
Windows Analysis Report 0f.dll

Overview

General Information

Sample Name: 0f.dll
Analysis ID: 498857
MD5: 0f90b21a2cdc35511626509c67c8cbf5
SHA1: 1293aa454365b3679afd77b34749ce8e175c997a
SHA256: 95dbbfc33223e8e670b4f25d086d65a41d67f0434d3fe37469a7bd23e134f1f6
Tags: dll

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5268 cmdline: loaddll32.exe 'C:\Users\user\Desktop\0f.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5160 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4760 cmdline: rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2316 cmdline: rundll32.exe C:\Users\user\Desktop\0f.dll,Start MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 2988 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2964 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "YspyHla3Q+Y+mL+jkDMPo0K37HDx3ZQpkC6iMQ9FB0Jvz67qLEuPPd+7itRbk+5jPXxEvcc4HELzBbK+zEpcnk3gfkFepE47XU1UkIqwsz5EFKG4uDfy9jLX4cSD4IKUeWVT2AmhhkhIjXebeVqL2cavKIWzE+O11PlMSJB8CPxu3rcoXlZgOw7DYBYyTHdQlEkgzTqDwlIzW3bdSDtO0jlb1GqIU5jAVZj0nusFmwufXbMRHKThAuzV0SiB8H0jceNWGALcy01VeCV7PJrnPe8wCvy64gODn28q2topDihJ51KGWbMNR5jWjFp/LTmfqJ9+UqlA3XrMm4Ht2D3DJEE72pdtZyqrd+EuqZEvdjw=",
  "c2_domain": ["app5.folion.xyz", "wer.defone.click", "app10.laptok.at", "apt.feel500.at", "init.in100k.at"],
  "botnet": "2500",
  "server": "580",
  "serpent_key": "lOrlLLFRkSMi2UOq",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "10"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(10 more entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.loaddll32.exe.38f94a0.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.f60000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.38f94a0.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.2.rundll32.exe.11f0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(6 more entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 0f.dll | Avira: detected
Found malware configuration
Source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 0f.dll | Metadefender: Detection: 24%
Source: 0f.dll | ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: 0f.dll | Joe Sandbox ML: detected
Source: 5.2.rundll32.exe.10000000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F935A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError
Source: 0f.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F94E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01374E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: app5.folion.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: app5.folion.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: app5.folion.xyz
Source: msapplication.xml0.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: loaddll32.exe, 00000001.00000002.810736280.000000000119B000.00000004.00000020.sdmp | String found in binary or memory: http://app5.folion.xyz
Source: {C5D724C3-27C1-11EC-90E9-ECF4BB862DED}.dat.19.dr | String found in binary or memory: http://app5.folion.xyz/C6VmqHmn62rFCww6y4ysR/P0nI5lbrE_2FoyZm/BDBmvveWjO3LK9Q/55XxQq6CmCPdNvBaEz/m5n
Source: msapplication.xml.19.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.19.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.19.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.19.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.19.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.19.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.19.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.19.dr | String found in binary or memory: http://www.youtube.com/
Source: unknown | DNS traffic detected: queries for: app5.folion.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY
Source: loaddll32.exe, 00000001.00000002.810736280.000000000119B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File sources: the same memory dumps and unpacked PEs listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F935A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

                      System Summary:

                      barindex
                      Writes or reads registry keys via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 0f.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E9810A1_2_02E9810A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100022641_2_10002264
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00F966091_2_00F96609
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00F97FA81_2_00F97FA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_0515810A4_2_0515810A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_01377FA84_2_01377FA8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_013766094_2_01376609
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF93055_2_04AF9305
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF10005_2_04AF1000
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF3F1C5_2_04AF3F1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF3AAF5_2_04AF3AAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF33AA5_2_04AF33AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AFBDAA5_2_04AFBDAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AFB4AA5_2_04AFB4AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AFA6BB5_2_04AFA6BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF59E45_2_04AF59E4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AFA4FC5_2_04AFA4FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF1BF75_2_04AF1BF7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF7FF15_2_04AF7FF1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF21C05_2_04AF21C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AFA3DD5_2_04AFA3DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF75DC5_2_04AF75DC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF2E215_2_04AF2E21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF810A5_2_04AF810A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF2D035_2_04AF2D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AFC2175_2_04AFC217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF204B5_2_04AF204B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF2F595_2_04AF2F59
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF14585_2_04AF1458
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AFA2575_2_04AFA257
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_04AF15565_2_04AF1556
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_100022645_2_10002264
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001B89 NtMapViewOfSection,1_2_10001B89
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100018D1 GetProcAddress,NtCreateSection,memset,1_2_100018D1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002485 NtQueryVirtualMemory,1_2_10002485
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00F93CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_00F93CA1
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00F981CD NtQueryVirtualMemory,1_2_00F981CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_01373CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,4_2_01373CA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_013781CD NtQueryVirtualMemory,4_2_013781CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_10002485 NtQueryVirtualMemory,5_2_10002485
                      Source: 0f.dllMetadefender: Detection: 24%
                      Source: 0f.dllReversingLabs: Detection: 78%
                      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00F919E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_00F919E7
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0f.dll,Start
                      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0f.dll'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0f.dll,Start
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
                      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0f.dll,StartJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFCB4F6EF3903B6C34.TMPJump to behavior
                      Source: classification engineClassification label: mal96.troj.winDLL@10/19@3/0
                      Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E9810A push ebp; mov dword ptr [esp], FFFF0000h1_2_02E98113
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E9810A push dword ptr [ebp-04h]; mov dword ptr [esp], eax1_2_02E99137
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E9810A push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx1_2_02E991AC
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E9810A push dword ptr [ebp-04h]; mov dword ptr [esp], esp1_2_02E991E2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E9810A push esi; mov dword ptr [esp], 000FFFFFh1_2_02E99204
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E9810A push 00000000h; mov dword ptr [esp], esi1_2_02E99293
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E95B06 push 00000000h; mov dword ptr [esp], ebp1_2_02E95B45
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E95B06 push edi; mov dword ptr [esp], 00000003h1_2_02E95B69
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_02E95B06 push ebx; mov dword ptr [esp], 00F00000h1_2_02E95B72
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002200 push ecx; ret 1_2_10002209
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002253 push ecx; ret | 1_2_10002263
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A2D8 pushad ; iretd | 1_2_00F9A2D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A2D4 pushad ; iretd | 1_2_00F9A2D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A294 pushad ; iretd | 1_2_00F9A2D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9B67C push ss; retf | 1_2_00F9B690
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F97C20 push ecx; ret | 1_2_00F97C29
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F97F97 push ecx; ret | 1_2_00F97FA7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A169 pushad ; iretd | 1_2_00F9A2D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9B163 push edx; iretd | 1_2_00F9B164
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05155B06 push 00000000h; mov dword ptr [esp], ebp | 4_2_05155B45
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05155B06 push edi; mov dword ptr [esp], 00000003h | 4_2_05155B69
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05155B06 push ebx; mov dword ptr [esp], 00F00000h | 4_2_05155B72
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push ebp; mov dword ptr [esp], FFFF0000h | 4_2_05158113
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push dword ptr [ebp-04h]; mov dword ptr [esp], eax | 4_2_05159137
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx | 4_2_051591AC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push dword ptr [ebp-04h]; mov dword ptr [esp], esp | 4_2_051591E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push esi; mov dword ptr [esp], 000FFFFFh | 4_2_05159204
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push 00000000h; mov dword ptr [esp], esi | 4_2_05159293
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0137B163 push edx; iretd | 4_2_0137B164
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01377F97 push ecx; ret | 4_2_01377FA7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01377C20 push ecx; ret | 4_2_01377C29
Source: 0f.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001F31 LoadLibraryA,GetProcAddress | 1_2_10001F31
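The push/ret, pushad/iretd, push ss/retf and push-then-overwrite sequences listed above, and the xor edx, fs:[30h] PEB read reported under "Hooking and other Techniques" below, all have fixed opcode encodings that can be located in raw bytes. The scanner below is an added example, not code from this report, from Joe Sandbox or from the sample: it matches those encodings in a code buffer and reports offsets and per-sequence counts. The PATTERNS table, scan, summarize and scan_file are names chosen here, and SAMPLE_CODE is a constructed buffer that contains no bytes from 0f.dll.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Opcode-level encodings of the sequences (32-bit x86). Plain byte matching is
# deliberate and cheap, but it can fire on data or on a mis-aligned instruction
# boundary: treat hits as leads to confirm in a disassembler, not as proof.
PATTERNS = {
    # 50..57 = push r32, C3 = ret  ->  "push ecx; ret": return into a pushed address
    "push r32; ret": re.compile(rb"[\x50-\x57]\xC3", re.DOTALL),
    # 50..57 = push r32, CF = iretd  ->  "push edx; iretd"
    "push r32; iretd": re.compile(rb"[\x50-\x57]\xCF", re.DOTALL),
    # 60 = pushad, CF = iretd
    "pushad; iretd": re.compile(rb"\x60\xCF", re.DOTALL),
    # 16 = push ss, CB = retf
    "push ss; retf": re.compile(rb"\x16\xCB", re.DOTALL),
    # push imm8 (6A ib) / push imm32 (68 id) / push r32, then the pushed slot is
    # overwritten: mov [esp], r32 (89 /r, SIB 24) or mov dword [esp], imm32 (C7 04 24 id)
    "push x; mov [esp], y": re.compile(
        rb"(?:\x6A.|\x68.{4}|[\x50-\x57])"
        rb"(?:\x89[\x04\x0C\x14\x1C\x24\x2C\x34\x3C]\x24|\xC7\x04\x24.{4})",
        re.DOTALL),
    # 64 = FS override, 33 /r = xor r32, r/m32 with mod=00 rm=101 (disp32) = 0x30:
    # reads the PEB pointer at fs:[30h] (TEB.ProcessEnvironmentBlock)
    "xor r32, fs:[30h]": re.compile(
        rb"\x64\x33[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]\x30\x00\x00\x00", re.DOTALL),
}


def scan(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, sequence name) for every hit in a raw code buffer, by offset."""
    hits: List[Tuple[int, str]] = []
    for name, pattern in PATTERNS.items():
        hits.extend((m.start(), name) for m in pattern.finditer(code))
    return sorted(hits)


def summarize(hits: List[Tuple[int, str]]) -> Dict[str, int]:
    """Count hits per sequence; density, not a single hit, is the signal."""
    return dict(Counter(name for _, name in hits))


def scan_file(path: str) -> List[Tuple[int, str]]:
    """Scan a file on disk (best applied to a dumped, unpacked code section)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed demonstration buffer (hypothetical; not bytes from 0f.dll): a normal
# prologue, then one instance of each sequence, with byte offsets in the comments.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                   # 0:  push ebp; mov ebp, esp   (ordinary prologue)
    b"\x51\xC3"                       # 3:  push ecx; ret
    b"\x90\x90\x90\x90"               # 5:  nop x4
    b"\x60\xCF"                       # 9:  pushad; iretd
    b"\x16\xCB"                       # 11: push ss; retf
    b"\x64\x33\x15\x30\x00\x00\x00"   # 13: xor edx, dword ptr fs:[30h]
    b"\x6A\x00\x89\x2C\x24"           # 20: push 0; mov dword ptr [esp], ebp
    b"\x52\xCF"                       # 25: push edx; iretd
)

if __name__ == "__main__":
    found = scan(SAMPLE_CODE)
    for offset, name in found:
        print(f"0x{offset:04x}  {name}")
    print(summarize(found))
```

Run it over a dumped, unpacked code section (the .unpack regions this report lists) rather than the packed file, because the sequences only exist in the decoded code. Isolated push/ret hits can occur in ordinary compiler output, so weight the density of hits and the pushad/iretd and push ss/retf pairs, which no compiler emits for normal user-mode code, and confirm each hit in a disassembler before reporting it.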

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 events)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6 events)
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F94E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree | 1_2_00F94E9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01374E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree | 4_2_01374E9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF2D03 xor edx, dword ptr fs:[00000030h] | 5_2_04AF2D03
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001F31 LoadLibraryA,GetProcAddress | 1_2_10001F31
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe | Command line: rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA | 1_2_10001566
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA | 5_2_10001566
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value InstallDate
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F93946 cpuid | 1_2_00F93946
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value MachineGuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_1000146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError | 1_2_1000146C
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100017A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError | 1_2_100017A7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F93946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree | 1_2_00F93946
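The process-creation row in this section (cmd.exe launching rundll32.exe with a DLL from the user's Desktop and the entry point given by ordinal, #1) is the kind of event a process-creation detection should catch. The triage code below is an added example, not code from the report or from Joe Sandbox: it parses a rundll32 command line into DLL path and export, then flags a DLL outside Windows or Program Files, an export called by ordinal, a non-library file extension, and a shell or script-host parent. The names (RUNDLL_RE, analyze_rundll32, triage, TRUSTED_PREFIXES, SHELL_PARENTS) are chosen here; EVENTS is a constructed event list in which only the first command line is the one from this report and the rest are invented.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# rundll32 command line: <rundll32 image> <dll path>,<export or #ordinal> [args]
# Log sources disagree about quoting (Sysmon keeps the original double quotes,
# this report shows single quotes), so the DLL path may be "quoted", 'quoted' or bare.
RUNDLL_RE = re.compile(
    r"""^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+   # the rundll32 image itself
        (?:"([^"]+)"|'([^']+)'|([^,\s]+))                  # DLL path
        \s*,\s*(\S+)""",                                    # export name or #ordinal
    re.IGNORECASE | re.VERBOSE,
)

# Directories a standard user cannot write to; a DLL anywhere else is the lead.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

R_PATH = "DLL outside Windows/Program Files"
R_ORDINAL = "export called by ordinal"
R_EXT = "DLL with non-library extension"
R_PARENT = "spawned by a script host or shell"


def parse_rundll32(cmdline: str) -> Optional[Dict[str, str]]:
    """Split a rundll32 command line into DLL path and export; None if it is not rundll32."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    dll = next(g for g in m.group(1, 2, 3) if g)   # exactly one quoting branch matched
    return {"dll": dll, "export": m.group(4)}


def analyze_rundll32(cmdline: str, parent: str = "") -> Optional[dict]:
    """Parse and score one process-creation event; returns None for non-rundll32 events."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    reasons: List[str] = []
    dll = parsed["dll"].lower()
    if not dll.startswith(TRUSTED_PREFIXES):          # also true for a bare "foo.dll"
        reasons.append(R_PATH)
    if parsed["export"].startswith("#"):
        reasons.append(R_ORDINAL)
    if not dll.endswith((".dll", ".cpl", ".ocx")):
        reasons.append(R_EXT)
    if parent.lower().rsplit("\\", 1)[-1] in SHELL_PARENTS:
        reasons.append(R_PARENT)
    return {**parsed, "parent": parent, "reasons": reasons, "suspicious": bool(reasons)}


def triage(events: Iterable[Tuple[str, str]]) -> List[dict]:
    """events are (parent image, command line) pairs; returns the suspicious rundll32 ones."""
    flagged = []
    for parent, cmdline in events:
        result = analyze_rundll32(cmdline, parent)
        if result and result["suspicious"]:
            flagged.append(result)
    return flagged


# Constructed process-creation events (parent image, command line). The first is the
# row from this report; the others are invented for the demonstration.
EVENTS = [
    ("C:\\Windows\\SysWOW64\\cmd.exe", r"rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1"),
    ("C:\\Windows\\explorer.exe", r"rundll32.exe C:\ProgramData\upd\lib.dll,Run"),
    ("C:\\Windows\\explorer.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ("C:\\Windows\\System32\\cmd.exe",
     r'"C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\x.txt",#2 /s'),
    ("C:\\Windows\\explorer.exe", r"notepad.exe C:\Users\user\notes.txt"),
]

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(f"{hit['dll']} -> {hit['export']}: {', '.join(hit['reasons'])}")
```

A DLL given without a path (rundll32.exe foo.dll,Bar) is resolved through the loader's search order and gets flagged here as well, since it carries no trusted prefix. In this report the immediate parent chain (loaddll32.exe, then cmd.exe) is the sandbox harness, so the shell-parent reason is the weakest of the four and is worth keeping as a scoring signal rather than an alert on its own; the Desktop path and the ordinal entry point are what carry the detection.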

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: the same 26 file sources (memory dumps, process memory space and unpacked PE regions) listed under "Hooking and other Techniques for Hiding and Protection" above

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: the same 26 file sources (memory dumps, process memory space and unpacked PE regions) listed under "Hooking and other Techniques for Hiding and Protection" above

Mitre Att&ck Matrix

Techniques followed by a number are the ones the report mapped this sample's signatures to; the number is the report's own superscript annotation on that cell. Unnumbered cells are the unmatched matrix template.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 12 | Masquerading 1 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1 |
| Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 12 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Account Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll32 1 | NTDS | System Owner/User Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 34 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Graph (image not reproduced; node and edge labels only, with the graph's per-node counters in parentheses, see legend):
Behavior Graph ID: 498857 | Sample: 0f.dll | Startdate: 07/10/2021 | Architecture: WINDOWS | Score: 96
Top-level signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
loaddll32.exe (1), started; signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
    loaddll32.exe -> cmd.exe (1), started -> rundll32.exe, started
    loaddll32.exe -> rundll32.exe, started
iexplore.exe (2 83), started -> iexplore.exe (32), started -> DNS/IP: app5.folion.xyz

Screenshots

Thumbnails