Loading ...

Play interactive tourEdit tour

Windows Analysis Report 50.dll

Overview

General Information

Sample Name:50.dll
Analysis ID:498828
MD5:03a4adf216161aceabaf8b9cbde58308
SHA1:5b37a2bdc58279f1f1e31038fff1f859eec76cf6
SHA256:e0e9821e1c172ee90b6ea27d96a0e9053269fb48bcbe7ec4fb42e048da9f4e8a
Tags:dll
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5416 cmdline: loaddll32.exe 'C:\Users\user\Desktop\50.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4604 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\50.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 3148 cmdline: rundll32.exe 'C:\Users\user\Desktop\50.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3348 cmdline: rundll32.exe C:\Users\user\Desktop\50.dll,@DllRegisterServer@0 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5364 cmdline: rundll32.exe C:\Users\user\Desktop\50.dll,@DllUnregisterServer@0 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3324 cmdline: rundll32.exe C:\Users\user\Desktop\50.dll,@Properwhat@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 7056 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3644 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7056 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6992 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2332 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6992 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3892 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4676 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3892 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5580 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6336 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5580 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6888 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6004 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6888 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "spMgSJlMsbtyYJa7J98r3sDVnAauyYqUMJmfcOwftrNnR0Q/C00j0nLxLEQJJp6q/6NEKbKUj0/JgWKRbzzHEB4F6RQgzHtMFW3wSImU2nYZ9tLVzVwdEUFZI5FukXQ3NiY2htJmxqUn2twjM931KOxXZ4RzDvIB/4hTvpsWTDF+n4G7YGtk1nZlke9r+CWY", "c2_domain": ["golang.feel500.at/api1", "api10.laptok.at/api1"], "botnet": "2200", "server": "730", "serpent_key": "wyzQ2rMFkB7aXutb", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000003.479416380.0000000004CD8000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000003.00000003.479376627.0000000004CD8000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000003.00000003.621232674.00000000044C9000.00000004.00000040.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
        00000000.00000002.804482994.0000000003F08000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000000.00000003.495439556.0000000003F08000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 20 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.loaddll32.exe.13a0000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              3.2.rundll32.exe.2590000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                6.3.rundll32.exe.51b94a0.1.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  3.3.rundll32.exe.44c94a0.1.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    2.3.rundll32.exe.4eb94a0.1.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                      Click to see the 10 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 00000002.00000003.438939815.0000000003060000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "spMgSJlMsbtyYJa7J98r3sDVnAauyYqUMJmfcOwftrNnR0Q/C00j0nLxLEQJJp6q/6NEKbKUj0/JgWKRbzzHEB4F6RQgzHtMFW3wSImU2nYZ9tLVzVwdEUFZI5FukXQ3NiY2htJmxqUn2twjM931KOxXZ4RzDvIB/4hTvpsWTDF+n4G7YGtk1nZlke9r+CWY", "c2_domain": ["golang.feel500.at/api1", "api10.laptok.at/api1"], "botnet": "2200", "server": "730", "serpent_key": "wyzQ2rMFkB7aXutb", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "dga_base_url": "constitution.org/usdeclar.txt", "dga_tld": "com ru org", "DGA_count": "10"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: 50.dllVirustotal: Detection: 60%Perma Link
                      Source: 50.dllMetadefender: Detection: 27%Perma Link
                      Source: 50.dllReversingLabs: Detection: 71%
                      Antivirus / Scanner detection for submitted sampleShow sources
                      Source: 50.dllAvira: detected
                      Multi AV Scanner detection for domain / URLShow sources
                      Source: api10.laptok.atVirustotal: Detection: 14%Perma Link
                      Source: golang.feel500.atVirustotal: Detection: 11%Perma Link
                      Source: 50.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                      Source: 50.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: c:\colorEarth\energySend\RiseRide\SisterFlower\waveBear\Product.pdb source: loaddll32.exe, 00000000.00000002.805046595.000000006E9F5000.00000002.00020000.sdmp, 50.dll
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0259A282 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_0259A282

