Windows Analysis Report
YUoxuUri8M.dll

Overview

General Information

Sample Name: YUoxuUri8M.dll
Original Sample Name: c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
Analysis ID: 1344807
MD5: 88bb86494cb9411a9692f9c8e67ed32c
SHA1: 82f8060575de96dc4edc4f7b02ec31ba7637fa03
SHA256: c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40
Tags: dll, ransomware

Detection

Qilin
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Qilin Ransomware
Antivirus / Scanner detection for submitted sample
Found Tor onion address
Contains functionality to change the wallpaper
Found PSEXEC tool (often used for remote process execution)
Deletes shadow drive data (may be related to ransomware)
Contains functionality to clear event logs
May use bcdedit to modify the Windows boot settings
Uses 32bit PE files
Yara signature match
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Yara detected PsExec sysinternal tool
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4108 cmdline: loaddll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6020 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 732 cmdline: rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6604 cmdline: rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
YUoxuUri8M.dll | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
YUoxuUri8M.dll | INDICATOR_SUSPICOUS_EXE_References_VEEAM | Detects executables containing many references to VEEAM. Observed in ransomware | unknown |
  • 0x15c37f:$s1: veeamnfssvc
  • 0x15c681:$s1: veeamnfssvc
  • 0x15c38f:$s9: veeamtransportsvc
  • 0x15c6ac:$s9: veeamtransportsvc
  • 0x15c691:$s10: veeamdeploymentservice

Source | Rule | Description | Author | Strings
00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
Process Memory Space: loaddll32.exe PID: 4108 | JoeSecurity_Qilin | Yara detected Qilin Ransomware | Joe Security |
Process Memory Space: loaddll32.exe PID: 4108 | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
(4 further entries not shown)

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.6cc0f946.2.unpack | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
0.2.loaddll32.exe.6ced8bbe.1.raw.unpack | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
3.2.rundll32.exe.6cc48bbe.1.raw.unpack | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
4.2.rundll32.exe.6cc0f946.1.unpack | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
0.2.loaddll32.exe.6ce9f946.2.unpack | JoeSecurity_PsExec | Yara detected PsExec sysinternal tool | Joe Security |
(10 further entries not shown)

No Sigma rule has matched
No Snort rule has matched

                        AV Detection

Source: YUoxuUri8M.dll | ReversingLabs: Detection: 68%
Source: YUoxuUri8M.dll | Virustotal: Detection: 69%
Source: YUoxuUri8M.dll | Avira: detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD22640 BCryptGenRandom
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD1B03B BCryptGenRandom,memcpy,BCryptGenRandom,BCryptGenRandom,memcpy,memcpy,memcpy
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CDD3190 SetLastError,GetFullPathNameW,GetCurrentProcessId,BCryptGenRandom
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CD3F130 BCryptGenRandom,BCryptGenRandom,GetProcessHeap,HeapAlloc
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CA8B03B BCryptGenRandom,memcpy,BCryptGenRandom,BCryptGenRandom,memcpy,memcpy,memcpy
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CB43190 SetLastError,GetFullPathNameW,GetCurrentProcessId,BCryptGenRandom
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CAAF130 BCryptGenRandom,BCryptGenRandom,GetProcessHeap,HeapAlloc
Source: loaddll32.exe | Binary or memory string: { "public_rsa_pem": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy5Bq0JhzTUuX8U9S66N4\nwb/vrE0ZPJDps80bF9R2n2875dWVToGkl8+GUTApoz1Mhaf+YF1OBd4h3cB53ZRB\ntbiOgt3onHpDXxf4ZJ+6RXZGJs7dSQ5nI2Kxtbw2TyhTcjcosBROYaDaZxOK6xJ/\ni5qW+n0/d2va
Source: YUoxuUri8M.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: YUoxuUri8M.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\a\1\s\psexec\exe\Win32\Release\psexec.pdb | source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll
Source: Binary string: D:\a\1\s\psexec\svc\Win32\Release\psexesvc.pdb | source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll

                        Spreading

Source: loaddll32.exe | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: rundll32.exe | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: YUoxuUri8M.dll | String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CDD1390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CB41390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree
Source: C:\Windows\System32\loaddll32.exe | Code function: 4x nop then push ebp | 0_2_6CD02FA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then push ebp | 3_2_6CA72FA0

