
Analysis Report KcFVz0y2si.dll

Overview

General Information

Sample Name: KcFVz0y2si.dll
Analysis ID: 382183
MD5: a1e2a0759924852c160b109f73ffd091
SHA1: 7ebf1673c6661cfddfa4891c6e455111ce331333
SHA256: 657455d2129ca06ee85cb534186d7d80b648e10f7f9e50f43cc5f56fbc7d154c
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 4200 cmdline: loaddll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 2936 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 408 cmdline: rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1852 cmdline: rundll32.exe C:\Users\user\Desktop\KcFVz0y2si.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5740 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1260 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5740 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 2212 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4592 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5348 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1076 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2440 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1076 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.800812479.0000000004D38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.800782996.0000000004D38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.798289692.0000000003ACB000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.800751690.0000000004D38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.798356915.0000000003ACB000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.10000000.5.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.1d0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.1180000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
2.2.rundll32.exe.11d0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.37794a0.3.raw.unpack | Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]
Multi AV Scanner detection for submitted file
Source: KcFVz0y2si.dll | Virustotal: Detection: 52%
Source: KcFVz0y2si.dll | ReversingLabs: Detection: 52%
Machine Learning detection for sample
Source: KcFVz0y2si.dll | Joe Sandbox ML: detected
Source: 3.2.rundll32.exe.a60000.3.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.10000000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: KcFVz0y2si.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02FA12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: Joe Sandbox View | IP Address: 185.243.114.196
Source: Joe Sandbox View | ASN Name: ACCELERATED-ITDE
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 185.243.114.196:80
Source: unknown | DNS traffic detected: queries for: login.microsoftonline.com
Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js.7.dr | String found in binary or memory: http://feross.org
Source: loaddll32.exe, 00000000.00000002.913202571.00000000013DF000.00000004.00000020.sdmp | String found in binary or memory: http://under17.com
Source: loaddll32.exe, 00000000.00000002.913123294.000000000135B000.00000004.00000020.sdmp, ~DF3D1717B6AEE1212D.TMP.8.dr, {D2E72914-964E-11EB-90EB-ECF4BBEA1588}.dat.8.dr | String found in binary or memory: http://under17.com/joomla/RnasiUAhJh/oSxo5X5EIKvwU8Ag1/uMFl7HC_2Fjl/9ltc89lzleE/s0K70MqQow8SbX/RmoUq
Source: ~DFD254BC66F83ED0AF.TMP.11.dr, {E0E69389-964E-11EB-90EB-ECF4BBEA1588}.dat.11.dr | String found in binary or memory: http://under17.com/joomla/lIbeNmys4TdjSx_2FdVt/zKr90P9Hk_2BiF_2Ff8/DQfv4eLCQELbftpFrLH4_2/BewGR13P5J
Source: {B87D9162-964E-11EB-90EB-ECF4BBEA1588}.dat.6.dr, ~DFB4B54F0F959EF8BA.TMP.6.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.912950369.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.912982119.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.678640834.00000000011D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.11d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.800812479.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800782996.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798289692.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800751690.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798356915.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798241587.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798380410.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798275065.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800877488.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800857311.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800835964.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798260213.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.877675545.00000000039CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800898920.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800911923.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4200, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 408, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.913123294.000000000135B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.912950369.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.912982119.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.678640834.00000000011D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.11d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.800812479.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800782996.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798289692.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800751690.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798356915.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798241587.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798380410.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798275065.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800877488.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800857311.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800835964.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798260213.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.877675545.00000000039CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800898920.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800911923.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4200, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 408, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001D9F NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001EB5 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10002375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02FA83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02FAB341 NtQueryVirtualMemory
Source: KcFVz0y2si.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal84.troj.winDLL@18/115@5/1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02FA757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B87D9160-964E-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF3CCEFA9C6D079283.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KcFVz0y2si.dll,StartService
Source: KcFVz0y2si.dll | Virustotal: Detection: 52%
Source: KcFVz0y2si.dll | ReversingLabs: Detection: 52%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KcFVz0y2si.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5740 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17414 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1076 CREDAT:17410 /prefetch:2
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KcFVz0y2si.dll,StartServiceJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5740 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17414 /prefetch:2Jump to behavior
                      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1076 CREDAT:17410 /prefetch:2Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_10001745 LoadLibraryA,GetProcAddress,0_2_10001745
                      Source: KcFVz0y2si.dllStatic PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_02EF34A1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx | 0_2_02EF3632
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF348F push 00000000h; mov dword ptr [esp], edx | 0_2_02EF37FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF348F push edx; mov dword ptr [esp], 00000002h | 0_2_02EF384A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF348F push 00000000h; mov dword ptr [esp], ecx | 0_2_02EF38D7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF6194 push eax; mov dword ptr [esp], 00000004h | 0_2_02EF61AF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF6194 push esi; mov dword ptr [esp], 00001000h | 0_2_02EF61B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF6194 push 00000000h; mov dword ptr [esp], ebp | 0_2_02EF6267
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF20EE push 00000000h; mov dword ptr [esp], esi | 0_2_02EF210B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF20EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi | 0_2_02EF2177
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF20EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_02EF222E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF20EE push 00000000h; mov dword ptr [esp], eax | 0_2_02EF2498
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF20EE push 00000000h; mov dword ptr [esp], edi | 0_2_02EF2502
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF20EE push 00000000h; mov dword ptr [esp], ecx | 0_2_02EF2524
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF20EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 0_2_02EF269D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF20EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi | 0_2_02EF2737
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF20EE push edi; mov dword ptr [esp], 00000004h | 0_2_02EF2759
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF5AF6 push esi; mov dword ptr [esp], 0000F000h | 0_2_02EF5C11
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF4DF5 push 00000000h; mov dword ptr [esp], edi | 0_2_02EF4EA4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF2DF5 push dword ptr [ebp-04h]; mov dword ptr [esp], edi | 0_2_02EF2E1C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF2DF5 push 00000000h; mov dword ptr [esp], edx | 0_2_02EF2EAD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF2DF5 push 00000000h; mov dword ptr [esp], ebp | 0_2_02EF2EC1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF6099 push esi; mov dword ptr [esp], FFFF0000h | 0_2_02EF60A8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF6099 push ecx; mov dword ptr [esp], 00005267h | 0_2_02EF60C0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF6099 push 00000000h; mov dword ptr [esp], edi | 0_2_02EF60D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF6099 push ebx; mov dword ptr [esp], 00001000h | 0_2_02EF60F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF6099 push ebx; mov dword ptr [esp], 000FFFFFh | 0_2_02EF615F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF6099 push ebx; mov dword ptr [esp], 00406194h | 0_2_02EF6175
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF1B95 push dword ptr [ebp-1Ch]; mov dword ptr [esp], esp | 0_2_02EF1BF2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF1B95 push 00000000h; mov dword ptr [esp], esi | 0_2_02EF1CD4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF1B95 push 00000000h; mov dword ptr [esp], esi | 0_2_02EF1D37

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.912950369.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.912982119.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.678640834.00000000011D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.11d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.800812479.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800782996.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798289692.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800751690.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798356915.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798241587.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798380410.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798275065.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800877488.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800857311.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800835964.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.798260213.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.877675545.00000000039CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800898920.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.800911923.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4200, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 408, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02FA12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 0_2_02FA12D4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001745 LoadLibraryA,GetProcAddress, | 0_2_10001745
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02EF2DF5 or edx, dword ptr fs:[00000030h] | 0_2_02EF2DF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_049D2DF5 or edx, dword ptr fs:[00000030h] | 2_2_049D2DF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_00A62DF5 or edx, dword ptr fs:[00000030h] | 3_2_00A62DF5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1
Source: loaddll32.exe, 00000000.00000002.913218245.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.913863321.0000000003340000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.913218245.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.913863321.0000000003340000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.913218245.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.913863321.0000000003340000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.913218245.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.913863321.0000000003340000.00000002.00000001.sdmp | Binary or memory string: Progmanlock