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49793 -> 87.106.18.141:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49793 -> 87.106.18.141:80
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49795 -> 87.106.18.141:80
                      Source: Joe Sandbox ViewASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
                      Source: Joe Sandbox ViewIP Address: 87.106.18.141 87.106.18.141
                      Source: msapplication.xml0.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0ec88392,0x01d7bbc9</date><accdate>0x0ec88392,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                      Source: msapplication.xml0.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0ec88392,0x01d7bbc9</date><accdate>0x0ec88392,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
                      Source: msapplication.xml5.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0ed20c0d,0x01d7bbc9</date><accdate>0x0ed20c0d,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                      Source: msapplication.xml5.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0ed20c0d,0x01d7bbc9</date><accdate>0x0ed20c0d,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
                      Source: msapplication.xml7.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0ed932f5,0x01d7bbc9</date><accdate>0x0ed932f5,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                      Source: msapplication.xml7.15.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0ed932f5,0x01d7bbc9</date><accdate>0x0ed932f5,0x01d7bbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
                      Source: loaddll32.exe, 00000000.00000002.803654054.0000000001BB0000.00000002.00020000.sdmpString found in binary or memory: http://api10.laptok.at/api1/9RmUtQcDZhfIk1c/nHzONe5_2BBvJ2yBiQ/7EpiCVM7W/f4E0uY3D227v2RDuExxP/z
                      Source: {654BE4AB-27BC-11EC-90E9-ECF4BB862DED}.dat.36.drString found in binary or memory: http://api10.laptok.at/api1/9RmUtQcDZhfIk1c/nHzONe5_2BBvJ2yBiQ/7EpiCVM7W/f4E0uY3D227v2RDuExxP/zjYG_2
                      Source: loaddll32.exe, 00000000.00000002.803654054.0000000001BB0000.00000002.00020000.sdmpString found in binary or memory: http://api10.laptok.at/api1/Jq38ICaRqPy/g8cT5EDuzQRTfd/bDaQidhBmNREYWZABcNxO/6xll5SLapn_2FusJ/i
                      Source: {60EB5440-27BC-11EC-90E9-ECF4BB862DED}.dat.34.drString found in binary or memory: http://api10.laptok.at/api1/Jq38ICaRqPy/g8cT5EDuzQRTfd/bDaQidhBmNREYWZABcNxO/6xll5SLapn_2FusJ/iHdi_2
                      Source: {391FBB83-27BC-11EC-90E9-ECF4BB862DED}.dat.15.dr, ~DF724E8AB2918CB9FB.TMP.15.drString found in binary or memory: http://golang.feel500.at/api1/NRk_2FVJ/wA96x_2FCs_2BXPQBfDRJnC/8ZaJOikUxp/tNUL_2F9bDwQb7Nw0/4hAwTXCC
                      Source: {531DF9CC-27BC-11EC-90E9-ECF4BB862DED}.dat.27.dr, ~DF614A578B8A0039D2.TMP.27.drString found in binary or memory: http://golang.feel500.at/api1/QKqJb_2FIetnA30Lrh/D_2BUq5Xp/A5g0RhnO33fAZ8QR_2BE/MeaF1_2BnZPZU9RqKt3/
                      Source: ~DF9E71909E92B794F9.TMP.32.dr, {57B5605E-27BC-11EC-90E9-ECF4BB862DED}.dat.32.drString found in binary or memory: http://golang.feel500.at/api1/YLF22kb3qppYj0qV_2FrBA/gmsmY04uRW1XV/l2QyGLGA/GtEQ6XjZAWGXWxCNpGcTaDx/
                      Source: msapplication.xml.15.drString found in binary or memory: http://www.amazon.com/
                      Source: msapplication.xml1.15.drString found in binary or memory: http://www.google.com/
                      Source: msapplication.xml2.15.drString found in binary or memory: http://www.live.com/
                      Source: msapplication.xml3.15.drString found in binary or memory: http://www.nytimes.com/
                      Source: msapplication.xml4.15.drString found in binary or memory: http://www.reddit.com/
                      Source: msapplication.xml5.15.drString found in binary or memory: http://www.twitter.com/
                      Source: msapplication.xml6.15.drString found in binary or memory: http://www.wikipedia.com/
                      Source: msapplication.xml7.15.drString found in binary or memory: http://www.youtube.com/
                      Source: unknownDNS traffic detected: queries for: golang.feel500.at
                      Source: global trafficHTTP traffic detected: GET /api1/Jq38ICaRqPy/g8cT5EDuzQRTfd/bDaQidhBmNREYWZABcNxO/6xll5SLapn_2FusJ/iHdi_2FbiOmTGGb/BXo7JAZFG1eu_2FtyI/cNFtxMNBR/zYGeZfeXbEOB1SyQFsvB/rB0Q_2FZQZ0YZi_2FRO/tidnHoD06Cgh_2FRad0Stl/qK8jV1z_2FTo2/PBtT0ki_/2BubNruXDtYtZ2wLQ_2BEya/1EtRRJfeUI/5CMi0T2vwqXTEyNz1/lyOJ_2BtNXg9/d_2B7LGgvGV/55GaKjfY_2FDfj/svm_0A_0DtNmhHj6ls2X4/2lW3OzRcv2PkceFw/VNJ6ep7w_2FRmj_2FWh4Js/N HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /api1/9RmUtQcDZhfIk1c/nHzONe5_2BBvJ2yBiQ/7EpiCVM7W/f4E0uY3D227v2RDuExxP/zjYG_2FjR1JK0Cdmuq7/JUrUMl2hsVJQOhQQrJjdjI/lE7jBPvrlvBD9/Eqgu2Y0S/_2FHxIBiKM99DvrRblH0nvV/kCN2W88lpy/lXYy2rxZX1fnU6LEk/1F2dsOnkIM4n/gevEdeTc_2F/PmNNaIgvx9qczG/o0sHDdRiEaK9_2F3dDlYN/KN8GHFQNDyxdo2UR/PPq4SUNELaWLIO_/0A_0DzqmFbCxXnCfo4/INkWBFYtG/ncFEw74zm9E4h83K_2FU/jx5qA20TXkJiA0KWOxZ/VG0Riowa/X HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000003.00000003.479416380.