                        Networking

Source: loaddll32.exe, 00000000.00000002.1685944141.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: the same "note" string (Qilin ransom note) as above
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: the same "note" string (Qilin ransom note) as above
Source: rundll32.exe, 00000003.00000002.1656357725.00000000007DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: the same "note" string (Qilin ransom note) as above
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: the same "note" string (Qilin ransom note) as above
Source: rundll32.exe, 00000004.00000002.1656388663.000000000314A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: the same "note" string (Qilin ransom note) as above
Source: YUoxuUri8M.dll | String found in binary or memory: the same "note" string (Qilin ransom note) as above
Source: Yara match | File source: YUoxuUri8M.dll, type: SAMPLE
Source: Yara match | File source: 3.2.rundll32.exe.6cc0f946.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6ced8bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6cc48bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6cc0f946.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6ce9f946.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6ce9f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6cc0f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6cc48bbe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6cc0f946.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6604, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 732, type: MEMORYSTR
Source: loaddll32.exe, rundll32.exe | String found in binary or memory: http://www.microsoft.co
Source: YUoxuUri8M.dll | String found in binary or memory: https://github.com/swsnr/gethostname.rs/issues
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll | String found in binary or memory: https://www.sysinternals.com0
Source: rundll32.exe, 00000004.00000002.1656388663.000000000314A000.00000004.00000020.00020000.00000000.sdmp, YUoxuUri8M.dll | String found in binary or memory: https://www.torproject.org/download/

                        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6604, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 732, type: MEMORYSTR
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CE28390 CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,SystemParametersInfoW,HeapFree,GetLastError,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6CB98390 CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,SystemParametersInfoW,HeapFree,GetLastError,HeapFree,HeapFree
Source: loaddll32.exe | Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: l"cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe | Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: l"cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: l"cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: YUoxuUri8M.dll | Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: YUoxuUri8M.dll | Binary or memory string: "cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: C:\Windows\System32\loaddll32.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"[WARNING] Cannot clean event logs[INFO] Event logs purger process spawned. | 0_2_6CE1F560
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"[WARNING] Cannot clean event logs[INFO] Event logs purger process spawned. | 3_2_6CB8F560

