
Windows Analysis Report 2e.dll

Overview

General Information

Sample Name: 2e.dll
Analysis ID: 498882
MD5: 92a0f1023e064a46fbf2e6bb697edf55
SHA1: d2d28a35de82e8161266355a351a1e5822d49303
SHA256: 2e012edb93bb99de397b629cdc44d7516f9e6f47cd7106c93d2d6fd66a37af87
Tags: dll

Detection

Ursnif
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Tries to load missing DLLs
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 796 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2e.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5236 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4872 cmdline: rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6632 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5044 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3684 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5716 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{
  "lang_id": "RU, CN",
  "RSA Public Key": "aHj/FBAOlIGEKeY7hJtySGbhiJ+OuJag0uZwD+z98lrXzI6cghioivt/zNqE6myavQkK1TvPguLqYjDl5wY423TG5cujR5I12+riFLmXU6yLpvCwEpgEflmuQBdLI5UmZ7PM966PLmgcotslJ9y1/jYsiD2WoJkIZSAKBnncJmMF7h9eqsKMXazDFT0yQ2hN",
  "c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"],
  "botnet": "1100",
  "server": "730",
  "serpent_key": "R13xH4JuHdOWL6Sg",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "dga_base_url": "constitution.org/usdeclar.txt",
  "dga_tld": "com ru org",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(23 further entries not included in this extract)

            Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.loaddll32.exe.e00000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.30e0000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.e00000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.2f90000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.10000000.3.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(13 further entries not included in this extract)

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview


                      AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2e.dll | Avira: detected
Found malware configuration
Source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 2e.dll | Virustotal: Detection: 65%
Source: 2e.dll | Metadefender: Detection: 40%
Source: 2e.dll | ReversingLabs: Detection: 82%
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 14%

Source: 2.2.rundll32.exe.30e0000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.e00000.1.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.rundll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2e.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree

                      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49792 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49792 -> 87.106.18.141:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49824 -> 87.106.18.141:80
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | IP Address: 87.106.18.141
Source: msapplication.xml0.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x97bbf46c,0x01d7bb86</date><accdate>0x97bbf46c,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.15.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x97c31b95,0x01d7bb86</date><accdate>0x97c31b95,0x01d7bb86</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1P
Source: {DD28BAED-2779-11EC-90EB-ECF4BBEA1588}.dat.21.dr, ~DFB9EDA9C4DE41A518.TMP.21.dr | String found in binary or memory: http://api10.laptok.at/api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5a
Source: {C2243AEB-2779-11EC-90EB-ECF4BBEA1588}.dat.15.dr | String found in binary or memory: http://api10.laptok.at/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tX
Source: 2e.dll | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 2e.dll | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 2e.dll | String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.15.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.15.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.15.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.15.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.15.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.15.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.15.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.15.dr | String found in binary or memory: http://www.youtube.com/
Source: 2e.dll | String found in binary or memory: https://sectigo.com/CPS0D
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected:
    GET /api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /api1/9cxo6IB1Y7pDV3pIFs/pxY2OU074/uQoS3fQTrkAvwEYVEAv9/V9besIl3CRfg1NE1PHO/5acsxz5qxHDpv8YBmMuvj7/KGpLxQcloIDfE/SXYboMNK/ZGVNwVWGfnWgXZ7LibENrAZ/rGu1uarUfj/FSkhkIGZ0I6ED2ThT/iotSrHt6InUD/umvaUlfqIMb/01G4_2FdSHt_2F/JPI5oPhpcVsnT5eUGv8s0/LSKuaJdd_2FAe_2F/vQT2v29m9TEniEM/b63Yg6FSycj4oUXo8F/FUMOEIDKM/JTkYuf9RIKrVWGrferoc/GwDXbtZ7LjM2klfVose/Bk9CRR6n/Lu2z5l HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: api10.laptok.at
    Connection: Keep-Alive
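The extracted configuration (Malware Configuration above) and the beacon requests captured here can be combined into a small triage check. The following is an added example, not code from the Joe Sandbox report or from the Ursnif authors: it matches each request's Host and path prefix against the c2_domain entries of the configuration, and, independently of the configuration, counts the `_2B` / `_2F` tokens that the two ET signatures listed above key on. Assumptions, stated as such: the URI body is base64 in which `+` and `/` are escaped as `_2B` and `_2F` (their hex character codes) and then cut into path segments at fixed lengths, so an escape can straddle a segment boundary (visible in the capture as `pNJBMQ_2/B9Q8...`); the request text is reconstructed from the flattened traffic lines above with headers re-split; the encryption layer under the base64 is not touched.

```python
"""Ursnif-style C2 beacon triage over raw HTTP request heads.

Added example (not part of the sandbox report). The '_XX' escape reading and the
segment-straddling behaviour are assumptions consistent with the captured URIs.
"""
import re

# c2_domain entries copied from the configuration extracted by the sandbox.
URSNIF_CONFIG = {
    "c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"],
}

# '_' followed by two hex digits: the URI-safe escape of one base64 character.
_ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")


def c2_endpoints(cfg):
    """Turn 'host/path' config strings into (host, '/path/') tuples for prefix matching."""
    endpoints = []
    for entry in cfg["c2_domain"]:
        host, _, path = entry.partition("/")
        endpoints.append((host.lower(), "/" + path.strip("/") + "/"))
    return endpoints


def recover_payload(joined_path):
    """Undo the _XX escapes on a path whose '/' segment separators were already removed.

    The separators must go first: an escape split across two segments ('_2' + '/B')
    is only recognisable after the join.
    """
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), joined_path)


def parse_request(raw):
    """Minimal HTTP/1.x request-head parser: (method, path, {lower-case header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(raw, cfg=URSNIF_CONFIG, min_escapes=3):
    """Verdict for one request: configured-C2 match plus the structural _XX test."""
    method, path, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    c2_match, prefix = False, "/"
    for ep_host, ep_prefix in c2_endpoints(cfg):
        if host == ep_host and path.startswith(ep_prefix):
            c2_match, prefix = True, ep_prefix
            break
    joined = path[len(prefix):].replace("/", "")   # drop API prefix and segment separators
    escapes = len(_ESCAPE.findall(joined))
    beacon = c2_match or escapes >= min_escapes     # structural test covers unknown hosts
    return {
        "method": method,
        "host": host,
        "c2_match": c2_match,
        "escapes": escapes,
        "beacon": beacon,
        "payload_b64": recover_payload(joined) if beacon else None,
    }


# Requests reconstructed from the 'HTTP traffic detected' lines of this report,
# plus one constructed request on a host that is not in the configuration.
UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
BEACON_PATH = (
    "/api1/DGBXE3uXrLTWiBjVyk/VC7Ta4hFF/xsAyuQ20ayjuhLgkiSkm/m3K_2FmdKtkRCW_2B7u/"
    "tXHmCyMHbP9slqB1L8zpaC/nfhvJ6s58irru/pNJBMQ_2/B9Q8wSf7euVWpy0kLFFtWzz/vAwDCO_2Fo/"
    "3v4FyeGSRuSjMupWH/_2BEQ6znA7PT/8caxgyO1tr2/cTDPOBy_2FHAvv/tgKZ2JSY8uZo5PCTnq6VX/"
    "_2F2Vff20_2Fr9ux/TFmLX_2BIHd1Zmp/Jqw_2BLpi2pH8Zi61P/xEqI3ryES/n6BjkuL3N3RbBmMCK9xy/"
    "loeot0z7U9fUAU78A6C/ywgL0kQB0_2BMve6S_2Flf/2SujN_2Fl/B"
)
SAMPLE_REQUESTS = [
    f"GET {BEACON_PATH} HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, image/jxr, */*\r\n"
    f"Accept-Language: en-US\r\nUser-Agent: {UA}\r\nAccept-Encoding: gzip, deflate\r\n"
    "Host: api10.laptok.at\r\nConnection: Keep-Alive\r\n\r\n",
    f"GET /favicon.ico HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
    f"User-Agent: {UA}\r\nHost: api10.laptok.at\r\nConnection: Keep-Alive\r\n\r\n",
    # Constructed: same URI structure, host absent from the config (structural test only).
    "GET /x/ab_2Fcd/ef_2Bgh/ij_2/Fkl HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        v = classify(raw)
        print(f"{v['host']:<18} beacon={v['beacon']!s:<5} c2_match={v['c2_match']!s:<5} "
              f"escapes={v['escapes']}")
```

The favicon request to the same host is correctly left alone: it matches neither the `/api1/` prefix nor the token test, which is the same distinction the Snort alerts above make (they fire on the two `/api1/` requests only). Lowering `min_escapes` trades false positives on ordinary URLs that happen to contain `_` followed by hex digits against earlier detection of short beacons.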

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | file sources of type MEMORY:
  • 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp
  • 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp
  • 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp
  • 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp
  • 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp
  • 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp
  • 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp
  • 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp
  • 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp
  • 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp
  • 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp
  • 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp
  • 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp
  • 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp
  • 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp
  • 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp
  • 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp
  • 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp
  • 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp
  • 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp
  • 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp
  • 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp
  • 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp
  • 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp
  • 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp
  • 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp
Source: Yara match | file sources of type MEMORYSTR:
  • Process Memory Space: loaddll32.exe PID: 796
  • Process Memory Space: rundll32.exe PID: 4872
Source: Yara match | file sources of type UNPACKEDPE:
  • 0.2.loaddll32.exe.e00000.1.raw.unpack
  • 2.2.rundll32.exe.30e0000.2.unpack
  • 0.2.loaddll32.exe.e00000.1.unpack
  • 2.2.rundll32.exe.2f90000.1.unpack
  • 2.2.rundll32.exe.10000000.3.raw.unpack
  • 2.2.rundll32.exe.2f40000.0.unpack
  • 2.3.rundll32.exe.4ce94a0.0.raw.unpack
  • 0.2.loaddll32.exe.31494a0.3.unpack
  • 2.2.rundll32.exe.30e0000.2.raw.unpack
  • 2.2.rundll32.exe.2f90000.1.raw.unpack
  • 0.2.loaddll32.exe.d60000.0.unpack
  • 0.2.loaddll32.exe.10000000.4.raw.unpack
  • 0.2.loaddll32.exe.fa0000.2.unpack
  • 0.2.loaddll32.exe.10000000.4.unpack
  • 0.2.loaddll32.exe.31494a0.3.raw.unpack
  • 2.3.rundll32.exe.4ce94a0.0.unpack
  • 0.2.loaddll32.exe.d60000.0.raw.unpack
  • 2.2.rundll32.exe.10000000.3.unpack

                      E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same 46 file sources (types MEMORY, MEMORYSTR and UNPACKEDPE) listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above

                      System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: 2e.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: C:\Windows\System32\loaddll32.exe | Section loaded: mspdb140.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100021A4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA40B3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAAF44
Source: 2e.dll | Static PE information: invalid certificate
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001C22 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001AD1 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001252 GetLastError,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100023C5 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA7925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAB169 NtQueryVirtualMemory
Source: 2e.dll | Virustotal: Detection: 65%
Source: 2e.dll | Metadefender: Detection: 40%
Source: 2e.dll | ReversingLabs: Detection: 82%
Source: 2e.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA229C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2e.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6632 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3684 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C2243AE9-2779-11EC-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF302033FC2C26A542.TMP
Source: classification engine | Classification label: mal100.troj.winDLL@11/19@2/1
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002193 push ecx; ret 0_2_100021A3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002140 push ecx; ret 0_2_10002149
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAE6BE push esp; retf 0_2_00FAE6BF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAAC00 push ecx; ret 0_2_00FAAC09
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAE1AF push ebx; ret 0_2_00FAE1B2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FAE163 push edx; iretd 0_2_00FAE164
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00FAAF33 push ecx; ret 0_2_00FAAF43
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D5BAD0 push edx; ret 0_2_00D5BBD4
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D53C54 push eax; iretd 0_2_00D53C4B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D53C32 push eax; iretd 0_2_00D53C4B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D5197F push ds; retf 0_2_00D5198D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D516B6 push ecx; ret 0_2_00D516B7
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D552B6 push esp; iretd 0_2_00D552D5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D55EB0 push 0E0634C7h; retf 0_2_00D55EB5
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D53205 push cs; retf 0_2_00D53206
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D53FFB pushad ; iretd 0_2_00D5400E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00D533A6 push ds; ret 0_2_00D533BB
                      Source: 2e.dllStatic PE information: section name: .data2

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000000.00000003.803227069.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.899624754.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.899679328.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.803315900.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.899458212.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.899498607.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.899414511.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.901603317.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1203601349.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.803348643.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.803173940.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.803390693.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.899563679.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.803371540.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.899592894.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.803277362.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.803130026.0000000003A48000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.899658912.0000000005768000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 796, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4872, type: MEMORYSTR
                      Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.30e0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.e00000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.2f90000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.2f40000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4ce94a0.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.31494a0.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.30e0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.2f90000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.d60000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.fa0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.31494a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.4ce94a0.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.d60000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1203692566.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.901240382.0000000002F90000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1203393631.0000000003149000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.901405735.00000000030E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.901669349.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1202749084.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.900182748.0000000004CE9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1202777990.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
                      Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA7DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree 0_2_00FA7DD8
                      Source: C:\Windows\System32\loaddll32.exe | Memory protected: page execute read | page guard
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2e.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.1203164560.0000000001760000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA 0_2_10001B13
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA8B98 cpuid 0_2_00FA8B98
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError 0_2_1000166F
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError 0_2_10001000
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00FA8B98 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree 0_2_00FA8B98

                      Stealing of Sensitive Information:

                      Yara detected Ursnif