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479376627.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.804482994.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.495439556.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496320513.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479510909.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479453127.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496294032.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496277018.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.495483618.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496244695.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479614184.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479576032.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496057082.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479548431.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479596189.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.622172269.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496215226.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5416, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3148, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.loaddll32.exe.13a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.2590000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.51b94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.44c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4eb94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.30b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.44b94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.51b94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.44b94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4eb94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.44c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.33594a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.3510000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.33594a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.621232674.00000000044C9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.478390389.0000000004EB9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.804033989.0000000003359000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.492977892.00000000044B9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000003.503835282.00000000051B9000.00000004.00000040.sdmp, type: MEMORY
                      Source: loaddll32.exe, 00000000.00000002.802215497.00000000015CB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000003.00000003.479416380.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479376627.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.804482994.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.495439556.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496320513.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479510909.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479453127.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496294032.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496277018.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.495483618.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496244695.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479614184.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479576032.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496057082.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479548431.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479596189.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.622172269.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496215226.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5416, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3148, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.loaddll32.exe.13a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.2590000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.51b94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.44c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4eb94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.30b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.44b94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.51b94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.44b94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4eb94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.44c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.33594a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.3510000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.33594a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.621232674.00000000044C9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.478390389.0000000004EB9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.804033989.0000000003359000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.492977892.00000000044B9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000003.503835282.00000000051B9000.00000004.00000040.sdmp, type: MEMORY

