The malware extracts and drops the file msgina32.dll onto disk from a
resource section named
The malware installs msgina32.dll as a GINA DLL by adding it to the
NT\CurrentVersion\Winlogon\GinaDLL, which causes the DLL to be loaded after system
The malware steals user credentials by performing GINA interception. The msgina32.dll file is able to intercept all user credentials submitted to the system for authentication.
The malware logs stolen credentials to %SystemRoot%\System32\msutil32.sys. The username, domain, and password are logged to the file with a timestamp.
Once the malware is dropped and installed, there must be a system reboot for the GINA interception ...