
Windows Analysis Report fiHY95Y1CZ.exe

Overview

General Information

Sample Name: fiHY95Y1CZ.exe (renamed file extension from exe to dll)
Analysis ID: 540821
MD5: 3b7d8109b37e996e06ae68144f37a73c
SHA1: 9ee1957c39834e9ea87cd72d7f09e9f08e1712d3
SHA256: 53f09461a48f10c95f426cd179106cbe94fba81c498fb7414d6a849470ee777e
Tags: exe, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Registers a DLL
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6620 cmdline: loaddll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6664 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6712 cmdline: rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6700 cmdline: regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 6728 cmdline: rundll32.exe C:\Users\user\Desktop\fiHY95Y1CZ.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 19 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6664, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1, ProcessId: 6712

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.776128784.0000000000710000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: fiHY95Y1CZ.dll | Virustotal: Detection: 23%
Source: fiHY95Y1CZ.dll | ReversingLabs: Detection: 37%
Antivirus detection for URL or domain
Source: https://berukoneru.website:4434 | Avira URL Cloud: Label: malware
Source: https://berukoneru.website:443 | Avira URL Cloud: Label: malware
Source: https://berukoneru.website/tire/pwsRZXEKCNadKEKqX1o9/b2Zj7hHedRFWAjDTz7_/2FOi9hvcPIf92jE5HHyv1B/OfZF | Avira URL Cloud: Label: malware
Source: https://berukoneru.website/ | Avira URL Cloud: Label: malware
Source: https://berukoneru.website/tire/za2qkobGG8hjnBcNlK5rpy/DM0ZTFZcdObn9/heBYxiqA/288tZtaDdhUDDHi0oDe4mT | Avira URL Cloud: Label: malware
Source: https://berukoneru.website/n | Avira URL Cloud: Label: malware
Source: https://berukoneru.website/tire/r5QiHxjTySmGYdSO5D/jcUwjLzfU/E7ReP6jBdZthorydDqCp/VP_2FtRTEArd2s1OvU | Avira URL Cloud: Label: malware
Source: https://berukoneru.website/_ | Avira URL Cloud: Label: malware
Source: https://berukoneru.website/f | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: berukoneru.website | Virustotal: Detection: 9%
Source: gerukoneru.website | Virustotal: Detection: 8%
Source: fortunarah.com | Virustotal: Detection: 9%
Machine Learning detection for sample
Source: fiHY95Y1CZ.dll | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.loaddll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 4.2.regsvr32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 5.2.rundll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 6.2.rundll32.exe.10000000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Uses 32bit PE files
Source: fiHY95Y1CZ.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 3.20.161.64 187
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: gerukoneru.website
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 3.12.124.139 187
Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: fortunarah.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: loaddll32.exe, 00000001.00000003.391563664.00000000007FE000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp, loaddll32.exe, 00000001.00000003.713545660.00000000007FE000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.659059165.0000000000816000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.538531416.00000000007FE000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.658990293.00000000007FE000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.726928677.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.649480266.00000000007DE000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.352136475.00000000007DD000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.604514487.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.441260649.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.397522414.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.373886664.00000000007DA000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.479797692.00000000007DA000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.671393257.00000000007DE000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.693315999.00000000007DE000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777730381.00000000007DE000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729649421.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729820019.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.524614944.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.474120676.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.419365031.00000000007DF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://ocsp.digicert.com0C
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000006.00000003.568560207.0000000000833000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.649323077.0000000000833000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/Organization
Source: fiHY95Y1CZ.dll | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: rundll32.exe, 00000006.00000003.352095689.0000000005211000.00000004.00000001.sdmp | String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: loaddll32.exe, 00000001.00000003.592813795.0000000000881000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.592855025.0000000000887000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.472113086.0000000000873000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.346748265.0000000000862000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.713588601.0000000000859000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.713545660.00000000007FE000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.482058539.0000000005EF9000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.608955593.0000000005EF9000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.731403472.0000000005EFC000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.352117976.000000000082B000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.479898288.000000000081C000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.479797692.00000000007DA000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729501485.000000000077D000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/MicrosoftEdgeDownload"
Source: loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp | String found in binary or memory: https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respo
Source: loaddll32.exe, 00000001.00000003.346748265.0000000000862000.00000004.00000001.sdmp, regsvr32.exe, 00000004.00000003.482058539.0000000005EF9000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729501485.000000000077D000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.729801829.000000000081E000.00000004.00000001.sdmp | String found in binary or memory: https://assets.onestore.ms/cdnfiles/onestorerolling-1605-16000/shell/common/respond-proxy.html
Source: loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp, rundll32.exe, 00000006.00000003.546840107.000000000077E000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777730381.00000000007DE000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/
Source: loaddll32.exe, 00000001.00000003.391598549.000000000083A000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/_
Source: rundll32.exe, 00000006.00000003.671393257.00000000007DE000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/f
Source: rundll32.exe, 00000006.00000002.777730381.00000000007DE000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/n
Source: loaddll32.exe, 00000001.00000002.776460108.000000000079B000.00000004.00000020.sdmp | String found in binary or memory: https://berukoneru.website/tire/pwsRZXEKCNadKEKqX1o9/b2Zj7hHedRFWAjDTz7_/2FOi9hvcPIf92jE5HHyv1B/OfZF
Source: loaddll32.exe, 00000001.00000003.391598549.000000000083A000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/r5QiHxjTySmGYdSO5D/jcUwjLzfU/E7ReP6jBdZthorydDqCp/VP_2FtRTEArd2s1OvU
Source: rundll32.exe, 00000006.00000002.777335258.0000000000797000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/za2qkobGG8hjnBcNlK5rpy/DM0ZTFZcdObn9/heBYxiqA/288tZtaDdhUDDHi0oDe4mT
Source: loaddll32.exe, 00000001.00000003.658945899.00000000007EA000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website:443
Source: loaddll32.exe, 00000001.00000002.777998802.0000000000887000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website:4434
Source: loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp | String found in binary or memory: https://c.s
Source: rundll32.exe, 00000006.00000003.726928677.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.474120676.00000000007DF000.00000004.00000001.sdmp | String found in binary or memory: https://fortunarah.com/
Source: rundll32.exe, 00000006.00000003.474120676.00000000007DF000.00000004.00000001.sdmp | String found in binary or memory: https://fortunarah.com/g
Source: loaddll32.exe, 00000001.00000003.538576666.000000000083A000.00000004.00000001.sdmp | String found in binary or memory: https://gerukoneru.website/
Source: loaddll32.exe, 00000001.00000003.659059165.0000000000816000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.658990293.00000000007FE000.00000004.00000001.sdmp | String found in binary or memory: https://gerukoneru.website/7
Source: rundll32.exe, 00000006.00000003.441260649.00000000007DF000.00000004.00000001.sdmp | String found in binary or memory: https://gerukoneru.website/V
Source: loaddll32.exe, 00000001.00000003.538576666.000000000083A000.00000004.00000001.sdmp | String found in binary or memory: https://gerukoneru.website/_
Source: rundll32.exe, 00000006.00000003.693315999.00000000007DE000.00000004.00000001.sdmp | String found in binary or memory: https://gerukoneru.website/f
Source: loaddll32.exe, 00000001.00000003.538576666.000000000083A000.00000004.00000001.sdmp | String found in binary or memory: https://gerukoneru.website/g
Source: loaddll32.exe, 00000001.00000003.538576666.000000000083A000.00000004.00000001.sdmp | String found in binary or memory: https://gerukoneru.website/o
Source: loaddll32.exe, 00000001.00000003.538445534.0000000000857000.00000004.00000001.sdmp | String found in binary or memory: https://gerukoneru.website/tire/2BC_2BBRBNFJ1PmozxxmKVd/gm6Dkla7K7/8u9w5b_2FXO_2FnQt/BMclQSrzXXf4/Rq
Source: loaddll32.exe, 00000001.00000003.658990293.00000000007FE000.00000004.00000001.sdmp | String found in binary or memory: https://gerukoneru.website/tire/xpW7gpb7TrkZ/x1HHPi7fp9L/0D56sMwSf_2Bjl/6GWFUIy7ar_2FfABNgnCj/82C0Hf
Source: loaddll32.exe, 00000001.00000003.713526931.00000000007EA000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.658945899.00000000007EA000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000002.777190196.00000000007EA000.00000004.00000020.sdmp | String found in binary or memory: https://gerukoneru.website:443
Source: rundll32.exe, 00000006.00000003.729501485.000000000077D000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.777239624.000000000077E000.00000004.00000001.sdmp | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax"
Source: rundll32.exe, 00000005.00000003.729665174.0000000004B61000.00000004.00000040.sdmp | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xvsU?ver=e636"
Source: fiHY95Y1CZ.dll | String found in binary or memory: https://nodejs.org0
Source: rundll32.exe, 00000006.00000003.352095689.0000000005211000.00000004.00000001.sdmp | String found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
Source: rundll32.exe, 00000006.00000003.524614944.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.419365031.00000000007DF000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/
Source: rundll32.exe, 00000006.00000003.441260649.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.397522414.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.479797692.00000000007DA000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.474120676.00000000007DF000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.419365031.00000000007DF000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/2
Source: loaddll32.exe, 00000001.00000003.391563664.00000000007FE000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/Z
Source: loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp | String found in binary or memory: https://windows.update3.com/llU
Source: loaddll32.exe, 00000001.00000003.392575385.000000000085C000.00000004.00000001.sdmp, loaddll32.exe, 00000001.00000003.391598549.000000000083A000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/tire/NBe6wGJmUc0TyUzeyP/5Njlm_2FV/AnUx9J_2FMkoEzFmIRim/7MsjKW4RRjAKub2A8
Source: loaddll32.exe, 00000001.00000003.658990293.00000000007FE000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/tire/Wt7VtJWXxvCxj/q8Hicv2m/rYOqGahqW2aY_2BSfNZT5kT/9hHx0IzQpe/vlCX_2Bqh
Source: loaddll32.exe, 00000001.00000002.777414698.00000000007FE000.00000004.00000020.sdmp | String found in binary or memory: https://windows.update3.com/tire/e5hjYNeWetXz_2B/Th5RGlAc56d_2FCUbi/NUhZqTgpn/_2FHcnisafGQJWYV9uWj/n
Source: rundll32.exe, 00000006.00000002.776805911.000000000074A000.00000004.00000020.sdmp | String found in binary or memory: https://windows.update3.com/tire/fPNeZGvZ_2FjPtgP/S4ORv62WOG6CqCc/RpObjfG9eDuBR7sVqh/4jcyxlUAH/kr39Z
Source: fiHY95Y1CZ.dll | String found in binary or memory: https://www.digicert.com/CPS0
Source: fiHY95Y1CZ.dll | String found in binary or memory: https://www.globalsign.com/repository/0
Source: fiHY95Y1CZ.dll | String found in binary or memory: https://www.globalsign.com/repository/03
Source: unknown | DNS traffic detected: queries for: windows.update3.com

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000003.414360466.0000000002DFF000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.781134724.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.418282417.0000000004BDF000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.346775098.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.370009221.0000000002FFB000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.370118981.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.418476955.000000000581F000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.397818170.0000000004D1D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.370329481.0000000005A1B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.779225699.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.780149501.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.396516562.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.346831969.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.392772677.0000000002EFD000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.376015691.0000000004E1B000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.346931198.0000000005B98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.352281996.0000000004F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.396552270.000000000591D000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000003.419719832.0000000004C1F000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.780908469.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6620, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 6700, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6712, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6728, type: MEMORYSTR
            Source: loaddll32.exe, 00000001.00000002.776460108.000000000079B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            Yara detected Ursnif

            System Summary:

            PE file has a writeable .text section
            Source: fiHY95Y1CZ.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Writes or reads registry keys via WMI
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMI
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: fiHY95Y1CZ.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002244
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00781006
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0078B084
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00783373
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0078294D
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590DF9
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590DF7
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0346294D
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_03463373
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0346B084
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_006E1006
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_006EB084
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_006E3373
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_006E294D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740DF7
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740DF9
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00541006
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0054B084
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0054294D
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00543373
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00720DF7
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00720DF9
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001297 GetProcAddress,NtCreateSection,memset
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001E31 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002058 NtMapViewOfSection
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002465 NtQueryVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00786C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0078B2A9 NtQueryVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590880 NtAllocateVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590ABA NtProtectVirtualMemory
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_005908B7 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_03466C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0346B2A9 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_006E6C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_006EB2A9 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_007408B7 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740ABA NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740880 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00546C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0054B2A9 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_007208B7 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00720ABA NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00720880 NtAllocateVirtualMemory
            Source: fiHY95Y1CZ.dll | Binary or memory string: OriginalFilenameSymErr.exeT vs fiHY95Y1CZ.dll
            Source: fiHY95Y1CZ.dll | Binary or memory string: OriginalFilenameNsc.exe. vs fiHY95Y1CZ.dll
            Source: fiHY95Y1CZ.dll | Binary or memory string: OriginalFilenamebyInstallHelper.exe. vs fiHY95Y1CZ.dll
            Source: fiHY95Y1CZ.dll | Binary or memory string: OriginalFilenameBgRegister.exe4 vs fiHY95Y1CZ.dll
            Source: fiHY95Y1CZ.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
            Source: fiHY95Y1CZ.dll | Static PE information: invalid certificate
            Source: fiHY95Y1CZ.dll | Virustotal: Detection: 23%
            Source: fiHY95Y1CZ.dll | ReversingLabs: Detection: 37%
            Source: fiHY95Y1CZ.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll"
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\fiHY95Y1CZ.dll,DllRegisterServer
            Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: classification engine | Classification label: mal100.troj.evad.winDLL@9/0@91/4
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00783309 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1
            Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: fiHY95Y1CZ.dll | Static file information: File size 1776800 > 1048576
            Source: fiHY95Y1CZ.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16fa00
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002233 push ecx; ret 1_2_10002243
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_100021E0 push ecx; ret 1_2_100021E9
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0078B073 push ecx; ret 1_2_0078B083
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0078E97E pushad ; iretd 1_2_0078E982
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0078AD40 push ecx; ret 1_2_0078AD49
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590A66 push edx; ret 1_2_00590B11
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_005905DF push dword ptr [ebp-00000284h]; ret 1_2_0059087F
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590ECD push 1001C571h; ret 1_2_00590ED4
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590BFC push dword ptr [esp+0Ch]; ret 1_2_00590C10
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590BFC push dword ptr [esp+10h]; ret 1_2_00590C56
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_005906F5 push dword ptr [ebp-00000284h]; ret 1_2_00590764
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590880 push dword ptr [ebp-00000284h]; ret 1_2_005908B6
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00590ABA push edx; ret 1_2_00590B11
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_005908B7 push dword ptr [ebp-00000284h]; ret 1_2_00590A65
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_005908B7 push dword ptr [ebp-0000028Ch]; ret 1_2_00590AB9
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_005908B7 push edx; ret 1_2_00590B11
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_005908B7 push dword ptr [esp+10h]; ret 1_2_00590BFB
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0346AD40 push ecx; ret 4_2_0346AD49
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0346E97E pushad ; iretd 4_2_0346E982
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_0346B073 push ecx; ret 4_2_0346B083
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_006EB073 push ecx; ret 5_2_006EB083
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_006EE97E pushad ; iretd 5_2_006EE982
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_006EAD40 push ecx; ret 5_2_006EAD49
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740A66 push edx; ret 5_2_00740B11
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_007406F5 push dword ptr [ebp-00000284h]; ret 5_2_00740764
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740ECD push 1001C571h; ret 5_2_00740ED4
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_007408B7 push dword ptr [ebp-00000284h]; ret 5_2_00740A65
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_007408B7 push dword ptr [ebp-0000028Ch]; ret 5_2_00740AB9
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_007408B7 push edx; ret 5_2_00740B11
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_007408B7 push dword ptr [esp+10h]; ret 5_2_00740BFB
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_00740ABA push edx; ret 5_2_00740B11
            Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001D26 LoadLibraryA,GetProcAddress
            Source: fiHY95Y1CZ.dll | Static PE information: real checksum: 0x1b3666 should be: 0x1b9826
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
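The process picture in this section, loaddll32.exe spawning regsvr32.exe /s against a DLL on the user's Desktop, with the Yara rule also firing inside regsvr32.exe (PID 6700) and two rundll32.exe instances (PIDs 6712 and 6728), is the sandbox exercising a DLL sample through the stock Windows DLL hosts. In production telemetry the parent would be whatever wrote the DLL to disk, but the regsvr32/rundll32 part is the detectable pattern: a system DLL host asked to load a module from a user-writable directory. The Python below is an added detection example, not part of the report, applied to constructed Sysmon-style process-creation events. Only the regsvr32 command line and the PIDs 6700 and 6712 are taken from the report; the parent images, the rundll32 command line (its "#1" ordinal entry point is invented for the example) and the two benign rows are made up, and all function and field names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 fields, trimmed).
# Rows 1 and 2 reuse the report's regsvr32 command line and PIDs; everything
# else, including the rundll32 command line, is made up for this example.
SAMPLE_EVENTS = [
    {"ProcessId": 6700, "ParentImage": r"C:\Windows\System32\loaddll32.exe",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\user\Desktop\fiHY95Y1CZ.dll"},
    {"ProcessId": 6712, "ParentImage": r"C:\Windows\System32\loaddll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\fiHY95Y1CZ.dll",#1'},
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
    {"ProcessId": 4288, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\user\notes.txt"},
]

# Directory fragments a standard user can write to; extend for your estate.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
DLL_HOSTS = {"regsvr32.exe", "rundll32.exe"}


def split_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line, keeping a quoted span (with whatever is
    glued to it, such as ',#1') inside a single token, then drop the quotes."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|\S)+', cmdline)]


def module_and_entry(host: str, cmdline: str) -> tuple:
    """Return (module path, entry point) the host was asked to load.
    regsvr32 takes the DLL as its first non-switch argument; rundll32 takes
    '<module>,<export or #ordinal>'."""
    args = [t for t in split_cmdline(cmdline)[1:] if not t.startswith(("/", "-"))]
    if not args:
        return None, None
    if host == "rundll32.exe":
        module, _, entry = args[0].partition(",")
        return module, entry or None
    return args[0], None


def in_user_writable_dir(path: str) -> bool:
    lowered = path.lower()
    return any(frag in lowered for frag in USER_WRITABLE)


def detect(events: list) -> list:
    """Flag regsvr32/rundll32 loading a module from a user-writable directory,
    noting silent registration and ordinal entry points as aggravating details."""
    findings = []
    for ev in events:
        host = PureWindowsPath(ev["Image"]).name.lower()
        if host not in DLL_HOSTS:
            continue
        module, entry = module_and_entry(host, ev["CommandLine"])
        if module is None or not in_user_writable_dir(module):
            continue
        reasons = [f"{host} loading a module from a user-writable path"]
        tokens = {t.lower() for t in split_cmdline(ev["CommandLine"])}
        if host == "regsvr32.exe" and "/s" in tokens:
            reasons.append("silent registration (/s)")
        if entry and entry.startswith("#"):
            reasons.append(f"export called by ordinal ({entry})")
        findings.append({
            "pid": ev["ProcessId"],
            "parent": PureWindowsPath(ev["ParentImage"]).name,
            "host": host,
            "module": module,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["pid"], finding["parent"], "->", finding["host"],
              finding["module"], "; ".join(finding["reasons"]))
```

The path test is deliberately the whole of the base rule: registering or running a DLL from System32 via an installer (row 3) is routine, while the same hosts pointed at Desktop, Temp or AppData are rare enough in most fleets to alert on, and the /s and ordinal details raise the score rather than gate the match. Tune USER_WRITABLE to the directories your users can actually write to, and expect to add an allow-list for software that self-registers COM servers from its own install directory under AppData.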