                        System Summary

Source: YUoxuUri8M.dll, type: SAMPLE | Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware | Author: unknown
Source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware | Author: unknown
Source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware | Author: unknown
Source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware | Author: unknown
Source: YUoxuUri8M.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
Source: YUoxuUri8M.dll, type: SAMPLE | Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
Source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
Source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
Source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDCA0C00_2_6CDCA0C0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CCFD0E00_2_6CCFD0E0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDC20900_2_6CDC2090
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD220800_2_6CD22080
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD1F0A00_2_6CD1F0A0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD2C0A00_2_6CD2C0A0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CCE50B00_2_6CCE50B0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CCF70400_2_6CCF7040
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD1B03B0_2_6CD1B03B
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD950200_2_6CD95020
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD131540_2_6CD13154
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD181300_2_6CD18130
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDA21300_2_6CDA2130
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD1D1250_2_6CD1D125
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD3F2600_2_6CD3F260
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD383E00_2_6CD383E0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF53E00_2_6CDF53E0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDF23A00_2_6CDF23A0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD083100_2_6CD08310
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD393000_2_6CD39300
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CCF83100_2_6CCF8310
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA8288B3_2_6CA8288B
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB6DCA03_2_6CB6DCA0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA6CC903_2_6CA6CC90
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA5FCD03_2_6CA5FCD0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA51C303_2_6CA51C30
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA90C403_2_6CA90C40
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA83DAF3_2_6CA83DAF
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA76DBB3_2_6CA76DBB
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA53D703_2_6CA53D70
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB11EB03_2_6CB11EB0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CAA6EA03_2_6CAA6EA0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB10E913_2_6CB10E91
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA6DE843_2_6CA6DE84
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CAAFE903_2_6CAAFE90
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA63EC03_2_6CA63EC0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CAAAED03_2_6CAAAED0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA7CE703_2_6CA7CE70
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB9DE503_2_6CB9DE50
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA53FB03_2_6CA53FB0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA5CFF03_2_6CA5CFF0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA70F3E3_2_6CA70F3E
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB14F403_2_6CB14F40
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA7A8A03_2_6CA7A8A0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA8A8A03_2_6CA8A8A0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA538803_2_6CA53880
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB558103_2_6CB55810
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA908013_2_6CA90801
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA6581B3_2_6CA6581B
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CAAB9A03_2_6CAAB9A0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA789103_2_6CA78910
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA8FAB03_2_6CA8FAB0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB57AD03_2_6CB57AD0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA53AC03_2_6CA53AC0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CAA8A603_2_6CAA8A60
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA5BA403_2_6CA5BA40
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB55B203_2_6CB55B20
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB9BB103_2_6CB9BB10
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA664A03_2_6CA664A0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB114FE3_2_6CB114FE
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA6F4403_2_6CA6F440
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB155B03_2_6CB155B0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB105703_2_6CB10570
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA8F6F03_2_6CA8F6F0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA916703_2_6CA91670
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB5B6403_2_6CB5B640
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA747903_2_6CA74790
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA657F03_2_6CA657F0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA8F0A03_2_6CA8F0A0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA9C0A03_2_6CA9C0A0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA550B03_2_6CA550B0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB320903_2_6CB32090
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA6D0E03_2_6CA6D0E0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB3A0C03_2_6CB3A0C0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB050203_2_6CB05020
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA8B03B3_2_6CA8B03B
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA670403_2_6CA67040
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB121303_2_6CB12130
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA8D1253_2_6CA8D125
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA881303_2_6CA88130
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA831543_2_6CA83154
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CAAF2603_2_6CAAF260
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB623A03_2_6CB623A0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CAA83E03_2_6CAA83E0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB653E03_2_6CB653E0
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CAA93003_2_6CAA9300
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA683103_2_6CA68310
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA783103_2_6CA78310
                        Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6CCF9A00 appears 74 times
                        Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6CCF9900 appears 98 times
                        Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6CD21390 appears 40 times
                        Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6CCF9C20 appears 85 times
                        Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6CCFB140 appears 39 times
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6CA69C20 appears 88 times
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6CA91390 appears 40 times
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6CA6B140 appears 34 times
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6CA69A00 appears 69 times
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6CA69900 appears 92 times
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDD1950 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,NtWriteFile,WaitForSingleObject,0_2_6CDD1950
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDD0E50: DeviceIoControl,GetLastError,CloseHandle,GetProcessHeap,HeapAlloc,memcpy,HeapFree,0_2_6CDD0E50
                        Source: YUoxuUri8M.dllBinary or memory string: OriginalFilenamepsexec.cH vs YUoxuUri8M.dll
                        Source: YUoxuUri8M.dllBinary or memory string: OriginalFilenamepsexesvc.exeH vs YUoxuUri8M.dll
                        Source: YUoxuUri8M.dllReversingLabs: Detection: 68%
                        Source: YUoxuUri8M.dllVirustotal: Detection: 69%
                        Source: YUoxuUri8M.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll"
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1Jump to behavior
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMainJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1Jump to behavior
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CE28210 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,GetLastError,CloseHandle,0_2_6CE28210
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB98210 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,GetLastError,CloseHandle,3_2_6CB98210
                        Source: YUoxuUri8M.dllBinary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServerSeTcbPrivilege"%s" %sNetIsServiceAccountnetapi32.dll_SA_{262E99C9-6160-4871-ACEC-4E61736B6F21}NT AUTHORITYNT SERVICECreateRestrictedTokenwinsta0Winlogondefaultwinsta0\winlogonwinsta0\defaultWow64DisableWow64FsRedirectionKernel32.dll%s.exe%%systemroot%%\PSEXEC-%s-%08X.key%systemroot%failed to readsecure: %d
                        Source: YUoxuUri8M.dllBinary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program.
                        Source: classification engineClassification label: mal92.rans.spre.evad.winDLL@8/0@0/0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CDEACE0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,0_2_6CDEACE0
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD05D04 GlobalMemoryStatusEx,GetPerformanceInfo,GetDiskFreeSpaceExW,0_2_6CD05D04
                        Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
                        Source: loaddll32.exeString found in binary or memory: /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/num-bigint-dig-0.8.1/src/algorithms/add.rs
                        Source: loaddll32.exeString found in binary or memory: %s -install to install the service
                        Source: rundll32.exeString found in binary or memory: /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/num-bigint-dig-0.8.1/src/algorithms/add.rs
                        Source: rundll32.exeString found in binary or memory: %s -install to install the service
                        Source: YUoxuUri8M.dllStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: YUoxuUri8M.dllStatic file information: File size 2845184 > 1048576
                        Source: YUoxuUri8M.dllStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x159400
                        Source: YUoxuUri8M.dllStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x127800
                        Source: YUoxuUri8M.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                        Source: Binary string: D:\a\1\s\psexec\exe\Win32\Release\psexec.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll
                        Source: Binary string: D:\a\1\s\psexec\svc\Win32\Release\psexesvc.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CE2F980 push dword ptr [eax+04h]; ret 0_2_6CE2F9AF
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CD00A63 push 016CE41Ch; iretd 0_2_6CD00A6C
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CB9F980 push dword ptr [eax+04h]; ret 3_2_6CB9F9AF
                        Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6CA70A63 push 016CBB1Ch; iretd 3_2_6CA70A6C
                        Source: YUoxuUri8M.dllStatic PE information: section name: .eh_fram
                        Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CCE1400 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,0_2_6CCE1400
                        Source: YUoxuUri8M