                      System Summary:

                      barindex
                      Writes or reads registry keys via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 50.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B22A40_2_6E9B22A4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9DCF870_2_6E9DCF87
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9E4DF90_2_6E9E4DF9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9F1D790_2_6E9F1D79
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9F3AC20_2_6E9F3AC2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9EABE90_2_6E9EABE9
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9E23080_2_6E9E2308
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0259AEE43_2_0259AEE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_025954943_2_02595494
                      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E9E4810 appears 41 times
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B1880 NtMapViewOfSection,0_2_6E9B1880
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B15AB GetLastError,NtClose,0_2_6E9B15AB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B1CEF GetProcAddress,NtCreateSection,memset,0_2_6E9B1CEF
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B24C5 NtQueryVirtualMemory,0_2_6E9B24C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0259963C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_0259963C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0259B105 NtQueryVirtualMemory,3_2_0259B105
                      Source: 50.dllBinary or memory string: OriginalFilenameProduct.dllF vs 50.dll
                      Source: C:\Windows\System32\loaddll32.exeSection loaded: mspdb140.dllJump to behavior
                      Source: 50.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 50.dllVirustotal: Detection: 60%
                      Source: 50.dllMetadefender: Detection: 27%
                      Source: 50.dllReversingLabs: Detection: 71%
                      Source: 50.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\50.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\50.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@DllRegisterServer@0
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\50.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@DllUnregisterServer@0
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@Properwhat@8
                      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7056 CREDAT:17410 /prefetch:2
                      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6992 CREDAT:17410 /prefetch:2
                      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3892 CREDAT:17410 /prefetch:2
                      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5580 CREDAT:17410 /prefetch:2
                      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6888 CREDAT:17410 /prefetch:2
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\50.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@DllRegisterServer@0Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@DllUnregisterServer@0Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@Properwhat@8Jump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\50.dll',#1Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7056 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6992 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3892 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5580 CREDAT:17410 /prefetch:2
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6888 CREDAT:17410 /prefetch:2
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFB26ED506A2ACFD75.TMPJump to behavior
                      Source: classification engineClassification label: mal100.troj.winDLL@26/49@11/1
                      Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0259846C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,3_2_0259846C
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\50.dll,@DllRegisterServer@0
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                      Source: 50.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 50.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 50.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 50.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 50.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 50.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 50.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: 50.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: c:\colorEarth\energySend\RiseRide\SisterFlower\waveBear\Product.pdb source: loaddll32.exe, 00000000.00000002.805046595.000000006E9F5000.00000002.00020000.sdmp, 50.dll
                      Source: 50.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 50.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 50.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 50.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 50.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B2293 push ecx; ret 0_2_6E9B22A3
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9B2240 push ecx; ret 0_2_6E9B2249
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C444B push ebp; iretd 0_2_6E9C4450
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C1582 push edx; retf 0_2_6E9C15C6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C2213 push esp; ret 0_2_6E9C221B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9C3B79 push esp; iretd 0_2_6E9C3BAC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9E4855 push ecx; ret 0_2_6E9E4868
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E9E015B push ecx; ret 0_2_6E9E016E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0259AED3 push ecx; ret 3_2_0259AEE3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0259ABA0 push ecx; ret 3_2_0259ABA9
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.87960232272

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Yara detected UrsnifShow sources
                      Source: Yara matchFile source: 00000003.00000003.479416380.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479376627.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.804482994.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.495439556.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496320513.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479510909.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479453127.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496294032.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496277018.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.495483618.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496244695.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479614184.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479576032.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496057082.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479548431.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.479596189.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.622172269.0000000004CD8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.496215226.0000000003F08000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5416, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3148, type: MEMORYSTR
                      Source: Yara matchFile source: 0.2.loaddll32.exe.13a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.2590000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.51b94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.44c94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4eb94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.rundll32.exe.30b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.44b94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.3.rundll32.exe.51b94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.44b94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.4eb94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.44c94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.33594a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.rundll32.exe.3510000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.33594a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000003.00000003.621232674.00000000044C9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000003.478390389.0000000004EB9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.804033989.0000000003359000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.492977892.00000000044B9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000003.503835282.00000000051B9000.00000004.00000040.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior