Windows Analysis Report qT9Qk5aKTk.dll

AV Detection:

Multi AV Scanner detection for submitted file

Source: qT9Qk5aKTk.dll	Virustotal: Detection: 80%			Perma Link
Source: qT9Qk5aKTk.dll	Metadefender: Detection: 59%			Perma Link
Source: qT9Qk5aKTk.dll	ReversingLabs: Detection: 82%

Antivirus / Scanner detection for submitted sample

Source: qT9Qk5aKTk.dll

Avira: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.loaddll32.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.regsvr32.exe.5e0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 31.2.rundll32.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files

Source: qT9Qk5aKTk.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49821 version: TLS 1.2

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		0_2_00EC12D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C812D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_00C812D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04B312D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		10_2_04B312D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_054712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		12_2_054712D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04F412D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		17_2_04F412D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 29_2_052D12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		29_2_052D12D4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49824 -> 13.225.29.191:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49887 -> 13.225.29.191:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49887 -> 13.225.29.191:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.7:49935 -> 13.225.29.204:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49935 -> 13.225.29.204:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.7:49938 -> 13.225.29.191:80

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.msn.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: geolocation.onetrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fimages.maennersache.de%2Fkunde-will-150-packungen-klopapier-umtauschen-john-paul-drake%2Cid%3D73f41081%2Cb%3Dmaennersache%2Cw%3D1600%2Crm%3Dsk.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2F824258cd-2488-4e7c-b171-dad87f56f610_1000x600.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5c635ff03c0adc713f159b2abe690081.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fc3cfcb8c707b14064f9cad58b478df43.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F6375ef5dcb44b841a2c82f366826a986.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F5f3d7819fc402dab11ff0cbe39c46367.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/MouQH3qgSHj8rVq2CjdZ/guD6i2fAIsR0IrZ7zv_/2Fg884tCuKHo7vJx28ckOK/PeUsib7MohdVp/hsP2dh6G/LbOHfPo3POSkJrn8i6_2FAi/5MivSFUwCP/GbFXfy5Ss56TDN93M/Lmrkp1CfI0wl/UQ_2FNpOa3h/8j_2FJtcVth8pZ/xW1yFjsbSZ4ddCtjBXOBw/FadwJ_2F/5k0k.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/9sYl8HCwVTgVyQ/NT8tJmO80ConCL2bjdFpK/YmrgZEf9KiUxgNmM/mbsOKShkLL9xEyV/cqM19yrWFAKIfNZCre/1_2F2h8X8/jegaI0S3pTjU6iR1JpPX/UMhOIwx5PH6P2vnzG0z/rGk07QRgyLizPAe2h48XfS/OWkfSj0_2F4iO/h7HzpUkv/m1kaqwRRUSi9pYEVBNe2Vsg/k_2FWV7h/Of76U6bg46X/dpq.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/SYju0gEPY/daXUIALH6wAr_2FEeL7Y/6GIgSGWYRYPOXzpvhXM/3guBTTFjN4dorGgaYOMkm4/M_2Bjjmvlz4ur/UEsZa_2B/wtLFrALI7COJAH4Q2eJxA3E/X6kgoUtw4W/_2FEmmXCN8gAZkdpR/hFpN7ViLd8Sb/HUuTC1Ynxdq/BFB70oLC0oipHY/frptiWELKhVA4yo7R_2Bx/tVP.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/nGZ4P_2FwoiJjdC/WbaZyFGl8u4o5V_2Bt/3MW1dlOE3/XNAi9tLxJCuE0YPRtZlT/uSBAv7K7l3rJyZ38tNQ/bWQ8urEO340TOAzpTLrfn1/g6N8UXuxX3Z6B/2PtIG78y/5FZLGxch4duFejHp2UCYdv6/DXApgqy328/SmC86X3WgjhyNBdkg/98vDKpf2NWlj/jd6j019UoWb/RKR_2BwuTm2z0Lvh4aKdTS/q.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ocsp.sca1b.amazontrust.comConnection: Keep-Alive

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.5:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49817 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49821 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

