECF4BBEA1588}.dat.12.dr | String found in binary or memory: https://outlook.office365.com/grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/t
Source: ~DF4099CF7A12250C28.TMP.12.dr, {0A0F511E-E4AA-11EB-90EB-ECF4BBEA1588}.dat.12.dr | String found in binary or memory: https://outlook.office365.com/grower/iSa3U_2FCrZy/TdWTQggM2F_/2F4Qd7iLvOzuNw/Q11HFiIe_2BP9wOCf9bSc/9

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.849775483.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848756217.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.849876753.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.850076693.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848724837.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848569421.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.850098978.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848820548.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.919640780.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.850034271.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848847828.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848790447.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848684716.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.849999289.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.918801492.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848623660.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.849834165.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.849965613.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6956, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1996 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1A44 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D23A5 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01175A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117B1A5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008A5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AB1A5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C25A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C2B1A5 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6D403290 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D403290 appears 39 times
Source: C:\Windows\System32\loaddll32.exe | Section loaded: sxs.dll
Source: 1c8.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal80.troj.winDLL@18/7@6/4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A0F511A-E4AA-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF34CE60BF8360E948.TMP
Source: 1c8.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Clockcondition
Source: 1c8.dll | Metadefender: Detection: 22%
Source: 1c8.dll | ReversingLabs: Detection: 60%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\1c8.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Clockcondition
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Sing
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Wholegray
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1BAC LoadLibraryA,GetProcAddress
Source: 1c8.dll | Static PE information: real checksum: 0x6292a should be: 0x64320
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D2120 push ecx; ret 0_2_6D3D2129
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D2173 push ecx; ret 0_2_6D3D2183
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117AF6F push ecx; ret 0_2_0117AF7F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117ABC0 push ecx; ret 0_2_0117ABC9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3FDE07 push ecx; ret 0_2_6D3FDE1A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3E103D push cs; ret 0_2_6D3E103E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4032D5 push ecx; ret 0_2_6D4032E8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3E2AD8 push edx; retf 0_2_6D3E2AD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AD23C push eax; retf 3_2_008AD251
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AD1B0 push eax; retf 3_2_008AD251
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AABC0 push ecx; ret 3_2_008AABC9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AD14D push eax; retf 3_2_008AD251
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AAF6F push ecx; ret 3_2_008AAF7F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D3FDE07 push ecx; ret 3_2_6D3FDE1A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D3E103D push cs; ret 3_2_6D3E103E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4032D5 push ecx; ret 3_2_6D4032E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C2ABC0 push ecx; ret 6_2_04C2ABC9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C2AF6F push ecx; ret 6_2_04C2AF7F

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
            Source: C:\Windows\System32\loaddll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D40AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,0_2_6D40AFAC
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1BAC LoadLibraryA,GetProcAddress,0_2_6D3D1BAC
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D42E2D8 mov eax, dword ptr fs:[00000030h] 0_2_6D42E2D8
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D42E207 mov eax, dword ptr fs:[00000030h] 0_2_6D42E207
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D42DE0E push dword ptr fs:[00000030h] 0_2_6D42DE0E
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D42E2D8 mov eax, dword ptr fs:[00000030h] 3_2_6D42E2D8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D42E207 mov eax, dword ptr fs:[00000030h] 3_2_6D42E207
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D42DE0E push dword ptr fs:[00000030h] 3_2_6D42DE0E
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D403484 GetProcessHeap,0_2_6D403484
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3FFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D3FFEBA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D3FFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6D3FFEBA
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
            Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01179135 cpuid 0_2_01179135
            Source: C:\Windows\System32\loaddll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_6D40EC14
            Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_6D402C5A
            Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6D40EF45
            Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_6D40EFC8
            Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6D40EEC8
            Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,0_2_6D40EE88
            Source: C:\Windows\System32\loaddll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,0_2_6D40D10F
            Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,0_2_6D4029A0
            Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_6D40F1BD
            Source: C:\Windows\System32\loaddll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,0_2_6D3FE036
            Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_6D40AB64
            Source: C:\Windows\System32\loaddll32.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,0_2_6D40CB0D
            Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,0_2_6D40F394
            Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,0_2_6D402A26
            Source: C:\Windows\System32\loaddll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6D40F2E7
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,3_2_6D402C5A
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,3_2_6D40EC14
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,3_2_6D40D10F
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6D40EF45
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,3_2_6D40EFC8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6D40EEC8
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,3_2_6D40EE88
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,3_2_6D4029A0
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,3_2_6D40F1BD
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,3_2_6D3FE036
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_6D40AB64
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,3_2_6D40CB0D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,3_2_6D40F394
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,3_2_6D402A26
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6D40F2E7
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_6D3D1ADA
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01179135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_01179135
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6D3D1F0E

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000000.00000003.849775483.0000000003618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.848756217.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.849876753.0000000003618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.850076693.0000000003618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.848724837.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.848569421.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.850098978.0000000003618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.848820548.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.919640780.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.850034271.0000000003618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.848847828.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.848790447.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.848684716.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.849999289.0000000003618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.918801492.0000000003618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000003.848623660.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.849834165.0000000003618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.849965613.0000000003618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6956, type: MEMORY

            Remote Access Functionality:
