Windows Analysis Report MGrYFpGLQ7.dll

Overview

General Information

Sample Name: MGrYFpGLQ7.dll
Analysis ID: 481120
MD5: 8c7b2ff105963718fa3c26989e206041
SHA1: 831ece0ae6b5e2f373f75352e582abd61b5dd0d7
SHA256: 90d8648b2aac0c837286a4c042f02064cfbb12f45b3dc6b00b2beccc7fc35422

Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Found stalling execution ending in API Sleep call
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain checking for process token information
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: MGrYFpGLQ7.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: MGrYFpGLQ7.dll Virustotal: Detection: 82%
Source: MGrYFpGLQ7.dll Metadefender: Detection: 59%
Source: MGrYFpGLQ7.dll ReversingLabs: Detection: 88%
Machine Learning detection for sample
Source: MGrYFpGLQ7.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.rundll32.exe.510000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 2.2.regsvr32.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.5f0000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: MGrYFpGLQ7.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C732BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00C732BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_040832BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_040832BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047B32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 6_2_047B32BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BF32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 9_2_04BF32BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C032BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 12_2_04C032BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_043532BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 16_2_043532BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_067732BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 18_2_067732BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FD32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 21_2_04FD32BA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49859 -> 13.225.29.132:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49859 -> 13.225.29.132:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49863 -> 13.225.29.132:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49907 -> 13.225.29.132:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49907 -> 13.225.29.132:80
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown DNS traffic detected: queries for: www.msn.com
Source: global traffic HTTP traffic detected: GET /cookieconsentpub/v1/geo/location HTTP/1.1
    Accept: application/javascript, */*;q=0.8
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: geolocation.onetrust.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/https://s.yimg.com/av/ads/1621266752856-586.jpg HTTP/1.1
    Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
    Referer: https://www.msn.com/de-ch/?ocid=iehp
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: s.yimg.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/GCf_2BVR4BU/cjyHO8rEu0PLMD/ddrHkS9VDXWI2BqJDWdKp/yP_2BPG48oRDpm0g/SrPkMCydca7dHbV/D9P1tAQMBBq8SvLL_2/BTpaf4v7U/VLIzcVH0j4WxrbYHQOZI/wYP1aj2dECCu_2F_2BC/mIwNPWeBCD7IMCmF8HTTO6/vdW_2F0_2BicH/w8p9PjDD/HtrueVxg_2FcH01kfOOydSo/XvV_2FKbIAaOsHpHpe/wMhAw.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/U6TeZm2GqJwloJv5oZSeI/2t0wwSFx0OdeCqwq/a5th_2BJswZzpBo/iTJZVc_2BHgWPPB64R/K3cCyKXGA/pha07BC_2FbaaosXoWHU/mqeKc0qKA2IsvzCoLJ0/i_2FxmVXC6GOzmCalRHRBS/X4qBHSkzHz0Gv/sQEy9HR7/NTPicd5UJLmarL1TQsRZspC/zIbC4QSojh/SXfsKqnthINSBZ4Hv/INUqZbTg0z/T.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/GosV5rx1jUm_2/FeMYZexn/3AHfZUbwKtZ24NdOcSq0RlX/SFVlCboKYZ/q19iLR0UiFTMXXHua/7HDwQVQwW_2B/P2MZpE_2Fn2/TKqFG_2F5mAVKf/ACPvjzozYdfDpfYzdrt73/e9vTiEyeXLfMugv6/YOqbGPGETO_2FyR/6XOvuQnB29hcTxcqfB/1cP6Y9M6Q/pKhEyMS_2BB/ySEZOj.avi HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: ocsp.sca1b.amazontrust.com
    Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.20.184.68:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.5:49819 version: TLS 1.2
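The two Snort alerts above (ET 2033203 "URI Struct M1 (_2B)" and 2033204 "URI Struct M2 (_2F)") fire on the `_2B` and `_2F` tokens in the GET paths sent to 13.225.29.132, and the three `/images/.../*.avi` requests listed under the HTTP traffic are the matching beacons. The following is an added triage example written for this page; it is not Joe Sandbox or Emerging Threats code. It parses those three requests (rebuilt as CRLF-separated HTTP, since the report prints the headers run together) plus the report's own benign s.yimg.com request as a control, counts the M1/M2 tokens the rules look for, and re-joins the slash-split segments to recover the underlying blob. Two things in it are my assumptions rather than facts stated in the report: that `_` stands in for a percent sign throughout (the report only shows `_2B` and `_2F`, so `_` to `%` followed by URL-decoding is the generalisation), and that the first directory (`images`) and the `.avi` suffix are decoys to be stripped. It also shows why counting tokens in the raw URI alone is lossy: in the first beacon one `_2B` is cut in half by a `/` (`..._2/BTpaf...`) and only reappears after re-joining.

```python
"""Triage heuristic for the Ursnif C2 URI structure behind ET 2033203 / 2033204.
Added example for this report page; not Joe Sandbox or Emerging Threats code."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Sample input, constructed inline so the script runs offline: the three beacon
# requests from this report, rebuilt as proper CRLF-separated HTTP, plus the
# report's own benign s.yimg.com request (made by the IE homepage) as a control.
REQUESTS = [
    "GET /images/GCf_2BVR4BU/cjyHO8rEu0PLMD/ddrHkS9VDXWI2BqJDWdKp/yP_2BPG48oRDpm0g/"
    "SrPkMCydca7dHbV/D9P1tAQMBBq8SvLL_2/BTpaf4v7U/VLIzcVH0j4WxrbYHQOZI/wYP1aj2dECCu_2F_2BC/"
    "mIwNPWeBCD7IMCmF8HTTO6/vdW_2F0_2BicH/w8p9PjDD/HtrueVxg_2FcH01kfOOydSo/XvV_2FKbIAaOsHpHpe/"
    "wMhAw.avi HTTP/1.1\r\nHost: ocsp.sca1b.amazontrust.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /images/U6TeZm2GqJwloJv5oZSeI/2t0wwSFx0OdeCqwq/a5th_2BJswZzpBo/iTJZVc_2BHgWPPB64R/"
    "K3cCyKXGA/pha07BC_2FbaaosXoWHU/mqeKc0qKA2IsvzCoLJ0/i_2FxmVXC6GOzmCalRHRBS/X4qBHSkzHz0Gv/"
    "sQEy9HR7/NTPicd5UJLmarL1TQsRZspC/zIbC4QSojh/SXfsKqnthINSBZ4Hv/INUqZbTg0z/"
    "T.avi HTTP/1.1\r\nHost: ocsp.sca1b.amazontrust.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /images/GosV5rx1jUm_2/FeMYZexn/3AHfZUbwKtZ24NdOcSq0RlX/SFVlCboKYZ/q19iLR0UiFTMXXHua/"
    "7HDwQVQwW_2B/P2MZpE_2Fn2/TKqFG_2F5mAVKf/ACPvjzozYdfDpfYzdrt73/e9vTiEyeXLfMugv6/"
    "YOqbGPGETO_2FyR/6XOvuQnB29hcTxcqfB/1cP6Y9M6Q/pKhEyMS_2BB/"
    "ySEZOj.avi HTTP/1.1\r\nHost: ocsp.sca1b.amazontrust.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /lo/api/res/1.2/BWUYr.M5U6.kf035wsX8Lg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1pbmk7cT0xMDA-/"
    "https://s.yimg.com/av/ads/1621266752856-586.jpg HTTP/1.1\r\nHost: s.yimg.com\r\n\r\n",
]

_REQUEST_LINE = re.compile(r"^(?:GET|POST)\s+(\S+)\s+HTTP/1\.[01]$")
_BASE64_BODY = re.compile(r"[A-Za-z0-9+/]+={0,2}")


@dataclass(frozen=True)
class Verdict:
    host: str
    path: str
    depth: int          # non-empty path segments
    plus_tokens: int    # literal "_2B" in the raw URI (what ET ... M1 matches)
    slash_tokens: int   # literal "_2F" in the raw URI (what ET ... M2 matches)
    blob: str           # segments re-joined and '_' -> '%' undone
    suspicious: bool


def parse_request(raw: str) -> tuple[str, str]:
    """Return (Host header, request path) from one raw HTTP/1.x request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = _REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("not an HTTP/1.x request line: %r" % lines[0])
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return host, match.group(1)


def recover_blob(path: str) -> str:
    """Re-join the slash-split segments and undo the '%' -> '_' substitution.
    Assumptions (mine, not stated in the report): the first segment is a decoy
    directory ("images" here) and the trailing ".ext" is a decoy extension."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:
        return ""
    payload = "".join(segments[1:])
    if "." in payload:
        payload = payload.rsplit(".", 1)[0]
    # "_2B" -> "%2B" -> "+", "_2F" -> "%2F" -> "/"; unknown "%xy" is left alone.
    return unquote(payload.replace("_", "%"))


def looks_like_base64(blob: str) -> bool:
    return len(blob) >= 32 and _BASE64_BODY.fullmatch(blob) is not None


def analyse(raw: str, min_depth: int = 4) -> Verdict:
    host, path = parse_request(raw)
    depth = len([s for s in path.split("/") if s])
    plus, slash = path.count("_2B"), path.count("_2F")
    blob = recover_blob(path)
    # A token can straddle a segment boundary ("..._2/B..."), which the raw counts
    # miss, so the decision is made on the re-joined blob, not on plus/slash.
    suspicious = (depth >= min_depth and looks_like_base64(blob)
                  and ("+" in blob or "/" in blob))
    return Verdict(host, path, depth, plus, slash, blob, suspicious)


def triage(requests=REQUESTS) -> list[Verdict]:
    return [analyse(r) for r in requests]


if __name__ == "__main__":
    for v in triage():
        flag = "URSNIF-LIKE" if v.suspicious else "ok"
        print(f"{flag:12} host={v.host} depth={v.depth} "
              f"M1(_2B)={v.plus_tokens} M2(_2F)={v.slash_tokens} blob_len={len(v.blob)}")
```

Two caveats follow from the report itself. First, the Host header on the beacons names a public OCSP responder while the Snort alerts point at 13.225.29.132:80, so the host name is not a safe allow-list signal here; the rules, and this heuristic, key on the URI. Second, this is a triage heuristic, not a decoder: the recovered blob is still the malware's encrypted payload, and a benign site with deep paths that happen to contain `_2B`/`_2F` would also be flagged, so treat a hit as a lead to confirm against the Yara and process evidence below.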

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.355232631.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314377890.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391622099.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314521084.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355592572.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314475815.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367003924.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391468389.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370680495.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311090164.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313451317.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370551662.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391668872.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314245766.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391696489.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391496685.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355040596.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314318653.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311152381.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391727857.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311865061.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311345831.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391695930.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.311422020.0000000006CB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.370336241.0000000006AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311203958.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.313929901.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311769510.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311540194.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314268795.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355268021.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.361195316.00000000074A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391358945.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370621844.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311670564.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313872965.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391766298.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311984449.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.312268208.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314181933.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391634804.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313395188.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366812647.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355464241.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366846077.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370930604.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.528368895.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.525372552.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311633818.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.328237107.0000000005588000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.526965041.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366987894.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370755681.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.346412042.0000000006C48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370579660.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314563024.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355144752.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366907200.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391423871.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.354973566.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313701626.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391783104.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391671709.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366961006.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311364814.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366875687.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313576458.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311042721.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391794887.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370911517.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391520743.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311282599.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355518422.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.310694636.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391596036.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314078107.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314146839.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311573394.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370793730.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.527384744.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367026517.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.355232631.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314377890.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391622099.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314521084.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355592572.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314475815.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367003924.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391468389.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370680495.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311090164.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313451317.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370551662.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391668872.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314245766.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391696489.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391496685.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355040596.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314318653.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311152381.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391727857.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311865061.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311345831.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391695930.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.311422020.0000000006CB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.370336241.0000000006AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311203958.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.313929901.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311769510.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311540194.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314268795.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355268021.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.361195316.00000000074A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391358945.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370621844.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311670564.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313872965.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391766298.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311984449.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.312268208.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314181933.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391634804.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313395188.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366812647.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355464241.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366846077.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370930604.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.528368895.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.525372552.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311633818.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.328237107.0000000005588000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.526965041.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366987894.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370755681.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.346412042.0000000006C48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370579660.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314563024.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355144752.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366907200.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391423871.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.354973566.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313701626.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391783104.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391671709.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366961006.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311364814.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366875687.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313576458.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311042721.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391794887.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370911517.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391520743.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311282599.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355518422.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.310694636.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391596036.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314078107.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314146839.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311573394.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370793730.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.527384744.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367026517.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
(the three rundll32.exe entries above appear 8 times consecutively in the report; 8 rundll32.exe processes are listed under the Yara matches above)
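The StdRegProv rows above show registry reads and writes routed through WMI rather than the Win32 registry API. Because StdRegProv executes inside the WMI provider host, the resulting writes are attributed to WmiPrvSE.exe in registry telemetry such as Sysmon Event ID 13, not to loaddll32.exe, regsvr32.exe or rundll32.exe, which is why user-mode hooks placed in the calling process do not see them. The Python below is an added triage helper, not part of this Joe Sandbox report or of Joe Sandbox's own tooling: it parses evidence rows in the format shown on this page, separates StdRegProv reads from writes per process, and also detects runs of single-byte or blank module names like those listed under "Tries to load missing DLLs" further down, a pattern consistent with a LoadLibrary loop stepping through byte values. The sample rows inside the block are constructed to match the page's row format, and the write-method list is StdRegProv's documented method set, not something taken from the report.

```python
"""Triage helper for the evidence rows in a Joe Sandbox 'System Summary'.

Added example, not part of the sandbox report or Joe Sandbox's own tooling.
It parses the two row formats shown on this page (WMI StdRegProv method
calls and 'Section loaded' rows) and reduces them to a per-process summary
plus any run of single-byte module names, the pattern produced by a
LoadLibrary loop that walks a byte value through the character set.
"""
import re
from collections import defaultdict

# Row formats copied from the report. "Jump to behavior" is link text left
# over from the interactive page and is tolerated on any row.
WMI_RE = re.compile(
    r"^Source: (?P<proc>\S+) WMI (?:Queries|Registry write): "
    r"IWbemServices::ExecMethod - (?P<ns>\S+) : StdRegProv::(?P<method>\w+)$"
)
LOAD_RE = re.compile(r"^Source: (?P<proc>\S+) Section loaded: (?P<name>.*)$")

# StdRegProv methods that modify the registry (the others read or enumerate).
WRITE_METHODS = {
    "SetDWORDValue", "SetQWORDValue", "SetBinaryValue", "SetStringValue",
    "SetExpandedStringValue", "SetMultiStringValue",
    "CreateKey", "DeleteKey", "DeleteValue", "SetSecurityDescriptor",
}

# Constructed sample rows in the report's format (not a real report excerpt).
SAMPLE = r"""
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe Section loaded: lpk.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: msafd.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: @ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ? .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: > .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel32.dll Jump to behavior
""".strip().splitlines()


def strip_link_text(row: str) -> str:
    """Drop the interactive-page link text so the regexes see a clean row."""
    return row.replace(" Jump to behavior", "").strip()


def summarize_wmi(rows):
    """Return {process: {"read": set(methods), "write": set(methods)}}.

    The same call is listed under both 'WMI Queries' and 'WMI Registry write'
    in the report, so sets are used to deduplicate.
    """
    summary = defaultdict(lambda: {"read": set(), "write": set()})
    for row in rows:
        m = WMI_RE.match(strip_link_text(row))
        if m:
            kind = "write" if m["method"] in WRITE_METHODS else "read"
            summary[m["proc"]][kind].add(m["method"])
    return dict(summary)


def _probe_name(row: str):
    """Return (process, base_name) for a 'Section loaded' row whose module
    base name is a single character or blank (unprintable); else None."""
    m = LOAD_RE.match(strip_link_text(row))
    if not m or not m["name"].lower().endswith(".dll"):
        return None
    base = m["name"][:-4].strip()
    return (m["proc"], base) if len(base) <= 1 else None


def find_probe_runs(rows, min_run=3):
    """Group consecutive single-byte module loads per process.

    Returns [(process, run_length, first_name, last_name), ...] for runs of
    at least min_run rows; a real module name (e.g. lpk.dll) ends a run.
    """
    runs, cur = [], None  # cur = [proc, count, first, last]
    for row in rows:
        hit = _probe_name(row)
        if hit and cur and cur[0] == hit[0]:
            cur[1] += 1
            cur[3] = hit[1]
            continue
        if cur and cur[1] >= min_run:
            runs.append(tuple(cur))
        cur = [hit[0], 1, hit[1], hit[1]] if hit else None
    if cur and cur[1] >= min_run:
        runs.append(tuple(cur))
    return runs


if __name__ == "__main__":
    for proc, kinds in summarize_wmi(SAMPLE).items():
        print(f"{proc}: reads={sorted(kinds['read'])} writes={sorted(kinds['write'])}")
    for proc, n, first, last in find_probe_runs(SAMPLE):
        print(f"{proc}: {n} single-byte module loads, {first!r} .. {last!r}")
```

Run against a full report, the write set per process is what to pivot on in endpoint logs: look for the same value names under WmiPrvSE.exe registry events in the same time window, since the sandbox attributes the ExecMethod call to the caller but the host's registry telemetry will not.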
Uses 32bit PE files
Source: MGrYFpGLQ7.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Tries to load missing DLLs
Source: C:\Windows\System32\loaddll32.exe Section loaded: lpk.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msafd.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: @ .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ? .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: > .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: = .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: < .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ; .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: : .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 9 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 8 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 7 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 6 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 5 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 4 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 3 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 2 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 1 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 0 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: - .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: , .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: + .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: * .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ) .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ( .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ' .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: & .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: % .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: $ .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: # .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: " .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ! .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll (this entry, with a blank module name, is repeated 161 times consecutively in the report)
Source: C:\Windows\System32\loaddll32.exe Section loaded: ~ .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: } .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: | .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: { .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: z .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: y .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: x .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: w .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: v .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: u .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: t .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: s .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: r .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: q .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: p .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: o .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: n .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: m .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: l .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: k .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: j .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: i .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: h .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: g .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: f .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: e .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: d .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: c .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: b .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: a .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ` .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: _ .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ^ .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ] .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: [ .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: z .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: y .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: x .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: w .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: v .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: u .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: t .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: s .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: r .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: q .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: p .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: o .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: n .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: m .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: l .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: k .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: j .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: i .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: h .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: g .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: f .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: e .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: d .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: c .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: b .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: a .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: @ .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ? .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: > .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: = .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: < .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ; .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: : .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 9 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 8 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 7 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 6 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 5 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 4 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 3 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 2 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 1 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: 0 .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: - .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: , .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: + .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: * .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ) .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ( .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ' .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: & .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: % .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: $ .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: # .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: " .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ! .dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ~ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: } .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: | .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: { .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: z .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: y .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: x .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: w .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: v .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: u .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: t .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: s .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: r .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: q .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: p .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: o .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: n .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: m .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: l .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: k .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: j .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: i .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: h .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: g .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: f .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: e .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: d .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: c .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: b .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: a .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ` .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: _ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ^ .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: ] .dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: [ .dll Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F21D4 0_2_005F21D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C7B0DC 0_2_00C7B0DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C75920 0_2_00C75920
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_004021D4 2_2_004021D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005121D4 3_2_005121D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0408B0DC 3_2_0408B0DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04085920 3_2_04085920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047BB0DC 6_2_047BB0DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047B5920 6_2_047B5920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BFB0DC 9_2_04BFB0DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BF5920 9_2_04BF5920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C0B0DC 12_2_04C0B0DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C05920 12_2_04C05920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0435B0DC 16_2_0435B0DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_04355920 16_2_04355920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0677B0DC 18_2_0677B0DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_06775920 18_2_06775920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FDB0DC 21_2_04FDB0DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FD5920 21_2_04FD5920
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F10BA NtMapViewOfSection, 0_2_005F10BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F1A34 GetProcAddress,NtCreateSection,memset, 0_2_005F1A34
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F23F5 NtQueryVirtualMemory, 0_2_005F23F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C771B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00C771B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C7B2FD NtQueryVirtualMemory, 0_2_00C7B2FD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C2009C NtAllocateVirtualMemory, 0_2_00C2009C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C2029D NtProtectVirtualMemory, 0_2_00C2029D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C20066 NtAllocateVirtualMemory, 0_2_00C20066
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00401A34 GetProcAddress,NtCreateSection,memset, 2_2_00401A34
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_004010BA NtMapViewOfSection, 2_2_004010BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_004023F5 NtQueryVirtualMemory, 2_2_004023F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00511A34 GetProcAddress,NtCreateSection,memset, 3_2_00511A34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005110BA NtMapViewOfSection, 3_2_005110BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005123F5 NtQueryVirtualMemory, 3_2_005123F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_040871B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_040871B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0408B2FD NtQueryVirtualMemory, 3_2_0408B2FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D0066 NtAllocateVirtualMemory, 3_2_005D0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D029D NtProtectVirtualMemory, 3_2_005D029D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D009C NtAllocateVirtualMemory, 3_2_005D009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047B71B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_047B71B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047BB2FD NtQueryVirtualMemory, 6_2_047BB2FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BF71B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 9_2_04BF71B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BFB2FD NtQueryVirtualMemory, 9_2_04BFB2FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C071B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 12_2_04C071B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C0B2FD NtQueryVirtualMemory, 12_2_04C0B2FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_043571B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 16_2_043571B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0435B2FD NtQueryVirtualMemory, 16_2_0435B2FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0098009C NtAllocateVirtualMemory, 16_2_0098009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0098029D NtProtectVirtualMemory, 16_2_0098029D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00980066 NtAllocateVirtualMemory, 16_2_00980066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_067771B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 18_2_067771B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0677B2FD NtQueryVirtualMemory, 18_2_0677B2FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A0066 NtAllocateVirtualMemory, 18_2_045A0066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A009C NtAllocateVirtualMemory, 18_2_045A009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A029D NtProtectVirtualMemory, 18_2_045A029D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FD71B9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 21_2_04FD71B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FDB2FD NtQueryVirtualMemory, 21_2_04FDB2FD
Source: MGrYFpGLQ7.dll Virustotal: Detection: 82%
Source: MGrYFpGLQ7.dll Metadefender: Detection: 59%
Source: MGrYFpGLQ7.dll ReversingLabs: Detection: 88%
Source: MGrYFpGLQ7.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C756A2 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00C756A2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MGrYFpGLQ7.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Bighearted
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Soaking
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Turnipy
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82952 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17414 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82954 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Watertight
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Dithery
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anhimae
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82976 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anostraca
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17438 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anaerobian
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:83004 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Sparsile
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,DllUnregisterServer
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17452 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:83036 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17470 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MGrYFpGLQ7.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Bighearted Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Soaking Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Turnipy Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Watertight Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Dithery Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anhimae Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anostraca Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Anaerobian Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,Sparsile Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MGrYFpGLQ7.dll,DllUnregisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82952 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17414 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82954 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:82976 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17438 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:83004 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17452 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:83036 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4728 CREDAT:17470 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{97212EC2-1265-11EC-90E5-ECF4BB570DC9}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFCC71BE5E716F720A.TMP Jump to behavior
Source: classification engine Classification label: mal88.troj.evad.winDLL@51/187@14/6
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

PE file contains an invalid checksum
Source: MGrYFpGLQ7.dll Static PE information: real checksum: 0x247b4 should be: 0x24148
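The two Data Obfuscation findings in this section, the checksum mismatch above and the push/ret sequences listed below, can both be reproduced offline from the file bytes. The following Python is an added example written for this page, not code from the report or from the sandbox vendor: it recomputes the PE header checksum with the 16-bit one's-complement algorithm MapFileAndCheckSum uses (skipping the CheckSum field itself, then adding the file length) and flags a mismatch, and it scans raw x86-32 bytes for the push/ret forms the report lists and returns the unconditional jump each one is equivalent to. The 312-byte PE skeleton and the 23-byte code buffer are constructed test inputs, not bytes from MGrYFpGLQ7.dll; the pushfd/retf variant from the report is not decoded.

```python
"""Added example (not part of the sandbox report): reproduce the two Data
Obfuscation findings offline with the standard library only. All input bytes
below are constructed test data, not taken from the analysed sample."""
import struct


def _checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 64      # signature + COFF header + offset of CheckSum


def pe_checksum(data: bytes) -> int:
    """Checksum the Windows loader expects: one's-complement sum of all 16-bit
    words except the CheckSum field, folded to 16 bits, plus the file length."""
    skip = _checksum_field_offset(data)
    padded = data + b"\0" * (len(data) % 2)        # pad odd length to whole words
    total = 0
    for off in range(0, len(padded), 2):
        if off == skip or off == skip + 2:          # the field itself is excluded
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)    # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def checksum_matches(data: bytes) -> bool:
    """False for a header patched or packed after linking, as in the report.
    A stored value of 0 means 'never set' (common for unsigned binaries)."""
    return stored_checksum(data) == pe_checksum(data)


def minimal_pe(stored: int) -> bytes:
    """Constructed 312-byte PE32 header skeleton with no sections (test data)."""
    buf = bytearray(64 + 4 + 20 + 224)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 64)                  # e_lfanew
    buf[64:68] = b"PE\0\0"
    struct.pack_into("<HH", buf, 68, 0x014C, 0)            # Machine=i386, 0 sections
    struct.pack_into("<HH", buf, 84, 224, 0x2102)          # SizeOfOptionalHeader, EXE|32BIT|DLL
    struct.pack_into("<H", buf, 88, 0x10B)                 # PE32 magic
    struct.pack_into("<I", buf, 152, stored)               # CheckSum field (88 + 64)
    return bytes(buf)


def push_ret_sites(code: bytes, base: int = 0):
    """Scan raw x86-32 bytes for 'push <operand>; ret' and return
    (address, length, disassembly, equivalent jump) tuples. Handled forms are
    the ones the report lists: push r32, push imm32, push dword ptr [ebp+disp32],
    push dword ptr [esp+disp8]."""
    regs = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
    hits, i = [], 0
    while i < len(code):
        b = code[i]
        operand = length = None
        if 0x50 <= b <= 0x57:                                   # push r32
            operand, length = regs[b - 0x50], 1
        elif b == 0x68 and i + 5 <= len(code):                  # push imm32
            operand = "0x%08x" % struct.unpack_from("<I", code, i + 1)[0]
            length = 5
        elif b == 0xFF and i + 6 <= len(code) and code[i + 1] == 0xB5:   # FF /6 [ebp+disp32]
            disp = struct.unpack_from("<i", code, i + 2)[0]
            operand, length = "dword ptr [ebp%+#x]" % disp, 6
        elif b == 0xFF and i + 4 <= len(code) and code[i + 1:i + 3] == b"\x74\x24":  # FF /6 [esp+disp8]
            disp = struct.unpack_from("<b", code, i + 3)[0]
            operand, length = "dword ptr [esp%+#x]" % disp, 4
        if operand is not None and i + length < len(code) and code[i + length] == 0xC3:
            hits.append((base + i, length + 1, "push %s; ret" % operand, "jmp %s" % operand))
            i += length + 1                                     # skip the matched sequence
        else:
            i += 1
    return hits


# Constructed code buffer covering each push/ret form from the report.
CODE = (b"\x90\x90"
        + b"\x51\xC3"                       # push ecx; ret
        + b"\x68\x78\x56\x34\x12\xC3"       # push 0x12345678; ret
        + b"\xFF\xB5\x28\xFF\xFF\xFF\xC3"   # push dword ptr [ebp-0xd8]; ret
        + b"\xFF\x74\x24\x10\xC3"           # push dword ptr [esp+0x10]; ret
        + b"\x90")
```

Calling checksum_matches() on the real file reproduces the report's verdict; a stored CheckSum of 0 should be read as "not set" rather than "tampered", whereas a non-zero value that fails to verify usually means the header was edited or the file was packed after the linker wrote it. Each push/ret site reduces to a jump whose target a linear disassembler never sees as a branch, which is why the report counts it as obfuscation; short push/ret stubs can also appear in legitimate code, so the pattern is supporting evidence, weighted here by the invalid checksum, the garbage DLL names probed above and the NtCreateSection/NtMapViewOfSection chain listed under native functions.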
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F21C3 push ecx; ret 0_2_005F21D3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F2170 push ecx; ret 0_2_005F2179
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C7B0CB push ecx; ret 0_2_00C7B0DB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C7AD10 push ecx; ret 0_2_00C7AD19
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C2009C push dword ptr [ebp-000000D8h]; ret 0_2_00C20252
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C2009C push dword ptr [ebp-000000E0h]; ret 0_2_00C2029C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C2009C push dword ptr [esp+10h]; ret 0_2_00C203AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C203AC push dword ptr [esp+0Ch]; ret 0_2_00C203BF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C203AC push dword ptr [esp+10h]; ret 0_2_00C20404
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C20066 push dword ptr [ebp-000000D8h]; ret 0_2_00C2009B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C20005 push dword ptr [ebp-000000D8h]; ret 0_2_00C20065
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_004021C3 push ecx; ret 2_2_004021D3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00402170 push ecx; ret 2_2_00402179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005121C3 push ecx; ret 3_2_005121D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00512170 push ecx; ret 3_2_00512179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0408B0CB push ecx; ret 3_2_0408B0DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0408AD10 push ecx; ret 3_2_0408AD19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D0066 push dword ptr [ebp-000000D8h]; ret 3_2_005D009B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D0005 push dword ptr [ebp-000000D8h]; ret 3_2_005D0065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D009C push dword ptr [ebp-000000D8h]; ret 3_2_005D0252
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D009C push dword ptr [ebp-000000E0h]; ret 3_2_005D029C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D009C push dword ptr [esp+10h]; ret 3_2_005D03AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D03AC push dword ptr [esp+0Ch]; ret 3_2_005D03BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D03AC push dword ptr [esp+10h]; ret 3_2_005D0404
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047BB0CB push ecx; ret 6_2_047BB0DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047BD341 pushfd ; retf 6_2_047BD342
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047BAD10 push ecx; ret 6_2_047BAD19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BFB0CB push ecx; ret 9_2_04BFB0DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BFAD10 push ecx; ret 9_2_04BFAD19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C0B0CB push ecx; ret 12_2_04C0B0DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C0AD10 push ecx; ret 12_2_04C0AD19
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\MGrYFpGLQ7.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.355232631.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314377890.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391622099.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314521084.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355592572.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314475815.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367003924.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391468389.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370680495.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311090164.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313451317.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370551662.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391668872.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314245766.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391696489.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391496685.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355040596.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314318653.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311152381.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391727857.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311865061.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311345831.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391695930.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.311422020.0000000006CB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.370336241.0000000006AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311203958.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.313929901.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311769510.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311540194.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314268795.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355268021.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.361195316.00000000074A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391358945.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370621844.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311670564.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313872965.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391766298.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311984449.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.312268208.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314181933.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391634804.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313395188.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366812647.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355464241.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366846077.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370930604.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.528368895.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.525372552.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311633818.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.328237107.0000000005588000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.526965041.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366987894.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370755681.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.346412042.0000000006C48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370579660.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314563024.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355144752.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366907200.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391423871.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.354973566.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313701626.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391783104.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391671709.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366961006.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311364814.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366875687.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313576458.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311042721.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391794887.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370911517.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391520743.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311282599.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355518422.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.310694636.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391596036.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314078107.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314146839.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311573394.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370793730.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.527384744.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367026517.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (40 occurrences)

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Windows\SysWOW64\rundll32.exe Stalling execution: Execution stalls by calling Sleep
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2620 Thread sleep count: 170 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2620 Thread sleep time: -85000s >= -30000s
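The two lines above are a per-thread aggregate: 170 Sleep calls on one regsvr32 thread, 85,000 ms in total, each checked against a threshold (30 calls, 30,000 ms). The block below is an added example of that aggregation, not code from the report or from Joe Sandbox; the trace-line format, the `delay_ms` conversion and the sample trace are all constructed for this example, and the reading of the report's `-85000s >= -30000s` as 85,000 ms against a 30,000 ms threshold is an assumption (the sign mirrors NtDelayExecution's negative relative intervals). It handles both `Sleep(ms)` and the native `NtDelayExecution` form, whose negative argument is a relative interval in 100 ns units, so a single long native wait is caught by the time threshold even though it never trips the call-count one.

```python
import re
from collections import defaultdict

# Thresholds taken from the report's own comparisons ("170 > 30", "85000 >= 30000").
MAX_SLEEP_CALLS = 30
MAX_SLEEP_TOTAL_MS = 30_000

# Hypothetical API-trace line format, one call per line (constructed for this example).
LINE_RE = re.compile(r"pid=(\d+)\s+tid=(\d+)\s+api=(\w+)\s+args=(-?\d+)")


def delay_ms(api: str, arg: int):
    """Milliseconds the call spends blocked, or None when the call is not a delay."""
    if api in ("Sleep", "SleepEx"):
        return float(arg)                               # dwMilliseconds
    if api == "NtDelayExecution":
        # Negative DelayInterval = relative wait in 100-ns units; absolute deadlines not modelled.
        return -arg / 10_000 if arg < 0 else 0.0
    return None


def aggregate(lines):
    """{(pid, tid): (call_count, total_ms)} over every delay call in the trace."""
    stats = defaultdict(lambda: [0, 0.0])
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, tid, api, arg = int(m[1]), int(m[2]), m[3], int(m[4])
        ms = delay_ms(api, arg)
        if ms is None:
            continue
        stats[(pid, tid)][0] += 1
        stats[(pid, tid)][1] += ms
    return {key: (count, total) for key, (count, total) in stats.items()}


def stalling_threads(lines):
    """Threads exceeding either threshold, in the report's 'count > N' / 'time >= T' sense."""
    return {key: val for key, val in aggregate(lines).items()
            if val[0] > MAX_SLEEP_CALLS or val[1] >= MAX_SLEEP_TOTAL_MS}


# Constructed trace. PIDs/TIDs reuse the report's identifiers; the calls themselves are invented.
SAMPLE_TRACE = (
    ["pid=3556 tid=2620 api=Sleep args=500 ret=0"] * 170                  # 170 x 500 ms
    + ["pid=3556 tid=2620 api=RegOpenKeyExA args=0 ret=0"]                # ignored: not a delay
    + ["pid=5040 tid=5044 api=Sleep args=100 ret=0"] * 3                  # ordinary short waits
    + ["pid=5040 tid=5048 api=NtDelayExecution args=-50000000 ret=0"]     # one 5 s wait
    + ["pid=2880 tid=2884 api=NtDelayExecution args=-400000000 ret=0"]    # one 40 s wait
)

if __name__ == "__main__":
    for (pid, tid), (count, total) in sorted(stalling_threads(SAMPLE_TRACE).items()):
        print(f"pid={pid} tid={tid} sleep calls={count} total={total:.0f} ms")
```

Counting calls and summing time are kept separate on purpose: a sandbox that shortens every Sleep argument still sees the call count climb, while a sample that issues one very long native wait only shows up on the total. Tracking both is what makes the "stalls until the analysis window expires" pattern visible regardless of which form the loop takes.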
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\rundll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\loaddll32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C732BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00C732BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_040832BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_040832BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_047B32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 6_2_047B32BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_04BF32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 9_2_04BF32BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_04C032BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 12_2_04C032BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_043532BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 16_2_043532BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_067732BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 18_2_067732BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04FD32BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 21_2_04FD32BA

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C2009C mov eax, dword ptr fs:[00000030h] 0_2_00C2009C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C203AC mov eax, dword ptr fs:[00000030h] 0_2_00C203AC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C20476 mov eax, dword ptr fs:[00000030h] 0_2_00C20476
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D0476 mov eax, dword ptr fs:[00000030h] 3_2_005D0476
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D009C mov eax, dword ptr fs:[00000030h] 3_2_005D009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D03AC mov eax, dword ptr fs:[00000030h] 3_2_005D03AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0098009C mov eax, dword ptr fs:[00000030h] 16_2_0098009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_00980476 mov eax, dword ptr fs:[00000030h] 16_2_00980476
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_009803AC mov eax, dword ptr fs:[00000030h] 16_2_009803AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A0476 mov eax, dword ptr fs:[00000030h] 18_2_045A0476
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A009C mov eax, dword ptr fs:[00000030h] 18_2_045A009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_045A03AC mov eax, dword ptr fs:[00000030h] 18_2_045A03AC
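The `push ...; ret` sequences listed under Data Obfuscation and the `mov eax, dword ptr fs:[00000030h]` PEB reads listed above are the same kind of finding: short, fixed byte sequences that a sandbox spots by scanning code. The following is an added example, not code from the report or from Joe Sandbox, of such a scanner for the exact forms the report lists (`push r32; ret`, `push dword ptr [ebp+disp32]; ret`, `push dword ptr [esp+disp8]; ret`, `pushfd; retf`, and `mov r32, fs:[30h]`), run over a constructed code blob whose bytes are hand-assembled for this example; the encodings are the standard 32-bit x86 ones. `base` is an assumed load address used only to print report-style addresses.

```python
import re
import struct
from typing import NamedTuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


class Hit(NamedTuple):
    offset: int
    kind: str
    text: str


# 32-bit x86 encodings of the sequences the report lists:
#   push r32 ; ret                      50+r C3
#   push dword ptr [ebp+disp32] ; ret   FF B5 <disp32> C3
#   push dword ptr [esp+disp8] ; ret    FF 74 24 <disp8> C3
#   pushfd ; retf                       9C CB
#   mov eax, fs:[30h]                   64 A1 30 00 00 00
#   mov r32, fs:[30h]                   64 8B (00 r 101) 30 00 00 00
PATTERNS = {
    "push reg; ret": re.compile(rb"[\x50-\x57]\xC3", re.DOTALL),
    "push [ebp+disp32]; ret": re.compile(rb"\xFF\xB5(.{4})\xC3", re.DOTALL),
    "push [esp+disp8]; ret": re.compile(rb"\xFF\x74\x24(.)\xC3", re.DOTALL),
    "pushfd; retf": re.compile(rb"\x9C\xCB"),
    "PEB read": re.compile(
        rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00", re.DOTALL),
}


def _describe(kind: str, m: re.Match) -> str:
    """Render a match as the assembly the report prints."""
    raw = m.group(0)
    if kind == "push reg; ret":
        return f"push {REG32[raw[0] - 0x50]}; ret"
    if kind == "push [ebp+disp32]; ret":
        disp = struct.unpack("<i", m.group(1))[0]
        return f"push dword ptr [ebp{disp:+#x}]; ret"
    if kind == "push [esp+disp8]; ret":
        disp = struct.unpack("<b", m.group(1))[0]
        return f"push dword ptr [esp{disp:+#x}]; ret"
    if kind == "pushfd; retf":
        return "pushfd; retf"
    reg = "eax" if raw[1] == 0xA1 else REG32[(raw[2] >> 3) & 7]
    return f"mov {reg}, dword ptr fs:[0x30]"


def scan(code: bytes, base: int = 0) -> list[Hit]:
    """Every matching sequence in `code`, sorted by address (base + offset)."""
    hits = [Hit(base + m.start(), kind, _describe(kind, m))
            for kind, pat in PATTERNS.items() for m in pat.finditer(code)]
    return sorted(hits)


def summary(code: bytes) -> dict[str, int]:
    """Hit count per sequence kind."""
    counts: dict[str, int] = {}
    for hit in scan(code):
        counts[hit.kind] = counts.get(hit.kind, 0) + 1
    return counts


# Constructed code blob (hand-assembled for this example, not bytes from the sample).
SAMPLE = (
    b"\x8B\xFF\x55\x8B\xEC"               # mov edi,edi; push ebp; mov ebp,esp  (plain prologue)
    + b"\x64\xA1\x30\x00\x00\x00"         # mov eax, fs:[30h]                   -> PEB read
    + b"\x8B\x40\x0C"                     # mov eax, [eax+0Ch]                  (PEB->Ldr)
    + b"\xFF\xB5\x28\xFF\xFF\xFF\xC3"     # push dword ptr [ebp-0D8h]; ret
    + b"\x90\x90"                         # nop; nop
    + b"\x51\xC3"                         # push ecx; ret
    + b"\xFF\x74\x24\x10\xC3"             # push dword ptr [esp+10h]; ret
    + b"\x9C\xCB"                         # pushfd; retf
)

if __name__ == "__main__":
    for hit in scan(SAMPLE, base=0x5D0000):
        print(f"{hit.offset:08X}  {hit.kind:24}  {hit.text}")
```

Two caveats when using this on real dumps. First, it is a byte scanner, not a disassembler: run it on the unpacked memory images the report names (for example `3.2.rundll32.exe.510000.0.unpack`), not the packed file, and expect occasional false positives where data happens to contain these bytes. Second, `push ecx; ret` on its own is weak evidence, since the MSVC CRT's SEH epilog helper ends exactly that way; the `push dword ptr [ebp-0D8h]; ret` chains sitting next to `fs:[30h]` reads, as in the report, are the stronger indicator of a hand-written loader that resolves imports through the PEB and dispatches through the stack.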

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\MGrYFpGLQ7.dll',#1
Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.523347599.00000000011C0000.00000002.00020000.sdmp, regsvr32.exe, 00000002.00000002.525806638.0000000003620000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.524902002.0000000002BC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C793D5 cpuid 0_2_00C793D5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F179C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_005F179C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_005F10FC GetSystemTimeAsFileTime,_aulldiv,_snwprintf,wvsprintfA,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_005F10FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00C793D5 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00C793D5

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.355232631.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314377890.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391622099.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314521084.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355592572.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314475815.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367003924.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391468389.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370680495.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311090164.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313451317.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370551662.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391668872.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314245766.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391696489.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391496685.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355040596.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314318653.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311152381.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391727857.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311865061.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311345831.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391695930.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.311422020.0000000006CB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.370336241.0000000006AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311203958.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.313929901.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311769510.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311540194.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314268795.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355268021.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.361195316.00000000074A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391358945.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370621844.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311670564.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313872965.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391766298.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311984449.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.312268208.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314181933.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391634804.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313395188.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366812647.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355464241.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366846077.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370930604.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.528368895.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.525372552.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311633818.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.328237107.0000000005588000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.526965041.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366987894.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370755681.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.346412042.0000000006C48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370579660.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314563024.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355144752.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366907200.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391423871.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.354973566.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313701626.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391783104.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391671709.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366961006.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311364814.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366875687.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313576458.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311042721.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391794887.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370911517.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391520743.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311282599.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355518422.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.310694636.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391596036.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314078107.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314146839.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311573394.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370793730.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.527384744.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367026517.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.355232631.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314377890.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391622099.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314521084.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355592572.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314475815.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367003924.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391468389.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370680495.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311090164.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313451317.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370551662.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391668872.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314245766.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391696489.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391496685.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355040596.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314318653.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311152381.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391727857.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311865061.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311345831.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391695930.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.311422020.0000000006CB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.370336241.0000000006AE8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311203958.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.313929901.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311769510.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311540194.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314268795.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355268021.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.361195316.00000000074A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391358945.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370621844.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311670564.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313872965.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391766298.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311984449.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.312268208.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314181933.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391634804.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313395188.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366812647.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355464241.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366846077.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370930604.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.528368895.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.525372552.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311633818.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.328237107.0000000005588000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.526965041.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366987894.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370755681.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.346412042.0000000006C48000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370579660.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314563024.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355144752.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366907200.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391423871.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.354973566.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313701626.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391783104.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391671709.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366961006.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311364814.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366875687.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.313576458.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311042721.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391794887.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370911517.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391520743.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.311282599.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355518422.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.310694636.00000000070D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.391596036.0000000007088000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.314078107.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.314146839.0000000006878000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.311573394.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.370793730.0000000004D98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.527384744.0000000005538000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.367026517.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 3556, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6276, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7000, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1496, type: MEMORYSTR
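The Yara match list above repeats the same few memory regions many times (one line per dump of a region), which makes it hard to see at a glance how many distinct injected regions and host processes are actually involved. The following Python helper is an added triage example, not part of the Joe Sandbox report: it parses lines of this exact shape, collapses the `.sdmp` entries to (process index, base address) pairs, and lists the `MEMORYSTR` processes. It assumes, as labelled in the code, that the first dotted field of a dump name is the analysis-local process index and the fourth is the base address of the dumped region; the remaining fields are kept verbatim and not interpreted. The embedded sample is a constructed subset of the match lines shown above.

```python
"""Collapse a Joe Sandbox 'Yara match' list to distinct memory regions and processes.

Added example (not the report's own tooling). Parses lines such as

  Source: Yara match File source: <a>.<b>.<c>.<base>.<d>.<e>.sdmp, type: MEMORY
  Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR

Assumption (not confirmed by the report): field <a> is the analysis-local
process index and <base> is the base address of the dumped region. Fields
<b>, <c>, <d>, <e> are preserved as strings and never interpreted here.
"""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"File source:\s+(?P<idx>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<f5>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\.sdmp,"
    r"\s+type:\s+MEMORY$"
)
PROC_RE = re.compile(
    r"File source:\s+Process Memory Space:\s+(?P<image>\S+)\s+PID:\s+(?P<pid>\d+),"
    r"\s+type:\s+MEMORYSTR$"
)

# Constructed sample: a subset of the match lines from the report above.
SAMPLE = """\
Source: Yara match File source: 00000022.00000003.366812647.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.355464241.0000000007528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.366846077.00000000072A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.525372552.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.391423871.0000000003138000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.526965041.0000000004C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2624, type: MEMORYSTR
"""


def parse_matches(text):
    """Split match lines into dump records, (image, pid) tuples and unparsed leftovers."""
    dumps, procs, unparsed = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["idx"] = int(rec["idx"], 16)    # assumed: process index
            rec["base"] = int(rec["base"], 16)  # assumed: region base address
            dumps.append(rec)
            continue
        m = PROC_RE.search(line)
        if m:
            procs.append((m.group("image"), int(m.group("pid"))))
            continue
        unparsed.append(line)  # anything we did not recognise is reported, not dropped
    return dumps, procs, unparsed


def summarize(text):
    """Return distinct (index, base) regions with hit counts plus the MEMORYSTR processes."""
    dumps, procs, unparsed = parse_matches(text)
    hits = Counter((d["idx"], d["base"]) for d in dumps)
    return {
        "dump_matches": len(dumps),
        "regions": {f"{idx:08X}.{base:016X}": n for (idx, base), n in sorted(hits.items())},
        "processes": sorted(set(procs)),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['dump_matches']} dump matches -> {len(s['regions'])} distinct regions")
    for region, n in s["regions"].items():
        print(f"  {region}  x{n}")
    for image, pid in s["processes"]:
        print(f"  {image} PID {pid}")
    if s["unparsed"]:
        print("unparsed:", *s["unparsed"], sep="\n  ")
```

Run against the full list above, the output shrinks from dozens of lines to roughly one region per host process, each hit several times because the same region is dumped repeatedly during the run; that is what a responder needs when deciding which dumps to pull for the unpacked payload. Lines that do not fit either pattern are returned in `unparsed` rather than silently ignored, so a report format change is noticed.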