PE file has nameless sections

Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Uses 32bit PE files

Source: qT9Qk5aKTk.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00402154		0_2_00402154
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4094		0_2_00EC4094
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC97F2		0_2_00EC97F2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECB11C		0_2_00ECB11C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_005E2154		2_2_005E2154
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C84094		2_2_00C84094
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C897F2		2_2_00C897F2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C8B11C		2_2_00C8B11C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04B34094		10_2_04B34094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04B397F2		10_2_04B397F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04B3B11C		10_2_04B3B11C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0547B11C		12_2_0547B11C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_054797F2		12_2_054797F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_05474094		12_2_05474094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04F44094		17_2_04F44094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04F497F2		17_2_04F497F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04F4B11C		17_2_04F4B11C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 29_2_052DB11C		29_2_052DB11C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 29_2_052D97F2		29_2_052D97F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 29_2_052D4094		29_2_052D4094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 31_2_046B4094		31_2_046B4094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 31_2_046BB11C		31_2_046BB11C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 31_2_046B97F2		31_2_046B97F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 31_2_046B44A2		31_2_046B44A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 31_2_046B554A		31_2_046B554A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 31_2_046B27A7		31_2_046B27A7

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00401D9F NtMapViewOfSection,		0_2_00401D9F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00401EB5 GetProcAddress,NtCreateSection,memset,		0_2_00401EB5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00402375 NtQueryVirtualMemory,		0_2_00402375
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		0_2_00EC83B7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECB341 NtQueryVirtualMemory,		0_2_00ECB341
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E40285 NtProtectVirtualMemory,		0_2_00E40285
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E4009C NtAllocateVirtualMemory,		0_2_00E4009C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E40066 NtAllocateVirtualMemory,		0_2_00E40066
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_005E1D9F NtMapViewOfSection,		2_2_005E1D9F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_005E1EB5 GetProcAddress,NtCreateSection,memset,		2_2_005E1EB5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_005E2375 NtQueryVirtualMemory,		2_2_005E2375
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C883B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		2_2_00C883B7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C8B341 NtQueryVirtualMemory,		2_2_00C8B341
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF009C NtAllocateVirtualMemory,		3_2_00BF009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF0066 NtAllocateVirtualMemory,		3_2_00BF0066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF0285 NtProtectVirtualMemory,		3_2_00BF0285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0097009C NtAllocateVirtualMemory,		5_2_0097009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00970066 NtAllocateVirtualMemory,		5_2_00970066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00970285 NtProtectVirtualMemory,		5_2_00970285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00CA0066 NtAllocateVirtualMemory,		7_2_00CA0066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00CA0285 NtProtectVirtualMemory,		7_2_00CA0285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00CA009C NtAllocateVirtualMemory,		7_2_00CA009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00C90285 NtProtectVirtualMemory,		9_2_00C90285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00C90066 NtAllocateVirtualMemory,		9_2_00C90066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00C9009C NtAllocateVirtualMemory,		9_2_00C9009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04B383B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		10_2_04B383B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04B3B341 NtQueryVirtualMemory,		10_2_04B3B341
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00A80285 NtProtectVirtualMemory,		10_2_00A80285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00A8009C NtAllocateVirtualMemory,		10_2_00A8009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00A80066 NtAllocateVirtualMemory,		10_2_00A80066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_054783B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		12_2_054783B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0547B341 NtQueryVirtualMemory,		12_2_0547B341
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_03370066 NtAllocateVirtualMemory,		12_2_03370066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0337009C NtAllocateVirtualMemory,		12_2_0337009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_03370285 NtProtectVirtualMemory,		12_2_03370285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04F483B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		17_2_04F483B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04F4B341 NtQueryVirtualMemory,		17_2_04F4B341
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_033B009C NtAllocateVirtualMemory,		20_2_033B009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_033B0066 NtAllocateVirtualMemory,		20_2_033B0066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_033B0285 NtProtectVirtualMemory,		20_2_033B0285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_00A00066 NtAllocateVirtualMemory,		24_2_00A00066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 26_2_043F009C NtAllocateVirtualMemory,		26_2_043F009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 26_2_043F0066 NtAllocateVirtualMemory,		26_2_043F0066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 26_2_043F0285 NtProtectVirtualMemory,		26_2_043F0285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_00BC009C NtAllocateVirtualMemory,		27_2_00BC009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_00BC0285 NtProtectVirtualMemory,		27_2_00BC0285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_00BC0066 NtAllocateVirtualMemory,		27_2_00BC0066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 29_2_052D83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		29_2_052D83B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 29_2_052DB341 NtQueryVirtualMemory,		29_2_052DB341
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 33_2_001E009C NtAllocateVirtualMemory,		33_2_001E009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 33_2_001E0066 NtAllocateVirtualMemory,		33_2_001E0066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 33_2_001E0285 NtProtectVirtualMemory,		33_2_001E0285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 35_2_030E0066 NtAllocateVirtualMemory,		35_2_030E0066
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 35_2_030E0285 NtProtectVirtualMemory,		35_2_030E0285
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 35_2_030E009C NtAllocateVirtualMemory,		35_2_030E009C

PE file contains strange resources

Source: qT9Qk5aKTk.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qT9Qk5aKTk.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Windows\System32\loaddll32.exe	Section loaded: @ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ? .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: > .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: = .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: < .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ; .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: : .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 9 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 8 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 7 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 6 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 5 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 4 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 3 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 2 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 1 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 0 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: - .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: , .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: + .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: * .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ) .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ( .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ' .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: & .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: % .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: $ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: # .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ' .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ! .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ~ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: } .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: | .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: { .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: z .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: y .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: x .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: w .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: v .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: u .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: t .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: s .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: r .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: q .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: p .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: o .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: n .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: m .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: l .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: k .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: j .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: i .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: h .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: g .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: f .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: e .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: d .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: c .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: b .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: a .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ` .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: _ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ^ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ] .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: [ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: z .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: y .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: x .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: w .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: v .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: u .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: t .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: s .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: r .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: q .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: p .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: o .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: n .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: m .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: l .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: k .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: j .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: i .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: h .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: g .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: f .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: e .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: d .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: c .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: b .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: a .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: @ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ? .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: > .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: = .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: < .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ; .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: : .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 9 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 8 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 7 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 6 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 5 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 4 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 3 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 2 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 1 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: 0 .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: - .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: , .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: + .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: * .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ) .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ( .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ' .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: & .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: % .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: $ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: # .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ' .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ! .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ~ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: } .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: | .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: { .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: z .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: y .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: x .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: w .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: v .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: u .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: t .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: s .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: r .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: q .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: p .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: o .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: n .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: m .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: l .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: k .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: j .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: i .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: h .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: g .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: f .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: e .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: d .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: c .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: b .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: a .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ` .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: _ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ^ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ] .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: [ .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: z .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: y .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: x .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: w .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: v .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: u .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: t .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: s .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: r .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: q .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: p .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: o .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: n .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: m .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: l .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: k .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: j .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: i .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: h .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: g .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: f .dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: e .dll			Jump to behavior

PE file contains more sections than normal

Source: qT9Qk5aKTk.dll

Static PE information: Number of sections : 12 > 10

Sample is known by Antivirus

Source: qT9Qk5aKTk.dll	Virustotal: Detection: 80%
Source: qT9Qk5aKTk.dll	Metadefender: Detection: 59%
Source: qT9Qk5aKTk.dll	ReversingLabs: Detection: 82%

PE file has an executable .text section and no other executable section

Source: qT9Qk5aKTk.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Aquatically
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Episodically
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Kakapo
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Overdistantness
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Pseudopodal
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Microphage
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Cytost
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17428 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Reattach
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Vigia
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Preallable
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Amphistomous
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82954 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17440 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Americanistic
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Suprahumanity
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Eupyrchroite
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Splitbeak
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Andirin
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82974 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Drail
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Exequatur
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Meith
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17458 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17462 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Aquatically			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Episodically			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Kakapo			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Overdistantness			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Pseudopodal			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Microphage			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Cytost			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Reattach			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Vigia			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Preallable			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Amphistomous			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,DllRegisterServer			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Americanistic			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Suprahumanity			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Eupyrchroite			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Splitbeak			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Andirin			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Drail			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Exequatur			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qT9Qk5aKTk.dll,Meith			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17428 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82954 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17440 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:82974 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17458 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5080 CREDAT:17462 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: unknown unknown			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DAC6F608-1264-11EC-90E5-ECF4BB570DC9}.dat

Jump to behavior

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF9BFE7BA6DBA411D3.TMP

Jump to behavior

Classification label

Source: classification engine

Classification label: mal96.troj.evad.winDLL@64/163@14/7

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Contains functionality to enum processes or threads

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00EC757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00EC757F

Runs a DLL by calling functions

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00402143 push ecx; ret		0_2_00402153
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_004020F0 push ecx; ret		0_2_004020F9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECEAE5 push ds; retf		0_2_00ECEAEB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECE4C9 push ecx; ret		0_2_00ECE4CA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECAD50 push ecx; ret		0_2_00ECAD59
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECB10B push ecx; ret		0_2_00ECB11B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E40397 push dword ptr [esp+0Ch]; ret		0_2_00E403AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E40397 push dword ptr [esp+10h]; ret		0_2_00E403EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E4009C push dword ptr [ebp-0000027Ch]; ret		0_2_00E40231
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E4009C push dword ptr [ebp-00000284h]; ret		0_2_00E40284
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E4009C push dword ptr [esp+10h]; ret		0_2_00E40396
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E40066 push dword ptr [ebp-0000027Ch]; ret		0_2_00E4009B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E40005 push dword ptr [ebp-0000027Ch]; ret		0_2_00E40065
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_005E2143 push ecx; ret		2_2_005E2153
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_005E20F0 push ecx; ret		2_2_005E20F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C8E4C9 push ecx; ret		2_2_00C8E4CA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C8EAE5 push ds; retf		2_2_00C8EAEB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C8AD50 push ecx; ret		2_2_00C8AD59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C8B10B push ecx; ret		2_2_00C8B11B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF009C push dword ptr [ebp-0000027Ch]; ret		3_2_00BF0231
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF009C push dword ptr [ebp-00000284h]; ret		3_2_00BF0284
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF009C push dword ptr [esp+10h]; ret		3_2_00BF0396
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF0397 push dword ptr [esp+0Ch]; ret		3_2_00BF03AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF0397 push dword ptr [esp+10h]; ret		3_2_00BF03EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF0066 push dword ptr [ebp-0000027Ch]; ret		3_2_00BF009B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF0005 push dword ptr [ebp-0000027Ch]; ret		3_2_00BF0065
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00970397 push dword ptr [esp+0Ch]; ret		5_2_009703AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00970397 push dword ptr [esp+10h]; ret		5_2_009703EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0097009C push dword ptr [ebp-0000027Ch]; ret		5_2_00970231
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0097009C push dword ptr [ebp-00000284h]; ret		5_2_00970284
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0097009C push dword ptr [esp+10h]; ret		5_2_00970396

PE file contains sections with non-standard names

Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:
Source: qT9Qk5aKTk.dll	Static PE information: section name:

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00401745 LoadLibraryA,GetProcAddress,

0_2_00401745

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qT9Qk5aKTk.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call

Source: C:\Windows\SysWOW64\rundll32.exe

Stalling execution: Execution stalls by calling Sleep

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6528	Thread sleep time: -1667865539s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6528	Thread sleep count: 224 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6528	Thread sleep time: -112000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Found evasive API chain checking for process token information

Source: C:\Windows\SysWOW64\rundll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		0_2_00EC12D4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_00C812D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		2_2_00C812D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_04B312D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		10_2_04B312D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_054712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		12_2_054712D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_2_04F412D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		17_2_04F412D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 29_2_052D12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,		29_2_052D12D4

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00401745 LoadLibraryA,GetProcAddress,

0_2_00401745

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E403F0 mov eax, dword ptr fs:[00000030h]		0_2_00E403F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E40397 mov eax, dword ptr fs:[00000030h]		0_2_00E40397
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E4009C mov eax, dword ptr fs:[00000030h]		0_2_00E4009C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E40469 mov eax, dword ptr fs:[00000030h]		0_2_00E40469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF009C mov eax, dword ptr fs:[00000030h]		3_2_00BF009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF0397 mov eax, dword ptr fs:[00000030h]		3_2_00BF0397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF03F0 mov eax, dword ptr fs:[00000030h]		3_2_00BF03F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00BF0469 mov eax, dword ptr fs:[00000030h]		3_2_00BF0469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00970397 mov eax, dword ptr fs:[00000030h]		5_2_00970397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_009703F0 mov eax, dword ptr fs:[00000030h]		5_2_009703F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_0097009C mov eax, dword ptr fs:[00000030h]		5_2_0097009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_00970469 mov eax, dword ptr fs:[00000030h]		5_2_00970469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00CA0469 mov eax, dword ptr fs:[00000030h]		7_2_00CA0469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00CA009C mov eax, dword ptr fs:[00000030h]		7_2_00CA009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00CA03F0 mov eax, dword ptr fs:[00000030h]		7_2_00CA03F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00CA0397 mov eax, dword ptr fs:[00000030h]		7_2_00CA0397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00C90469 mov eax, dword ptr fs:[00000030h]		9_2_00C90469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00C9009C mov eax, dword ptr fs:[00000030h]		9_2_00C9009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00C903F0 mov eax, dword ptr fs:[00000030h]		9_2_00C903F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00C90397 mov eax, dword ptr fs:[00000030h]		9_2_00C90397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00A8009C mov eax, dword ptr fs:[00000030h]		10_2_00A8009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00A80469 mov eax, dword ptr fs:[00000030h]		10_2_00A80469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00A80397 mov eax, dword ptr fs:[00000030h]		10_2_00A80397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00A803F0 mov eax, dword ptr fs:[00000030h]		10_2_00A803F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_03370397 mov eax, dword ptr fs:[00000030h]		12_2_03370397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_033703F0 mov eax, dword ptr fs:[00000030h]		12_2_033703F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_03370469 mov eax, dword ptr fs:[00000030h]		12_2_03370469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0337009C mov eax, dword ptr fs:[00000030h]		12_2_0337009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_033B009C mov eax, dword ptr fs:[00000030h]		20_2_033B009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_033B03F0 mov eax, dword ptr fs:[00000030h]		20_2_033B03F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_033B0397 mov eax, dword ptr fs:[00000030h]		20_2_033B0397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 20_2_033B0469 mov eax, dword ptr fs:[00000030h]		20_2_033B0469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 26_2_043F009C mov eax, dword ptr fs:[00000030h]		26_2_043F009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 26_2_043F0397 mov eax, dword ptr fs:[00000030h]		26_2_043F0397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 26_2_043F03F0 mov eax, dword ptr fs:[00000030h]		26_2_043F03F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 26_2_043F0469 mov eax, dword ptr fs:[00000030h]		26_2_043F0469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_00BC009C mov eax, dword ptr fs:[00000030h]		27_2_00BC009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_00BC0397 mov eax, dword ptr fs:[00000030h]		27_2_00BC0397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_00BC03F0 mov eax, dword ptr fs:[00000030h]		27_2_00BC03F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 27_2_00BC0469 mov eax, dword ptr fs:[00000030h]		27_2_00BC0469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 33_2_001E009C mov eax, dword ptr fs:[00000030h]		33_2_001E009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 33_2_001E0397 mov eax, dword ptr fs:[00000030h]		33_2_001E0397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 33_2_001E03F0 mov eax, dword ptr fs:[00000030h]		33_2_001E03F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 33_2_001E0469 mov eax, dword ptr fs:[00000030h]		33_2_001E0469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 35_2_030E0469 mov eax, dword ptr fs:[00000030h]		35_2_030E0469
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 35_2_030E009C mov eax, dword ptr fs:[00000030h]		35_2_030E009C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 35_2_030E0397 mov eax, dword ptr fs:[00000030h]		35_2_030E0397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 35_2_030E03F0 mov eax, dword ptr fs:[00000030h]		35_2_030E03F0

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\qT9Qk5aKTk.dll',#1

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.647599368.0000000001100000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.650368021.0000000003110000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.650410553.0000000003460000.00000002.00020000.sdmp, rundll32.exe, 0000001F.00000002.651017968.00000000032A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00EC269C cpuid

0_2_00EC269C

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0040102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

0_2_0040102F

Contains functionality to query windows version

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00401850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_00401850

Contains functionality to query the account / user name

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00EC269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_00EC269C

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.364222279.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468105899.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468188061.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364616223.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.649016082.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375358568.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.652107409.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414632336.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375444270.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468218845.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.651754848.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375275190.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364320937.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364389953.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375222083.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468255149.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414450322.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414502049.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375580970.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.333121153.0000000006AF8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.648129313.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468276277.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375181159.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364453388.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414320429.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414602020.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468293136.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414538088.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468154438.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375508831.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414382047.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364561415.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.375609486.00000000010A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.468055904.0000000003008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364525253.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.364645701.0000000005318000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.414418494.0000000005028000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 1132, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 3528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5852, type: MEMORYSTR
Source: Yara match	File source: 12.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.rundll32.exe.d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.rundll32.exe.4420000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.rundll32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.33c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.rundll32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.e90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.rundll32.exe.30f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.rundll32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.ed0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.6a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.e70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.rundll32.exe.ec0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.d40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.646505839.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.647248023.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.646366246.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.420703816.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.369842357.0000000004420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.429260721.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.446457237.0000000002FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.395181120.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.304746856.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.644892830.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.644375086.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.644275596.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.404550110.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.458755671.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.325365679.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.358824695.0000000000A10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.413264520.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.330683030.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.646583406.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.298453588.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.342607248.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.290124643.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.346644009.0000000000E90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.378757708.00000000034B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.365645310.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.645252474.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.385594405.0000000000400000.00000040.00000001.sdmp, type: MEMORY