Windows Analysis Report qT9Qk5aKTk.dll

Overview

General Information

Sample Name: qT9Qk5aKTk.dll
Analysis ID: 481107
MD5: 58d9e2906f42336e9bee1137b4cf5839
SHA1: 7f29e42f6d317d7b11ad164a672e91e4515b5bc0
SHA256: a9a0db068a2ed9c7b9b3cdbe7f3c1c82a6f9d2c1c7d4b820820927da004b6cbf

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus / Scanner detection for submitted sample
Writes or reads registry keys via WMI
PE file has nameless sections
Writes registry values via WMI
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Registers a DLL
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: qT9Qk5aKTk.dll Virustotal: Detection: 80%
Source: qT9Qk5aKTk.dll Metadefender: Detection: 59%
Source: qT9Qk5aKTk.dll ReversingLabs: Detection: 82%
Antivirus / Scanner detection for submitted sample
Source: qT9Qk5aKTk.dll Avira: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 19.0.rundll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 33.2.rundll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 19.2.rundll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 19.0.rundll32.exe.400000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: qT9Qk5aKTk.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb& source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 00000029.00000003.411166142.0000000005353000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411166142.0000000005353000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb) source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbm/pZ source: WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb3 source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbn.xP source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000023.00000003.376951522.00000000056E4000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000023.00000003.363884828.00000000053A3000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbN~g source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbU^ source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb= source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 00000023.00000003.376951522.00000000056E4000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdbn'xY source: WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02F912D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023E12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_023E12D4
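The static PE observations in this report (the file-header flags listed above, plus the "PE file has nameless sections", "PE file contains sections with non-standard names" and "PE file contains more sections than normal" signatures) can be reproduced on any sample with a short header parser. The following is an added example and is not code from the report or from Joe Sandbox. It decodes the IMAGE_FILE_HEADER Characteristics bitmask and walks the section table; the PE image it parses is constructed in-line for testing and is not qT9Qk5aKTk.dll, and the ">6 sections" threshold is an assumption, not the sandbox's rule.

```python
"""Static PE triage: decode IMAGE_FILE_HEADER.Characteristics and inspect
section names. Added example, not part of the sandbox report; the PE image
built by build_sample() is constructed here for testing only."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h values)
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# Section names a normal linker emits; anything else counts as non-standard.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT"}

def parse_pe(data: bytes) -> dict:
    """Return machine type, characteristics flags and section names."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    (machine, nsections, _ts, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, fh)
    flags = [name for bit, name in sorted(CHARACTERISTICS.items())
             if characteristics & bit]
    sections = []
    sec_off = fh + 20 + opt_size            # section table follows the optional header
    for i in range(nsections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]   # 8-byte Name field
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "characteristics": characteristics,
            "flags": flags, "sections": sections}

def triage(info: dict) -> list:
    """Mirror the report's static-PE observations on a parsed header."""
    findings = []
    if "32BIT_MACHINE" in info["flags"] and info["machine"] == 0x14C:
        findings.append("32bit PE file")
    if "DLL" in info["flags"]:
        findings.append("DLL")
    if any(s == "" for s in info["sections"]):
        findings.append("nameless section")
    if any(s and s not in STANDARD_SECTIONS for s in info["sections"]):
        findings.append("non-standard section name")
    if len(info["sections"]) > 6:           # threshold is an assumption
        findings.append("more sections than normal")
    return findings

def build_sample(section_names, characteristics=0x210F) -> bytes:
    """Constructed minimal PE (headers only, no code) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    opt = bytes(224)                                    # PE32 optional header size
    fh = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                     len(opt), characteristics)
    secs = b"".join(name.encode().ljust(8, b"\0") + bytes(32)
                    for name in section_names)
    return bytes(dos) + b"PE\0\0" + fh + opt + secs

if __name__ == "__main__":
    img = build_sample([".text", "", ".rdata", ".data", "x1", ".rsrc", ".reloc"])
    info = parse_pe(img)
    print(info["flags"])
    print(triage(info))
```

The default characteristics value 0x210F is exactly the six flags the report lists for the sample (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL). RELOCS_STRIPPED on a DLL is itself worth a second look: a DLL without relocations cannot be rebased, which is consistent with a packed loader that expects to run at its preferred base.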

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49824 -> 13.225.29.191:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49887 -> 13.225.29.191:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49887 -> 13.225.29.191:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49935 -> 13.225.29.204:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49935 -> 13.225.29.204:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49938 -> 13.225.29.191:80
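The two Emerging Threats rules that fired above (2033203 "URI Struct M1 (_2B)" and 2033204 "URI Struct M2 (_2F)") key on the "_2B" / "_2F" tokens in the beacon URI, and those tokens are the highest-fidelity network indicator in this report; the TLS 1.2 connections and cached msn.com page strings listed elsewhere are attributed to "unknown" or to the browser cache, not to the sample. The following is an added example, not code from the report or the text of the ET rules: it re-implements that check over constructed proxy log lines and decodes the flagged path segment. It assumes that the beacon path carries a base64 blob in which "+" and "/" are written as "_2B" and "_2F" (that is, percent-encoding with "_" in place of "%"); the hostnames and the log format are made up, only the two server IPs come from the report.

```python
"""Flag Ursnif-style CnC beacon URIs in a proxy log and decode them.
Added example, not part of the sandbox report. Assumption: the beacon path
contains a base64 segment with '+' and '/' escaped as '_2B' and '_2F'
(percent-encoding with '_' instead of '%'). Log lines are constructed."""
import base64
import re
from urllib.parse import urlsplit

# Constructed proxy log: "<client> <server:port> <method> <url>"
SAMPLE_LOG = """\
192.168.2.7 13.225.29.191:80 GET http://example.invalid/images/AbCdEf_2BGhIjKl_2FmNoPqRsT/UvWx.jpeg
192.168.2.7 104.20.184.68:443 GET https://www.msn.com/de-ch/
192.168.2.7 13.225.29.204:80 GET http://example.invalid/data/QUJD_2FDEFG_2BHIJKLMNOPQRST_2F/img.gif
192.168.2.7 151.101.1.44:443 GET https://static.example/hp-neu/sc/1f/08ced4.png
"""

# A path segment that is base64-like apart from '_XX' escapes, at least 16 tokens long
BEACON_SEG = re.compile(r"^(?:[A-Za-z0-9]|_[0-9A-Fa-f]{2}){16,}$")
ESCAPE = re.compile(r"_([0-9A-Fa-f]{2})")

def decode_uri_segment(seg: str) -> bytes:
    """Undo the '_XX' escaping ('_2B' -> '+', '_2F' -> '/') and base64-decode,
    re-adding any padding the sender stripped."""
    raw = ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), seg)
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw, validate=False)

def find_beacons(log_text: str) -> list:
    """Return (server, segment, decoded_bytes) for every request whose path
    holds a base64-like segment containing '_2B' or '_2F'."""
    hits = []
    for line in log_text.splitlines():
        _client, server, _method, url = line.split()
        path = urlsplit(url).path
        for seg in path.split("/"):
            if ("_2B" in seg or "_2F" in seg) and BEACON_SEG.match(seg):
                try:
                    payload = decode_uri_segment(seg)
                except ValueError:
                    payload = b""          # keep the hit even if decoding fails
                hits.append((server, seg, payload))
    return hits

if __name__ == "__main__":
    for server, seg, payload in find_beacons(SAMPLE_LOG):
        print(server, seg, len(payload), "bytes")
```

The decoded bytes are still the malware's encrypted request body, so the value of this check is the hit itself (which endpoints, how often, which process), not the payload contents; the length filter and the requirement that the whole segment stay base64-like are what keep ordinary URLs with an "_2F" in them from alerting.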
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: de-ch[1].htm.6.dr String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: de-ch[1].htm.6.dr String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//web.vortex.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//web.vortex.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen|https://twitter.com/i/notifications;Ich|#;Abmelden|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play|https://aka.ms/Ixhi8e;me_groove_taskLinks_try|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"&nbsp;&nbsp;&nbsp;Ref 2: "+e.html(t.clientSettings.sid||"000000")+"&nbsp;&nbsp;&nbsp;Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console||{}).timeStamp?console.timeStamp(n):(r.performance||{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen|https://outlook.live.com/mail/deeplink/compose;Kalender|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)
Source: WerFault.exe, 00000023.00000002.429475012.0000000005347000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.453464879.0000000004DF2000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[1].htm.6.dr String found in binary or memory: http://popup.taboola.com/german
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: de-ch[1].htm.6.dr String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[1].htm.6.dr String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&amp;ap
Source: de-ch[1].htm.6.dr String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&amp;ct=prime_footer&amp;mt=8
Source: auction[1].htm.6.dr String found in binary or memory: https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=_pGcdKMGIS.z.lCTqTjkg1MN5VDhw.LVmKPE.vsvy8xqR9tt
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iab2Data.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: auction[1].htm.6.dr String found in binary or memory: https://cdn.flurry.com/adTemplates/templates/htmls/clips.html&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_office&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_mestripe_store&amp;m
Source: de-ch[1].htm.6.dr String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&amp;mid=46130&amp;u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clk.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=21863656
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=245744&amp;a=3064090&amp;g=24545562&amp;epi=de-ch
Source: de-ch[1].htm.6.dr String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&amp;a=3064090&amp;g=24886692
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=722878611&amp;size=306x271&amp;http
Source: de-ch[1].htm.6.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&amp;crid=858412214&amp;size=306x271&amp;http
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[1].json.6.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[1].htm.6.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: auction[1].htm.6.dr String found in binary or memory: https://ir2.beap.gemini.yahoo.com/mbcsc?bv=1.0.0&amp;es=ofrom5sGIS_KXxy9_JDp4mX9JHjHM.c541SmqMEFZwTH
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1631265095&amp;rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/logout.srf?ct=1631265096&amp;rver=7.0.6730.0&amp;lc=1033&amp;id=1184&amp;lru=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&amp;rpsnv=13&amp;ct=1631265095&amp;rver=7.0.6730.0&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: de-ch[1].htm.6.dr String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&amp;hl=de-ch&amp;refer
Source: auction[1].htm.6.dr String found in binary or memory: https://policies.oath.com/us/en/oath/privacy/index.html
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: auction[1].htm.6.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&amp;label=travelnavlink
Source: auction[1].htm.6.dr String found in binary or memory: https://srtb.msn.com:443/notify/viewedg?rid=8579855945c54b10b74180716ce798ce&amp;r=infopane&amp;i=3&
Source: imagestore.dat.4.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAOgGQ4.img?h=368&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&amp;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&amp;w
Source: de-ch[1].htm.6.dr String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&amp;w
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://support.skype.com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?&quot;
Source: de-ch[1].htm.6.dr String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: de-ch[1].htm.6.dr String found in binary or memory: https://web.vortex.data.msn.com/collect/v1/t.gif?name=%27Ms.Webi.PageView%27&amp;ver=%272.1%27&amp;a
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=11518&amp;awinaffid=696593&amp;clickref=dech-edge-dhp-infopa
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.awin1.com/cread.php?awinmid=15168&amp;awinaffid=696593&amp;clickref=de-ch-edge-dhp-river
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ebay.ch/?mkcid=1&amp;mkrid=5222-53480-19255-0&amp;siteid=193&amp;campid=5338626668&amp;t
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&amp;item=deferred_page%3a1&amp;ignorejs=webcore%2fmodules%2fjsb
Source: ~DF8EB834D22FF64704.TMP.4.dr String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpo
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/die-schulen-sind-am-anschlag-ansteckungen-unter-ki
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/mit-dem-neubau-der-zurich-versicherung-ist-ein-wei
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/z%c3%bcrich/wie-ein-engl%c3%a4nder-seine-schwangere-frau-vor-c
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/betrunkener-kia-fahrer-30-streift-polizeiauto-und-haut-ab/ar-AA
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/blaualgen-tr%c3%bcben-den-z%c3%bcrichsee-bei-freienbach/ar-AAOf
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/frau-hielt-schafe-im-badezimmer-ihrer-mietwohnung/ar-AAOhQkc?oc
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-z%c3%bcrich-beerdigt-westtangente-wetzikon/ar-AAOi8HP?oc
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/nach-13-positiven-tests-drei-klassen-m%c3%bcssen-in-quarant%c3%
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/v%c3%b6llig-absurd-f%c3%bcnftkl%c3%a4ssler-m%c3%bcssen-trotz-qu
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/sport/other/seit-corona-kommt-es-vermehrt-zu-t%c3%a4tlichkeiten/ar-AAOf1Pv
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&amp;auth=1&amp;wdorigin=msn
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&amp;utm_medium=affiliate&amp;utm_campaign=msn_shop_de&amp;utm
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&amp;vertical=custom&amp;pageType=
Source: de-ch[1].htm.6.dr String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[1].json.6.dr String found in binary or memory: https://www.stroeer.de/konvergenz-konzepte/daten-technologien/stroeer-ssp/datenschutz-ssp.html
Source: 52-478955-68ddb2ab[1].js.6.dr String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: global traffic HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: geolocation.onetrust.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: btloader.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /px.gif?ch=1&e=0.7442770494067928 HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ad-delivery.net
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ad.doubleclick.net
    Connection: Keep-Alive
    Cookie: IDE=AHWqTUmLaOp9iEghuZm4P0dJw9hUfO3C-7WsvHHj8XxLUXDn8JvgU1zZASjuR4p3
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F07804453bf90da635cf952e3d393ab12.png HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: img.img-taboola.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F26b7c43e8735f7408c60e41fb7e91ecd.jpg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: img.img-taboola.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1621266752856-586.jpg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: s.yimg.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F11b9f069e5e00ff6dd3050259af20493.jpg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: img.img-taboola.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/ljDNkkzbV4a6qGMM6/1HExUGmQXVwO/frwWBEjdrZ4/d5S8UlSiYa0DzX/el9J2qXVIUyYCxMHHr91X/kizLttMGapdo5SvF/olXlCBP7aPqDsmB/ICQ2HKBamF1i_2Fxdj/ZsDmjnqFK/ytn9Ymr2xJl5Qy4kiXVc/IQDWlUGPzShrNYAjXzf/JPSl_2BD7pWwAJFNY_2B0f/3A3oDAh_2BF9_/2BxYBJaFI/UpWol9RI.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/cCdYQdt2tX8RhHk/neYfmVtOu_2BWHOxaX/ecV9VJIhq/XE4M5D_2FzTYipgQVzFy/24_2BtaWyVjXI2M_2FX/wa66wgzPqWCXC0kGRqyEUL/snesyfGZeTgvJ/569YwYUH/U86MzznZ70JhRKq9sWcaTd1/Hzb_2FFW0u/GZ5sESPD_2B5JLMQh/7K5kxREyrQ1n/mKmdzEvi70Tv5/6xorN.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/pHWWVyKJpE2g/nNZcTMutRbw/CCuOk7RvdVCDGz/STh4ftwA407S9VDDkvBy4/G7M_2BJ4E2bGBbf7/N4t3UKgsWntjM7M/mhCOIjxjlHyX4RUX7Q/Rdq3ib1hF/2fWqDSaJ9GA2yVZ_2Bgz/9iFlTX9OFyKHKxrjQJU/JYzhGNAUNkUKgLpHHU6bLf/nZUT_2BcMHeCkKwcWj/aMt.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/1mUl4vSxMxI/e7HhiI3PfruX2m/qXVt2BLImZpNU2AUWYoPx/KJXoqE51DtcFrNZ_/2BgDE50_2B2je1s/48lZWMnPdCpHd_2FFy/Vcq64rYip/9aN0bRvWizmkP5fXR2T3/jiHfK2wSGdTtZ8VP53I/SUMESuf_2FBQAkd3zXxfOT/_2BcxECgxKRoa/s8ZW5dhr/E0BgSy4u3Bh6HSi/j.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.70.134:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.2.70:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.19.102:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.7:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.23:443 -> 192.168.2.7:49780 version: TLS 1.2
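Of the HTTP requests listed above, the four to ocsp.sca1b.amazontrust.com look nothing like the browser traffic the MSN start page generated: they carry no Referer, they ask for an .avi under /images/ while sending Accept: text/html, the path is a long run of pseudo-random segments, and those segments contain _2B and _2F where a base64 blob would contain + and /, which is the ISFB/Ursnif habit of percent-encoding the request body and then swapping % for _. An OCSP GET, by contrast, is a single base64 DER blob directly under the root. The following is an example added by the editor, not output of the report or code from the sandbox vendor; it turns those observations into heuristics and runs them over four requests copied verbatim from the traffic section (two check-ins, two benign fetches). Flag names, the length and segment thresholds, and the alert threshold in triage() are the editor's choices.

```python
import re
from urllib.parse import urlsplit

# Requests copied from the "HTTP traffic detected" lines of this report. Header dicts
# are trimmed to the headers the heuristics read; the User-Agent is the IE 11 string
# that every request in the report carries.
IE_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
HTML_ACCEPT = "text/html, application/xhtml+xml, image/jxr, */*"
IMG_ACCEPT = "image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5"
MSN_REFERER = "https://www.msn.com/de-ch/?ocid=iehp"

SAMPLE_REQUESTS = [
    {"request": "GET /images/ljDNkkzbV4a6qGMM6/1HExUGmQXVwO/frwWBEjdrZ4/d5S8UlSiYa0DzX/el9J2qXVIUyYCxMHHr91X/kizLttMGapdo5SvF/olXlCBP7aPqDsmB/ICQ2HKBamF1i_2Fxdj/ZsDmjnqFK/ytn9Ymr2xJl5Qy4kiXVc/IQDWlUGPzShrNYAjXzf/JPSl_2BD7pWwAJFNY_2B0f/3A3oDAh_2BF9_/2BxYBJaFI/UpWol9RI.avi HTTP/1.1",
     "headers": {"Accept": HTML_ACCEPT, "User-Agent": IE_UA, "Host": "ocsp.sca1b.amazontrust.com"}},
    {"request": "GET /images/cCdYQdt2tX8RhHk/neYfmVtOu_2BWHOxaX/ecV9VJIhq/XE4M5D_2FzTYipgQVzFy/24_2BtaWyVjXI2M_2FX/wa66wgzPqWCXC0kGRqyEUL/snesyfGZeTgvJ/569YwYUH/U86MzznZ70JhRKq9sWcaTd1/Hzb_2FFW0u/GZ5sESPD_2B5JLMQh/7K5kxREyrQ1n/mKmdzEvi70Tv5/6xorN.avi HTTP/1.1",
     "headers": {"Accept": HTML_ACCEPT, "User-Agent": IE_UA, "Host": "ocsp.sca1b.amazontrust.com"}},
    {"request": "GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F07804453bf90da635cf952e3d393ab12.png HTTP/1.1",
     "headers": {"Accept": IMG_ACCEPT, "Referer": MSN_REFERER, "User-Agent": IE_UA, "Host": "img.img-taboola.com"}},
    {"request": "GET /cookieconsentpub/v1/geo/location HTTP/1.1",
     "headers": {"Accept": "application/javascript, */*;q=0.8", "Referer": MSN_REFERER,
                 "User-Agent": IE_UA, "Host": "geolocation.onetrust.com"}},
]

MEDIA_EXT = re.compile(r"\.(avi|gif|jpe?g|png|bmp|mp4|mp3)$", re.I)
# ISFB/Ursnif percent-encodes its base64 request blob and then replaces '%' with '_',
# so the base64 characters '+', '/' and '=' surface in the path as _2B, _2F and _3D.
MANGLED_B64 = re.compile(r"_(2B|2F|3D)")


def ursnif_uri_indicators(request, headers):
    """Return the names of the indicators that fire for one request line + headers."""
    _method, target, _version = request.split(" ", 2)
    path = urlsplit(target).path
    segments = [s for s in path.split("/") if s]
    hdr = {k.lower(): v for k, v in headers.items()}
    accept = hdr.get("accept", "")
    host = hdr.get("host", "").lower()
    flags = []
    if path.startswith("/images/") and MEDIA_EXT.search(path):
        flags.append("images_prefix_media_extension")
    if MEDIA_EXT.search(path) and accept.startswith("text/html"):
        flags.append("media_path_but_html_accept")  # a browser fetching an image sends image/*
    if MANGLED_B64.search(path):
        flags.append("underscore_percent_base64")
    if len(path) >= 200 and len(segments) >= 8:
        flags.append("long_multi_segment_path")
    if "referer" not in hdr:
        flags.append("no_referer")
    # An OCSP GET is one base64 DER blob directly under '/', never a deep path.
    if host.startswith("ocsp.") and len(segments) > 1:
        flags.append("ocsp_host_non_ocsp_path")
    return flags


def triage(requests, threshold=4):
    """Score each request; return (host, path, flags) for those at or above the threshold."""
    hits = []
    for entry in requests:
        flags = ursnif_uri_indicators(entry["request"], entry["headers"])
        if len(flags) >= threshold:
            hits.append((entry["headers"].get("Host", "?"), entry["request"].split(" ")[1], flags))
    return hits


if __name__ == "__main__":
    for host, path, flags in triage(SAMPLE_REQUESTS):
        print(f"{host}  {path[:48]}...  {', '.join(flags)}")
```

Run against a proxy or Zeek http.log export in the same request/headers shape, the no_referer and media_path_but_html_accept checks are the cheap first pass; the underscore-mangled base64 is the one that is specific to this family and worth a standalone rule.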

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322676857.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474137548.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322202508.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473987515.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322499280.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488543169.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504757746.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417091528.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.530490300.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488696812.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416892582.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488440717.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416449935.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473902712.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505290500.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474356584.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417147272.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416620379.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505377175.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488723167.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504698368.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417041948.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474088169.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.528892428.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504300183.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322381939.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322406561.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504841805.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322337741.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474318739.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322575665.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504617318.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504419460.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488754897.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474399932.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488667528.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488635694.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416772424.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.530985686.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322291731.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474430335.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416968580.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: 25.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.47e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.rundll32.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.49a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.2df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.27c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.rundll32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.rundll32.exe.2ad0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.310878760.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.420794237.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.345060840.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518028253.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294274391.0000000003610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.522287201.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522835823.00000000026D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.520736013.0000000002DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.340961934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.441408261.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.426506350.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.502483591.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.366167651.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.346648661.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.512763307.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.433128810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.329480680.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.513121198.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.464297747.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.380004706.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.523877392.00000000027C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.305530234.00000000047E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.372926133.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.438165350.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.342868805.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.320841608.00000000007F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.459018631.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.389489795.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.364022083.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.347833864.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.371029885.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.477089969.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512650162.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.361319898.0000000000510000.00000040.00000001.sdmp, type: MEMORY
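The match list above is long but carries structure: each .sdmp name holds a hex process index, a phase code, a dump id, the region base address and the region protection, and each .unpack name holds the same process index in decimal together with the image name and base. Joining the two tells you which processes contain the Ursnif code and at which addresses, which is what you need when carving the unpacked payload. The following is an example added by the editor, not report output or vendor code: it parses a subset of the identifiers copied from the list and groups the regions per process. The field labels are the editor's reading of the naming scheme; only the PAGE_* protection values (0x04 and 0x40, the two that occur here) are decoded from Win32 constants, and the trailing flag field is left undecoded.

```python
import re
from collections import defaultdict

# Identifiers copied from the Yara match lines above (a subset; the parser handles the
# full list). Field labels below are the editor's reading of the sandbox naming scheme.
YARA_SOURCES = [
    "0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp",
    "00000000.00000003.504757746.00000000033E8000.00000004.00000040.sdmp",
    "00000013.00000000.345060840.0000000000400000.00000040.00020000.sdmp",
    "00000013.00000002.433128810.0000000000400000.00000040.00020000.sdmp",
    "00000013.00000002.438165350.00000000032A0000.00000040.00000001.sdmp",
    "00000019.00000000.366167651.0000000000510000.00000040.00000001.sdmp",
    "0000002C.00000002.502483591.00000000029F0000.00000040.00000001.sdmp",
    "00000002.00000002.522835823.00000000026D0000.00000040.00020000.sdmp",
    "00000000.00000002.512650162.0000000000400000.00000040.00020000.sdmp",
    "25.0.rundll32.exe.510000.0.raw.unpack",
    "19.2.rundll32.exe.400000.0.unpack",
    "44.2.rundll32.exe.29f0000.0.raw.unpack",
    "2.2.regsvr32.exe.26d0000.1.unpack",
    "0.2.loaddll32.exe.400000.0.unpack",
]

# <proc hex>.<phase>.<dump id>.<base>.<protection>.<flag>.sdmp
SDMP = re.compile(r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$", re.I)
# <proc dec>.<phase>.<image>.<base hex>.<n>.[raw.]unpack
UNPACK = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-f]+)\.(\d+)\.(raw\.)?unpack$", re.I)

# Win32 PAGE_* protection constants for the values that occur in this report.
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY are 0x10..0x80


def parse_source(name):
    """Split one Yara 'File source' identifier into its fields."""
    m = SDMP.match(name)
    if m:
        return {"kind": "sdmp", "proc": int(m[1], 16), "phase": int(m[2], 16),
                "base": int(m[4], 16), "protect": int(m[5], 16), "image": None}
    m = UNPACK.match(name)
    if m:
        return {"kind": "unpack", "proc": int(m[1]), "phase": int(m[2]),
                "base": int(m[4], 16), "protect": None, "image": m[3]}
    raise ValueError(f"unrecognised source name: {name}")


def summarize(names):
    """Per process index: image name, executable region bases and data region bases."""
    images = {}
    regions = defaultdict(set)
    for name in names:
        p = parse_source(name)
        if p["image"]:
            images[p["proc"]] = p["image"]          # .unpack names carry the image name
        if p["kind"] == "sdmp":
            regions[p["proc"]].add((p["base"], p["protect"]))
    summary = {}
    for proc in sorted(regions):
        summary[proc] = {
            "image": images.get(proc, "?"),
            "executable": sorted(b for b, pr in regions[proc] if pr & EXECUTE_MASK),
            "data": sorted(b for b, pr in regions[proc] if not pr & EXECUTE_MASK),
        }
    return summary


if __name__ == "__main__":
    for proc, info in summarize(YARA_SOURCES).items():
        exe = ", ".join(f"0x{b:X}" for b in info["executable"]) or "-"
        data = ", ".join(f"0x{b:X}" for b in info["data"]) or "-"
        print(f"[{proc:3d}] {info['image']:<14} RWX: {exe:<24} RW: {data}")
```

On this subset the output shows the same picture the full list gives: loaddll32.exe (index 0), regsvr32.exe (2) and every rundll32.exe instance hold an executable-and-writable copy of the payload, typically at 0x400000 or a freshly allocated base such as 0x29F0000, while the PAGE_READWRITE matches sit in heap-range addresses and are where the decrypted strings and configuration live.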

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322676857.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474137548.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322202508.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473987515.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322499280.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488543169.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504757746.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417091528.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.530490300.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488696812.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416892582.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488440717.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416449935.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473902712.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505290500.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474356584.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417147272.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416620379.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505377175.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488723167.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504698368.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417041948.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474088169.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.528892428.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504300183.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322381939.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322406561.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504841805.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322337741.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474318739.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322575665.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504617318.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504419460.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488754897.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474399932.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488667528.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488635694.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416772424.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.530985686.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322291731.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474430335.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416968580.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: 25.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.47e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.rundll32.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.49a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.2df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.27c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.rundll32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.rundll32.exe.2ad0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.310878760.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.420794237.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.345060840.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518028253.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294274391.0000000003610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.522287201.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522835823.00000000026D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.520736013.0000000002DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.340961934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.441408261.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.426506350.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.502483591.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.366167651.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.346648661.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.512763307.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.433128810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.329480680.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.513121198.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.464297747.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.380004706.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.523877392.00000000027C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.305530234.00000000047E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.372926133.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.438165350.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.342868805.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.320841608.00000000007F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.459018631.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.389489795.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.364022083.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.347833864.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.371029885.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.477089969.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512650162.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.361319898.0000000000510000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
PE file has nameless sections
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Source: qT9Qk5aKTk.dll Static PE information: section name:
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: qT9Qk5aKTk.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 820
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00402154 0_2_00402154
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F94094 0_2_02F94094
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F997F2 0_2_02F997F2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9B11C 0_2_02F9B11C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D2154 2_2_026D2154
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023E4094 2_2_023E4094
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023EB11C 2_2_023EB11C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023E97F2 2_2_023E97F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031BB11C 3_2_031BB11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B97F2 3_2_031B97F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B4094 3_2_031B4094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B554A 3_2_031B554A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B27A7 3_2_031B27A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031B44A2 3_2_031B44A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C34094 33_2_04C34094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C397F2 33_2_04C397F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C3B11C 33_2_04C3B11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C344A2 33_2_04C344A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C327A7 33_2_04C327A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_04C3554A 33_2_04C3554A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050AB11C 43_2_050AB11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A97F2 43_2_050A97F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A4094 43_2_050A4094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A554A 43_2_050A554A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A27A7 43_2_050A27A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_050A44A2 43_2_050A44A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C34094 44_2_04C34094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C397F2 44_2_04C397F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C3B11C 44_2_04C3B11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C344A2 44_2_04C344A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C327A7 44_2_04C327A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_04C3554A 44_2_04C3554A
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00401D9F NtMapViewOfSection, 0_2_00401D9F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00401EB5 GetProcAddress,NtCreateSection,memset, 0_2_00401EB5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00402375 NtQueryVirtualMemory, 0_2_00402375
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F983B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_02F983B7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9B341 NtQueryVirtualMemory, 0_2_02F9B341
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360066 NtAllocateVirtualMemory, 0_2_01360066
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0136009C NtAllocateVirtualMemory, 0_2_0136009C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360285 NtProtectVirtualMemory, 0_2_01360285
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D1EB5 GetProcAddress,NtCreateSection,memset, 2_2_026D1EB5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D1D9F NtMapViewOfSection, 2_2_026D1D9F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D2375 NtQueryVirtualMemory, 2_2_026D2375
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023E83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 2_2_023E83B7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023EB341 NtQueryVirtualMemory, 2_2_023EB341
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E009C NtAllocateVirtualMemory, 5_2_035E009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E0066 NtAllocateVirtualMemory, 5_2_035E0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E0285 NtProtectVirtualMemory, 5_2_035E0285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF009C NtAllocateVirtualMemory, 9_2_02FF009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF0066 NtAllocateVirtualMemory, 9_2_02FF0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF0285 NtProtectVirtualMemory, 9_2_02FF0285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE0066 NtAllocateVirtualMemory, 12_2_02AE0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE0285 NtProtectVirtualMemory, 12_2_02AE0285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE009C NtAllocateVirtualMemory, 12_2_02AE009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_03290285 NtProtectVirtualMemory, 19_2_03290285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_03290066 NtAllocateVirtualMemory, 19_2_03290066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0329009C NtAllocateVirtualMemory, 19_2_0329009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A0066 NtAllocateVirtualMemory, 24_2_008A0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A0285 NtProtectVirtualMemory, 24_2_008A0285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A009C NtAllocateVirtualMemory, 24_2_008A009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_0092009C NtAllocateVirtualMemory, 29_2_0092009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_00920066 NtAllocateVirtualMemory, 29_2_00920066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_00920285 NtProtectVirtualMemory, 29_2_00920285
Sample file is different than original file name gathered from version info
Source: qT9Qk5aKTk.dll Binary or memory string: OriginalFilenameRPCTEST.DLL vs qT9Qk5aKTk.dll
PE file contains strange resources
Source: qT9Qk5aKTk.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qT9Qk5aKTk.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: @ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ? .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: > .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: = .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: < .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ; .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: : .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 9 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 8 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 7 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 6 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 5 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 4 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 3 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 2 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 1 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: 0 .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: - .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: , .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: + .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: * .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ) .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ( .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ' .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: & .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: % .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: $ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: # .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ' .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ! .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
PE file contains more sections than normal
Source: qT9Qk5aKTk.dll Static PE information: Number of sections : 12 > 10
Source: qT9Qk5aKTk.dll Virustotal: Detection: 80%
Source: qT9Qk5aKTk.dll Metadefender: Detection: 59%
Source: qT9Qk5aKTk.dll ReversingLabs: Detection: 82%
Source: qT9Qk5aKTk.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Aquatically
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2760 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Episodically
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Kakapo
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Overdistantness
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Pseudopodal
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2760 CREDAT:82962 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Microphage
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Cytost
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Reattach
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Vigia
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Preallable
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Amphistomous
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Americanistic
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 820
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Suprahumanity
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Eupyrchroite
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2760 CREDAT:17428 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Splitbeak
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 816
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2760 CREDAT:82974 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Andirin
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Drail
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{86DBC09F-1262-11EC-90E6-ECF4BB82F7E0}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF8A471FFBEDEC3971.TMP
Source: classification engine Classification label: mal92.troj.winDLL@62/162@17/8
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_02F9757F
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2736
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6840
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts (reported 4 times)
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK (reported 21 times)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: WinTypes.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411166142.0000000005353000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 00000023.00000003.376951522.00000000056E4000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000023.00000003.376618336.00000000056D2000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411054361.0000000005342000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000023.00000003.376792297.00000000056D0000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411820381.0000000005340000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000023.00000003.376845164.00000000056D8000.00000004.00000040.sdmp, WerFault.exe, 00000029.00000003.411872528.0000000005349000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000023.00000003.376583974.00000000055C1000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000003.411360352.0000000005171000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00402143 push ecx; ret 0_2_00402153
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_004020F0 push ecx; ret 0_2_004020F9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9EAE5 push ds; retf 0_2_02F9EAEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9E4C9 push ecx; ret 0_2_02F9E4CA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9AD50 push ecx; ret 0_2_02F9AD59
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9B10B push ecx; ret 0_2_02F9B11B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360005 push dword ptr [ebp-0000027Ch]; ret 0_2_01360065
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360066 push dword ptr [ebp-0000027Ch]; ret 0_2_0136009B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360397 push dword ptr [esp+0Ch]; ret 0_2_013603AA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360397 push dword ptr [esp+10h]; ret 0_2_013603EF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0136009C push dword ptr [ebp-0000027Ch]; ret 0_2_01360231
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0136009C push dword ptr [ebp-00000284h]; ret 0_2_01360284
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0136009C push dword ptr [esp+10h]; ret 0_2_01360396
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D20F0 push ecx; ret 2_2_026D20F9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_026D2143 push ecx; ret 2_2_026D2153
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023EEAE5 push ds; retf 2_2_023EEAEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023EE4C9 push ecx; ret 2_2_023EE4CA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023EB10B push ecx; ret 2_2_023EB11B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023EAD50 push ecx; ret 2_2_023EAD59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031BB10B push ecx; ret 3_2_031BB11B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031BAD50 push ecx; ret 3_2_031BAD59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031BE4C9 push ecx; ret 3_2_031BE4CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_031BEAE5 push ds; retf 3_2_031BEAEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F009C push dword ptr [ebp-0000027Ch]; ret 3_2_029F0231
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F009C push dword ptr [ebp-00000284h]; ret 3_2_029F0284
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F009C push dword ptr [esp+10h]; ret 3_2_029F0396
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F0005 push dword ptr [ebp-0000027Ch]; ret 3_2_029F0065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F0066 push dword ptr [ebp-0000027Ch]; ret 3_2_029F009B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F0397 push dword ptr [esp+0Ch]; ret 3_2_029F03AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F0397 push dword ptr [esp+10h]; ret 3_2_029F03EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E009C push dword ptr [ebp-0000027Ch]; ret 5_2_035E0231
PE file contains sections with non-standard names
Source: qT9Qk5aKTk.dll Static PE information: section name: (empty; 7 nameless sections reported)
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00401745 LoadLibraryA,GetProcAddress, 0_2_00401745
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322676857.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474137548.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322202508.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473987515.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322499280.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488543169.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504757746.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417091528.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.530490300.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488696812.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416892582.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488440717.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416449935.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473902712.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505290500.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474356584.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417147272.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416620379.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505377175.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488723167.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504698368.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417041948.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474088169.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.528892428.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504300183.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322381939.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322406561.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504841805.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322337741.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474318739.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322575665.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504617318.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504419460.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488754897.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474399932.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488667528.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488635694.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416772424.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.530985686.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322291731.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474430335.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416968580.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: 25.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.47e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.rundll32.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.49a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.2df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.27c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.rundll32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.rundll32.exe.2ad0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.310878760.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.420794237.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.345060840.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518028253.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294274391.0000000003610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.522287201.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522835823.00000000026D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.520736013.0000000002DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.340961934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.441408261.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.426506350.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.502483591.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.366167651.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.346648661.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.512763307.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.433128810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.329480680.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.513121198.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.464297747.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.380004706.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.523877392.00000000027C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.305530234.00000000047E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.372926133.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.438165350.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.342868805.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.320841608.00000000007F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.459018631.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.389489795.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.364022083.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.347833864.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.371029885.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.477089969.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512650162.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.361319898.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4364 Thread sleep count: 35 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4364 Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4364 Thread sleep count: 44 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4364 Thread sleep count: 39 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4364 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4364 Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4364 Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4364 Thread sleep count: 49 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7680 Thread sleep time: -1667865539s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 7680 Thread sleep count: 32 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.0 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.0 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.0 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.0 %
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_02F912D4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_023E12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 2_2_023E12D4
Source: rundll32.exe, 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp Binary or memory string: vortex.data.microsoft.com/images/NqcQT2bUNfb5m1bY/JOi0y0F_2FTjhau/s06TEa7zT3uWBV5ZFK/IVmCIaBb7/pHXnbuHsY1ktrzz3wzNw/Jb7NfwdMI1o9YIX7z4a/3_2F_2BCQdpj8CzYVwfmwJ/Waj5rQa6FOgN4/rgZW23AI/_2F6NVJQTk3co0bzzkm2CcG/ukMCPqssCd/noM_2BzVPdJgHJ1BI/yuulwOQyfv1i/bedOT0I1e/X0F0GU2Z/hCKGR.avidpj8Cz|
Source: rundll32.exe, 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp Binary or memory string: .avi2bUNfb5m1bY/JOi0y0F_2FTjhau/s06TEa7zT3uWBV5ZFK/IVmCIaBb7/pHXnbuHsY1ktrzz3wzNw/Jb7NfwdMI1o9YIX7z4a/3_2F_2BCQdpj8CzYVwfmwJ/Waj5rQa6FOgN4/rgZW23AI/_2F6NVJQTk3co0bzzkm2CcG/ukMCPqssCd/noM_2BzVPdJgHJ1BI/yuulwOQyfv1i/bedOT0I1e/X0F0GU2Z/hCKGRer=12&id=7256&crhhp
Source: {BC00BC65-1262-11EC-90E6-ECF4BB82F7E0}.dat.4.dr Binary or memory string: http://web.vortex.data.microsoft.com/images/NqcQT2bUNfb5m1bY/JOi0y0F_2FTjhau/s06TEa7zT3uWBV5ZFK/IVmCIaBb7/pHXnbuHsY1ktrzz3wzNw/Jb7NfwdMI1o9YIX7z4a/3_2F_2BCQdpj8CzYVwfmwJ/Waj5rQa6FOgN4/rgZW23AI/_2F6NVJQTk3co0bzzkm2CcG/ukMCPqssCd/noM_2BzVPdJgHJ1BI/yuulwOQyfv1i/bedOT0I1e/X0F0GU2Z/hCKGR.avi
Source: rundll32.exe, 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp Binary or memory string: NqcQT2bUNfb5m1bY/JOi0y0F_2FTjhau/s06TEa7zT3uWBV5ZFK/IVmCIaBb7/pHXnbuHsY1ktrzz3wzNw/Jb7NfwdMI1o9YIX7z4a/3_2F_2BCQdpj8CzYVwfmwJ/Waj5rQa6FOgN4/rgZW23AI/_2F6NVJQTk3co0bzzkm2CcG/ukMCPqssCd/noM_2BzVPdJgHJ1BI/yuulwOQyfv1i/bedOT0I1e/X0F0GU2Z/hCKGRHHz
Source: WerFault.exe, 00000023.00000002.429475012.0000000005347000.00000004.00000001.sdmp, WerFault.exe, 00000029.00000002.456974785.0000000004EC1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000023.00000002.429022901.000000000531C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(
Source: rundll32.exe, 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp Binary or memory string: NqcQT2bUNfb5m1bY/JOi0y0F_2FTjhau/s06TEa7zT3uWBV5ZFK/IVmCIaBb7/pHXnbuHsY1ktrzz3wzNw/Jb7NfwdMI1o9YIX7z4a/3_2F_2BCQdpj8CzYVwfmwJ/Waj5rQa6FOgN4/rgZW23AI/_2F6NVJQTk3co0bzzkm2CcG/ukMCPqssCd/noM_2BzVPdJgHJ1BI/yuulwOQyfv1i/bedOT0I1e/X0F0GU2Z/hCKGR
Source: {BC00BC65-1262-11EC-90E6-ECF4BB82F7E0}.dat.4.dr Binary or memory string: .microsoft.com/images/NqcQT2bUNfb5m1bY/JOi0y0F_2FTjhau/s06TEa7zT3uWBV5ZFK/IVmCIaBb7/pHXnbuHsY1ktRoot Entry
Source: WerFault.exe, 00000023.00000003.419054530.0000000005387000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWK
Source: {BC00BC65-1262-11EC-90E6-ECF4BB82F7E0}.dat.4.dr Binary or memory string: http://web.vortex.data.microsoft.com/images/NqcQT2bUNfb5m1bY/JOi0y0F_2FTjhau/s06TEa7zT3uWBV5ZFK/IVmCIaBb7/pHXnbuHsY1ktrzz3wzNw/Jb7NfwdMI1o9YIX7z4a/3_2F_2BCQdpj8CzYVwfmwJ/Waj5rQa6FOgN4/rgZW23AI/_2F6NVJQTk3co0bzzkm2CcG/ukMCPqssCd/noM_2BzVPdJgHJ1BI/yuulwOQyfv1i/bedOT0I1e/X0F0GU2Z/hCKGR.aviRoot Entry
Source: rundll32.exe, 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp Binary or memory string: ex.data.microsoft.com/images/NqcQT2bUNfb5m1bY/JOi0y0F_2FTjhau/s06TEa7zT3uWBV5ZFK/IVmCIaBb7/pHXnbuHsY1ktrzz3wzNw/Jb7NfwdMI1o9YIX7z4a/3_2F_2BCQdpj8CzYVwfmwJ/Waj5rQa6FOgN4/rgZW23AI/_2F6NVJQTk3co0bzzkm2CcG/ukMCPqssCd/noM_2BzVPdJgHJ1BI/yuulwOQyfv1i/bedOT0I1e/X0F0GU2Z/hCKGR.avi
Source: rundll32.exe, 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp Binary or memory string: 2bUNfb5m1bY/JOi0y0F_2FTjhau/s06TEa7zT3uWBV5ZFK/IVmCIaBb7/pHXnbuHsY1ktrzz3wzNw/Jb7NfwdMI1o9YIX7z4a/3_2F_2BCQdpj8CzYVwfmwJ/Waj5rQa6FOgN4/rgZW23AI/_2F6NVJQTk3co0bzzkm2CcG/ukMCPqssCd/noM_2BzVPdJgHJ1BI/yuulwOQyfv1i/bedOT0I1e/X0F0GU2Z/hCKGR

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00401745 LoadLibraryA,GetProcAddress, 0_2_00401745
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360469 mov eax, dword ptr fs:[00000030h] 0_2_01360469
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01360397 mov eax, dword ptr fs:[00000030h] 0_2_01360397
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0136009C mov eax, dword ptr fs:[00000030h] 0_2_0136009C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_013603F0 mov eax, dword ptr fs:[00000030h] 0_2_013603F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F009C mov eax, dword ptr fs:[00000030h] 3_2_029F009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F0469 mov eax, dword ptr fs:[00000030h] 3_2_029F0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F0397 mov eax, dword ptr fs:[00000030h] 3_2_029F0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029F03F0 mov eax, dword ptr fs:[00000030h] 3_2_029F03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E009C mov eax, dword ptr fs:[00000030h] 5_2_035E009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E0397 mov eax, dword ptr fs:[00000030h] 5_2_035E0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E03F0 mov eax, dword ptr fs:[00000030h] 5_2_035E03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_035E0469 mov eax, dword ptr fs:[00000030h] 5_2_035E0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF009C mov eax, dword ptr fs:[00000030h] 9_2_02FF009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF0397 mov eax, dword ptr fs:[00000030h] 9_2_02FF0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF03F0 mov eax, dword ptr fs:[00000030h] 9_2_02FF03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_02FF0469 mov eax, dword ptr fs:[00000030h] 9_2_02FF0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE0469 mov eax, dword ptr fs:[00000030h] 12_2_02AE0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE009C mov eax, dword ptr fs:[00000030h] 12_2_02AE009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE0397 mov eax, dword ptr fs:[00000030h] 12_2_02AE0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_02AE03F0 mov eax, dword ptr fs:[00000030h] 12_2_02AE03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_03290469 mov eax, dword ptr fs:[00000030h] 19_2_03290469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0329009C mov eax, dword ptr fs:[00000030h] 19_2_0329009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_032903F0 mov eax, dword ptr fs:[00000030h] 19_2_032903F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_03290397 mov eax, dword ptr fs:[00000030h] 19_2_03290397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A0469 mov eax, dword ptr fs:[00000030h] 24_2_008A0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A009C mov eax, dword ptr fs:[00000030h] 24_2_008A009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A03F0 mov eax, dword ptr fs:[00000030h] 24_2_008A03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_2_008A0397 mov eax, dword ptr fs:[00000030h] 24_2_008A0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_009203F0 mov eax, dword ptr fs:[00000030h] 29_2_009203F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_00920397 mov eax, dword ptr fs:[00000030h] 29_2_00920397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_0092009C mov eax, dword ptr fs:[00000030h] 29_2_0092009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 29_2_00920469 mov eax, dword ptr fs:[00000030h] 29_2_00920469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 30_2_029E009C mov eax, dword ptr fs:[00000030h] 30_2_029E009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 30_2_029E0397 mov eax, dword ptr fs:[00000030h] 30_2_029E0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 30_2_029E03F0 mov eax, dword ptr fs:[00000030h] 30_2_029E03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 30_2_029E0469 mov eax, dword ptr fs:[00000030h] 30_2_029E0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_02DE009C mov eax, dword ptr fs:[00000030h] 33_2_02DE009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_02DE0469 mov eax, dword ptr fs:[00000030h] 33_2_02DE0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_02DE03F0 mov eax, dword ptr fs:[00000030h] 33_2_02DE03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 33_2_02DE0397 mov eax, dword ptr fs:[00000030h] 33_2_02DE0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_029D009C mov eax, dword ptr fs:[00000030h] 36_2_029D009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_029D0397 mov eax, dword ptr fs:[00000030h] 36_2_029D0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_029D03F0 mov eax, dword ptr fs:[00000030h] 36_2_029D03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 36_2_029D0469 mov eax, dword ptr fs:[00000030h] 36_2_029D0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 38_2_00600469 mov eax, dword ptr fs:[00000030h] 38_2_00600469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 38_2_006003F0 mov eax, dword ptr fs:[00000030h] 38_2_006003F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 38_2_00600397 mov eax, dword ptr fs:[00000030h] 38_2_00600397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 38_2_0060009C mov eax, dword ptr fs:[00000030h] 38_2_0060009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 40_2_02AA0469 mov eax, dword ptr fs:[00000030h] 40_2_02AA0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 40_2_02AA009C mov eax, dword ptr fs:[00000030h] 40_2_02AA009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 40_2_02AA03F0 mov eax, dword ptr fs:[00000030h] 40_2_02AA03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 40_2_02AA0397 mov eax, dword ptr fs:[00000030h] 40_2_02AA0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_029E009C mov eax, dword ptr fs:[00000030h] 43_2_029E009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_029E0469 mov eax, dword ptr fs:[00000030h] 43_2_029E0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_029E0397 mov eax, dword ptr fs:[00000030h] 43_2_029E0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 43_2_029E03F0 mov eax, dword ptr fs:[00000030h] 43_2_029E03F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_029B009C mov eax, dword ptr fs:[00000030h] 44_2_029B009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_029B0469 mov eax, dword ptr fs:[00000030h] 44_2_029B0469
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_029B0397 mov eax, dword ptr fs:[00000030h] 44_2_029B0397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 44_2_029B03F0 mov eax, dword ptr fs:[00000030h] 44_2_029B03F0

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: loaddll32.exe, 00000000.00000002.522901850.0000000001900000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.526447012.0000000002D40000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.527266541.00000000033E0000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.343606007.0000000003920000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000000.369950611.0000000002AE0000.00000002.00020000.sdmp, rundll32.exe, 00000021.00000002.526535175.00000000036E0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000000.00000002.522901850.0000000001900000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.526447012.0000000002D40000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.527266541.00000000033E0000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.343606007.0000000003920000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000000.369950611.0000000002AE0000.00000002.00020000.sdmp, rundll32.exe, 00000021.00000002.526535175.00000000036E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.522901850.0000000001900000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.526447012.0000000002D40000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.527266541.00000000033E0000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.343606007.0000000003920000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000000.369950611.0000000002AE0000.00000002.00020000.sdmp, rundll32.exe, 00000021.00000002.526535175.00000000036E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.522901850.0000000001900000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.526447012.0000000002D40000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.527266541.00000000033E0000.00000002.00020000.sdmp, rundll32.exe, 00000013.00000000.343606007.0000000003920000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000000.369950611.0000000002AE0000.00000002.00020000.sdmp, rundll32.exe, 00000021.00000002.526535175.00000000036E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9269C cpuid 0_2_02F9269C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0040102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_0040102F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00401850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_00401850
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_02F9269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_02F9269C

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322676857.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474137548.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322202508.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473987515.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322499280.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488543169.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504757746.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417091528.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.530490300.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488696812.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416892582.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488440717.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416449935.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473902712.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505290500.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474356584.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417147272.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416620379.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505377175.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488723167.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504698368.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417041948.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474088169.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.528892428.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504300183.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322381939.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322406561.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504841805.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322337741.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474318739.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322575665.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504617318.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504419460.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488754897.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474399932.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488667528.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488635694.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416772424.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.530985686.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322291731.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474430335.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416968580.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: 25.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.47e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.rundll32.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.49a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.2df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.27c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.rundll32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.rundll32.exe.2ad0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.310878760.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.420794237.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.345060840.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518028253.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294274391.0000000003610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.522287201.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522835823.00000000026D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.520736013.0000000002DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.340961934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.441408261.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.426506350.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.502483591.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.366167651.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.346648661.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.512763307.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.433128810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.329480680.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.513121198.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.464297747.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.380004706.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.523877392.00000000027C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.305530234.00000000047E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.372926133.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.438165350.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.342868805.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.320841608.00000000007F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.459018631.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.389489795.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.364022083.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.347833864.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.371029885.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.477089969.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512650162.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.361319898.0000000000510000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 0000002C.00000003.488597994.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322676857.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474137548.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322202508.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473987515.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322499280.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488543169.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504757746.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417091528.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.530490300.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488696812.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416892582.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488440717.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416449935.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.473902712.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505290500.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474356584.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417147272.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416620379.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.505377175.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488723167.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504698368.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.417041948.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474088169.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.528892428.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504300183.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322381939.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322406561.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504841805.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322337741.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474318739.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322575665.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504617318.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.504419460.00000000033E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488754897.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474399932.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488667528.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000003.488635694.0000000006C68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416772424.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.530985686.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.322291731.0000000005168000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474430335.0000000004CC8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.416968580.00000000056A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4868, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7100, type: MEMORYSTR
Source: Yara match File source: 25.2.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.47e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.rundll32.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.49a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.26d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.rundll32.exe.610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3610000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.1420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.7f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.rundll32.exe.29f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.33b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.rundll32.exe.32a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.rundll32.exe.2df0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.27c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.32a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.rundll32.exe.2a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.rundll32.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.rundll32.exe.3ef0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.rundll32.exe.2ad0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.310878760.00000000033B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.420794237.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.345060840.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518028253.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294274391.0000000003610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.522287201.0000000002CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.522835823.00000000026D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.520736013.0000000002DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.340961934.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.441408261.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.426506350.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000002C.00000002.502483591.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.366167651.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.346648661.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.512763307.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.433128810.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.329480680.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.513121198.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000002.464297747.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.380004706.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.523877392.00000000027C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.305530234.00000000047E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.372926133.00000000049A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.438165350.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.342868805.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.320841608.00000000007F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.459018631.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.389489795.00000000029F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.364022083.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.347833864.0000000000920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.371029885.0000000003EF0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.477089969.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512650162.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.361319898.0000000000510000.00000040.00000001.sdmp, type: MEMORY