
Windows Analysis Report 0f.dll

Overview

General Information

Sample Name: 0f.dll
Analysis ID: 498857
MD5: 0f90b21a2cdc35511626509c67c8cbf5
SHA1: 1293aa454365b3679afd77b34749ce8e175c997a
SHA256: 95dbbfc33223e8e670b4f25d086d65a41d67f0434d3fe37469a7bd23e134f1f6
Tags: dll

Detection

Ursnif
Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5268 cmdline: loaddll32.exe 'C:\Users\user\Desktop\0f.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5160 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4760 cmdline: rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2316 cmdline: rundll32.exe C:\Users\user\Desktop\0f.dll,Start MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 2988 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2964 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "YspyHla3Q+Y+mL+jkDMPo0K37HDx3ZQpkC6iMQ9FB0Jvz67qLEuPPd+7itRbk+5jPXxEvcc4HELzBbK+zEpcnk3gfkFepE47XU1UkIqwsz5EFKG4uDfy9jLX4cSD4IKUeWVT2AmhhkhIjXebeVqL2cavKIWzE+O11PlMSJB8CPxu3rcoXlZgOw7DYBYyTHdQlEkgzTqDwlIzW3bdSDtO0jlb1GqIU5jAVZj0nusFmwufXbMRHKThAuzV0SiB8H0jceNWGALcy01VeCV7PJrnPe8wCvy64gODn28q2topDihJ51KGWbMNR5jWjFp/LTmfqJ9+UqlA3XrMm4Ht2D3DJEE72pdtZyqrd+EuqZEvdjw=",
  "c2_domain": [
    "app5.folion.xyz",
    "wer.defone.click",
    "app10.laptok.at",
    "apt.feel500.at",
    "init.in100k.at"
  ],
  "botnet": "2500",
  "server": "580",
  "serpent_key": "lOrlLLFRkSMi2UOq",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "10"
}
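The extracted configuration is the most directly actionable part of this report: the c2_domain list gives network indicators, the sample hashes in the header give host indicators, and the RSA public key and serpent_key are what the C2 channel is keyed with. The following script is an added example and is not part of the Joe Sandbox report or of the Ursnif code base: it loads the configuration as printed above, normalises the C2 domains, decodes the key blob (without assuming any particular blob layout, which the report does not state), emits one Suricata DNS alert per domain, and matches a resolver log against the domains, treating subdomains as hits and the bare parent domain as a non-hit. The Suricata rule text, SID range, resolver log format and the sample log lines are this example's own assumptions.

```python
import base64
import json
import re

# The configuration block exactly as the report prints it, embedded so the
# script runs offline (constructed input copied from the report, not fetched).
REPORT_CONFIG_JSON = r'''{"RSA Public Key": "YspyHla3Q+Y+mL+jkDMPo0K37HDx3ZQpkC6iMQ9FB0Jvz67qLEuPPd+7itRbk+5jPXxEvcc4HELzBbK+zEpcnk3gfkFepE47XU1UkIqwsz5EFKG4uDfy9jLX4cSD4IKUeWVT2AmhhkhIjXebeVqL2cavKIWzE+O11PlMSJB8CPxu3rcoXlZgOw7DYBYyTHdQlEkgzTqDwlIzW3bdSDtO0jlb1GqIU5jAVZj0nusFmwufXbMRHKThAuzV0SiB8H0jceNWGALcy01VeCV7PJrnPe8wCvy64gODn28q2topDihJ51KGWbMNR5jWjFp/LTmfqJ9+UqlA3XrMm4Ht2D3DJEE72pdtZyqrd+EuqZEvdjw=", "c2_domain": ["app5.folion.xyz", "wer.defone.click", "app10.laptok.at", "apt.feel500.at", "init.in100k.at"], "botnet": "2500", "server": "580", "serpent_key": "lOrlLLFRkSMi2UOq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}'''

# File hashes from the report header, for the host-side half of the IOC set.
SAMPLE_HASHES = {
    "md5": "0f90b21a2cdc35511626509c67c8cbf5",
    "sha1": "1293aa454365b3679afd77b34749ce8e175c997a",
    "sha256": "95dbbfc33223e8e670b4f25d086d65a41d67f0434d3fe37469a7bd23e134f1f6",
}


def load_config(text=REPORT_CONFIG_JSON):
    """Parse the extractor output and fail loudly if a field we rely on is absent."""
    cfg = json.loads(text)
    for field in ("RSA Public Key", "c2_domain", "serpent_key"):
        if field not in cfg:
            raise ValueError(f"config lacks {field!r}")
    return cfg


def c2_domains(cfg):
    """C2 domains, lower-cased and de-duplicated, in the order the config lists them."""
    out = []
    for d in cfg["c2_domain"]:
        d = d.strip().lower().rstrip(".")
        if d and d not in out:
            out.append(d)
    return out


def rsa_key_blob(cfg):
    """Decode the base64 RSA public key to raw bytes.

    The report does not say which blob layout the bytes follow, so this only
    decodes; it does not parse a modulus or exponent out of them.
    """
    return base64.b64decode(cfg["RSA Public Key"], validate=True)


def serpent_key_bytes(cfg):
    """The 16-character serpent_key as bytes (ASCII encoding is an assumption)."""
    return cfg["serpent_key"].encode("ascii")


def suricata_dns_rules(domains, sid_start=9000001):
    """One Suricata DNS-query alert per C2 domain. Rule text and SID range are
    this example's choices, not anything the report provides."""
    return [
        f'alert dns any any -> any any (msg:"Ursnif C2 DNS query {d}"; '
        f'dns.query; content:"{d}"; nocase; sid:{sid_start + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


# Hypothetical resolver log format: "... query: <name> type <rrtype>".
DNS_LOG_QUERY = re.compile(r"query:\s*(?P<name>[A-Za-z0-9.-]+)")


def find_c2_queries(log_lines, domains):
    """Return (line_no, c2_domain) for every log line that queried a C2 domain
    or a subdomain of one; a parent domain on its own is not a hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = DNS_LOG_QUERY.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        for d in domains:
            if name == d or name.endswith("." + d):
                hits.append((n, d))
                break
    return hits


# Constructed resolver log excerpt for the demonstration (not from the report).
SAMPLE_DNS_LOG = [
    "2021-10-08T10:01:02Z client 10.0.0.5 query: app5.folion.xyz type A",
    "2021-10-08T10:01:03Z client 10.0.0.5 query: www.facebook.com type A",
    "2021-10-08T10:01:05Z client 10.0.0.7 query: cdn.wer.defone.click. type A",
    "2021-10-08T10:01:06Z client 10.0.0.7 query: folion.xyz type A",
]

if __name__ == "__main__":
    cfg = load_config()
    doms = c2_domains(cfg)
    print("C2 domains:", doms)
    print("RSA blob:", len(rsa_key_blob(cfg)), "bytes; serpent key:", serpent_key_bytes(cfg))
    print("\n".join(suricata_dns_rules(doms)))
    print("C2 queries in log:", find_c2_queries(SAMPLE_DNS_LOG, doms))
```

The subdomain rule in find_c2_queries matters in practice: the report itself only shows app5.folion.xyz being queried, but matching on the registered parent (folion.xyz) alone would also fire on unrelated hosts under that domain, while ignoring subdomains would miss a host-prefixed variant of a listed C2 name.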

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(5 of 10 entries shown)

            Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.loaddll32.exe.38f94a0.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
1.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
1.2.loaddll32.exe.f60000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
1.2.loaddll32.exe.38f94a0.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.2.rundll32.exe.11f0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(5 of 6 entries shown)

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview


                      AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 0f.dll | Avira: detected
Found malware configuration
Source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack | Malware Configuration Extractor: Ursnif (the configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 0f.dll | Metadefender: Detection: 24%
Source: 0f.dll | ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: 0f.dll | Joe Sandbox ML: detected
Source: 5.2.rundll32.exe.10000000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F935A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,
Source: 0f.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F94E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01374E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

                      Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: app5.folion.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: app5.folion.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: app5.folion.xyz
Source: msapplication.xml0.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9b482054,0x01d7bbce</date><accdate>0x9b482054,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9b4f4795,0x01d7bbce</date><accdate>0x9b4f4795,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.19.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9b566f66,0x01d7bbce</date><accdate>0x9b566f66,0x01d7bbce</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: loaddll32.exe, 00000001.00000002.810736280.000000000119B000.00000004.00000020.sdmp | String found in binary or memory: http://app5.folion.xyz
Source: {C5D724C3-27C1-11EC-90E9-ECF4BB862DED}.dat.19.dr | String found in binary or memory: http://app5.folion.xyz/C6VmqHmn62rFCww6y4ysR/P0nI5lbrE_2FoyZm/BDBmvveWjO3LK9Q/55XxQq6CmCPdNvBaEz/m5n
Source: msapplication.xml.19.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.19.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.19.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.19.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.19.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.19.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.19.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.19.dr | String found in binary or memory: http://www.youtube.com/
Source: unknown | DNS traffic detected: queries for: app5.folion.xyz

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY
Source: loaddll32.exe, 00000001.00000002.810736280.000000000119B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F935A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,

                      System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: 0f.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002264
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F96609
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F97FA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01377FA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01376609
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF9305
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF1000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF3F1C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF3AAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF33AA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFBDAA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFB4AA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFA6BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF59E4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFA4FC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF1BF7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF7FF1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF21C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFA3DD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF75DC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF2E21
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF810A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF2D03
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFC217
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF204B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF2F59
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF1458
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AFA257
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF1556
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10002264
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001B89 NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100018D1 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002485 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F93CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F981CD NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01373CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_013781CD NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_10002485 NtQueryVirtualMemory,
Source: 0f.dll | Metadefender: Detection: 24%
Source: 0f.dll | ReversingLabs: Detection: 78%
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F919E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0f.dll,Start
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0f.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0f.dll,Start
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2988 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFCB4F6EF3903B6C34.TMP
Source: classification engine | Classification label: mal96.troj.winDLL@10/19@3/0
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push ebp; mov dword ptr [esp], FFFF0000h
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push dword ptr [ebp-04h]; mov dword ptr [esp], eax
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push dword ptr [ebp-04h]; mov dword ptr [esp], esp
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push esi; mov dword ptr [esp], 000FFFFFh
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E9810A push 00000000h; mov dword ptr [esp], esi
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E95B06 push 00000000h; mov dword ptr [esp], ebp
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E95B06 push edi; mov dword ptr [esp], 00000003h
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_02E95B06 push ebx; mov dword ptr [esp], 00F00000h
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002200 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002253 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A2D8 pushad ; iretd
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A2D4 pushad ; iretd
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A294 pushad ; iretd
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9B67C push ss; retf
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F97C20 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F97F97 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9A169 pushad ; iretd
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F9B163 push edx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05155B06 push 00000000h; mov dword ptr [esp], ebp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05155B06 push edi; mov dword ptr [esp], 00000003h
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05155B06 push ebx; mov dword ptr [esp], 00F00000h
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push ebp; mov dword ptr [esp], FFFF0000h
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push dword ptr [ebp-04h]; mov dword ptr [esp], eax
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push dword ptr [ebp-04h]; mov dword ptr [esp], esp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push esi; mov dword ptr [esp], 000FFFFFh
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0515810A push 00000000h; mov dword ptr [esp], esi
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0137B163 push edx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01377F97 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01377C20 push ecx; ret
Source: 0f.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001F31 LoadLibraryA,GetProcAddress,
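The "Uses code obfuscation techniques (call, push, ret)" entries above are two-instruction excerpts, and each pattern has a plain equivalent worth recognising before stepping through the unpacked code: "push X; mov dword ptr [esp], Y" reserves a stack slot with a throwaway push and then overwrites it, so it is simply "push Y", and "push reg; ret" pops the just-pushed register into EIP, so it is "jmp reg". The one trap is "mov dword ptr [esp], esp", where the stored value is ESP after the reservation (the original ESP minus 4), which a genuine "push esp" would not produce. The script below is an added example, not part of the Joe Sandbox report or of any disassembler: it rewrites the report's own sequences into their plain equivalents and counts recognised pairs per function address so an analyst knows which functions to open first. The input list is copied from the entries above; the rewriting rules are this example's own.

```python
import re
from collections import Counter

# Instruction pairs copied from the "Code function" entries above, as
# (function address, sequence). Constructed test input: the report gives
# only these two-instruction excerpts, not the surrounding code.
REPORT_SEQUENCES = [
    ("1_2_02E9810A", "push ebp; mov dword ptr [esp], FFFF0000h"),
    ("1_2_02E9810A", "push dword ptr [ebp-04h]; mov dword ptr [esp], eax"),
    ("1_2_02E9810A", "push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx"),
    ("1_2_02E9810A", "push dword ptr [ebp-04h]; mov dword ptr [esp], esp"),
    ("1_2_02E9810A", "push esi; mov dword ptr [esp], 000FFFFFh"),
    ("1_2_02E9810A", "push 00000000h; mov dword ptr [esp], esi"),
    ("1_2_02E95B06", "push 00000000h; mov dword ptr [esp], ebp"),
    ("1_2_02E95B06", "push edi; mov dword ptr [esp], 00000003h"),
    ("1_2_02E95B06", "push ebx; mov dword ptr [esp], 00F00000h"),
    ("1_2_10002200", "push ecx; ret"),
    ("1_2_10002253", "push ecx; ret"),
    ("1_2_00F9A2D8", "pushad ; iretd"),
    ("1_2_00F9B67C", "push ss; retf"),
    ("1_2_00F9B163", "push edx; iretd"),
]

# "push <anything>; mov dword ptr [esp], <value>": the push only reserves
# the slot and the mov overwrites it, so the pair equals "push <value>".
PUSH_THEN_OVERWRITE = re.compile(
    r"^push (?P<dummy>.+?);\s*mov dword ptr \[esp\],\s*(?P<value>\S+)$",
    re.IGNORECASE,
)

# "push <reg>; ret" pops the pushed register into EIP: a "jmp <reg>".
# Only a bare "ret" qualifies; "iretd" and "retf" are deliberately excluded.
PUSH_REG_RET = re.compile(
    r"^push (?P<reg>e(?:ax|bx|cx|dx|si|di|bp|sp));\s*ret$", re.IGNORECASE
)


def normalize(seq):
    """Collapse runs of whitespace so the regexes see one canonical form."""
    return " ".join(seq.split())


def simplify(seq):
    """Return the plain equivalent of a recognised pair, else the input unchanged."""
    s = normalize(seq)
    m = PUSH_THEN_OVERWRITE.match(s)
    if m:
        value = m.group("value")
        if value.lower() == "esp":
            # The mov stores ESP *after* the push decremented it, so the slot
            # holds the original ESP minus 4. A real "push esp" stores the
            # original ESP, so keep that difference visible in the output.
            return "push esp-4"
        return f"push {value}"
    m = PUSH_REG_RET.match(s)
    if m:
        return f"jmp {m.group('reg').lower()}"
    return s


def simplify_all(entries):
    """(function, original, simplified, changed) for each report entry."""
    rows = []
    for func, seq in entries:
        original = normalize(seq)
        simplified = simplify(original)
        rows.append((func, original, simplified, simplified != original))
    return rows


def obfuscation_counts(entries):
    """Recognised obfuscated pairs per function address; functions with the
    most are the ones to open first when unpacking."""
    counts = Counter()
    for func, _orig, _simp, changed in simplify_all(entries):
        if changed:
            counts[func] += 1
    return dict(counts)


if __name__ == "__main__":
    for func, original, simplified, changed in simplify_all(REPORT_SEQUENCES):
        marker = "=>" if changed else "  "
        print(f"{func}: {original:52} {marker} {simplified}")
    print(obfuscation_counts(REPORT_SEQUENCES))
```

The sequences that come back unchanged ("pushad ; iretd", "push ss; retf", "push edx; iretd") are left alone on purpose: an interrupt return or far return from user-mode code is not a control-flow idiom with a clean equivalent, and in a packed sample such bytes are as likely to be data or junk the sandbox disassembled as they are to be executed instructions.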

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Yara detected Ursnif
                      Source: Yara match | File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
                      Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F94E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01374E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04AF2D03 xor edx, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001F31 LoadLibraryA,GetProcAddress,
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0f.dll',#1
                      Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: loaddll32.exe, 00000001.00000002.812552888.0000000001620000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.812702968.00000000033A0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F93946 cpuid
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_1000146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100017A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00F93946 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

                      Stealing of Sensitive Information:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
                      Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY

                      Remote Access Functionality:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000001.00000003.739535676.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739521647.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739458564.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739502896.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739363916.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.813265596.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739321134.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739404580.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000003.739481698.00000000040A8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5268, type: MEMORYSTR
                      Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.f60000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.38f94a0.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.11f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.rundll32.exe.1370000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 1.2.loaddll32.exe.f90000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.5bb94a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000004.00000003.706311406.0000000005BB9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.706735766.00000000011F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.809626071.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.813125689.00000000038F9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000001.00000002.810063319.0000000000F60000.00000004.00000001.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection12 | Masquerading1 | Input Capture1 | System Time Discovery1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact1
                      Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery34 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      [Behavior graph] Behavior Graph ID: 498857; Sample: 0f.dll; Startdate: 07/10/2021; Architecture: WINDOWS; Score: 96. Top-level signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures. Processes started: loaddll32.exe (signatures: Writes or reads registry keys via WMI; Writes registry values via WMI) and iexplore.exe; loaddll32.exe started cmd.exe and rundll32.exe; iexplore.exe started iexplore.exe; cmd.exe started rundll32.exe. DNS/IP info: app5.folion.xyz (contacted by iexplore.exe).

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.