Edit tour

Windows Analysis Report
YUoxuUri8M.dll

Overview

General Information

Sample Name:	YUoxuUri8M.dll
Original Sample Name:	c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
Analysis ID:	1344807
MD5:	88bb86494cb9411a9692f9c8e67ed32c
SHA1:	82f8060575de96dc4edc4f7b02ec31ba7637fa03
SHA256:	c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40
Tags:	dllransomware
Infos:

Detection

Qilin

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Qilin Ransomware

Antivirus / Scanner detection for submitted sample

Found Tor onion address

Contains functionalty to change the wallpaper

Found PSEXEC tool (often used for remote process execution)

Deletes shadow drive data (may be related to ransomware)

Contains functionality to clear event logs

May use bcdedit to modify the Windows boot settings

Uses 32bit PE files

Yara signature match

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Yara detected PsExec sysinternal tool

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4108 cmdline: loaddll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6020 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 732 cmdline: rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6604 cmdline: rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AgendaCrypt, Qilin	Ransomware written in Go.	No Attribution	https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE54L7v https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/ https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/new-golang-ransomware-agenda-customizes-attacks/IOCs-blog-New%20Golang%20Ransomware%20Agenda%20Customizes%20Attacks.txt https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
YUoxuUri8M.dll	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
YUoxuUri8M.dll	INDICATOR_SUSPICOUS_EXE_References_VEEAM	Detects executables containing many references to VEEAM. Observed in ransomware	unknown	0x15c37f:$s1: veeamnfssvc 0x15c681:$s1: veeamnfssvc 0x15c38f:$s9: veeamtransportsvc 0x15c6ac:$s9: veeamtransportsvc 0x15c691:$s10: veeamdeploymentservice

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
Process Memory Space: loaddll32.exe PID: 4108	JoeSecurity_Qilin	Yara detected Qilin Ransomware	Joe Security
Process Memory Space: loaddll32.exe PID: 4108	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
Process Memory Space: rundll32.exe PID: 6604	JoeSecurity_Qilin	Yara detected Qilin Ransomware	Joe Security
Process Memory Space: rundll32.exe PID: 6604	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
Process Memory Space: rundll32.exe PID: 732	JoeSecurity_Qilin	Yara detected Qilin Ransomware	Joe Security
Process Memory Space: rundll32.exe PID: 732	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.rundll32.exe.6cc0f946.2.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
0.2.loaddll32.exe.6ced8bbe.1.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
3.2.rundll32.exe.6cc48bbe.1.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
4.2.rundll32.exe.6cc0f946.1.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
0.2.loaddll32.exe.6ce9f946.2.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
0.2.loaddll32.exe.6ce9f946.2.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
3.2.rundll32.exe.6cc0f946.2.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
4.2.rundll32.exe.6cc48bbe.2.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
4.2.rundll32.exe.6cc0f946.1.raw.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
3.2.rundll32.exe.6ca50000.0.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
3.2.rundll32.exe.6ca50000.0.unpack	INDICATOR_SUSPICOUS_EXE_References_VEEAM	Detects executables containing many references to VEEAM. Observed in ransomware	unknown	0x15c37f:$s1: veeamnfssvc 0x15c681:$s1: veeamnfssvc 0x15c38f:$s9: veeamtransportsvc 0x15c6ac:$s9: veeamtransportsvc 0x15c691:$s10: veeamdeploymentservice
0.2.loaddll32.exe.6cce0000.0.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
0.2.loaddll32.exe.6cce0000.0.unpack	INDICATOR_SUSPICOUS_EXE_References_VEEAM	Detects executables containing many references to VEEAM. Observed in ransomware	unknown	0x15c37f:$s1: veeamnfssvc 0x15c681:$s1: veeamnfssvc 0x15c38f:$s9: veeamtransportsvc 0x15c6ac:$s9: veeamtransportsvc 0x15c691:$s10: veeamdeploymentservice
4.2.rundll32.exe.6ca50000.0.unpack	JoeSecurity_PsExec	Yara detected PsExec sysinternal tool	Joe Security
4.2.rundll32.exe.6ca50000.0.unpack	INDICATOR_SUSPICOUS_EXE_References_VEEAM	Detects executables containing many references to VEEAM. Observed in ransomware	unknown	0x15c37f:$s1: veeamnfssvc 0x15c681:$s1: veeamnfssvc 0x15c38f:$s9: veeamtransportsvc 0x15c6ac:$s9: veeamtransportsvc 0x15c691:$s10: veeamdeploymentservice
Click to see the 10 entries

Binary or memory string: { "public_rsa_pem": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy5Bq0JhzTUuX8U9S66N4\nwb/vrE0ZPJDps80bF9R2n2875dWVToGkl8+GUTApoz1Mhaf+YF1OBd4h3cB53ZRB\ntbiOgt3onHpDXxf4ZJ+6RXZGJs7dSQ5nI2Kxtbw2TyhTcjcosBROYaDaZxOK6xJ/\ni5qW+n0/d2va

Source: YUoxuUri8M.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: YUoxuUri8M.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\1\s\psexec\exe\Win32\Release\psexec.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll
Source:	Binary string: D:\a\1\s\psexec\svc\Win32\Release\psexesvc.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll

Spreading

Found PSEXEC tool (often used for remote process execution)

Source: loaddll32.exe	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: rundll32.exe	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console
Source: YUoxuUri8M.dll	String found in binary or memory: PsExec executes a program on a remote system, where remotely executed console

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDD1390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree,		0_2_6CDD1390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB41390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree,		3_2_6CB41390

Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then push ebp		0_2_6CD02FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then push ebp		3_2_6CA72FA0

Networking

Found Tor onion address

Source: loaddll32.exe, 00000000.00000002.1685944141.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: rundll32.exe, 00000003.00000002.1656357725.00000000007DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: rundll32.exe, 00000004.00000002.1656388663.000000000314A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",
Source: YUoxuUri8M.dll	String found in binary or memory: "note": "-- Qilin \r\r\n\r\r\nYour network/system was encrypted. \r\r\nEncrypted files have new extension. \r\r\n\r\r\n-- Compromising and sensitive data \r\r\n\r\r\nWe have downloaded compromising and sensitive data from you system/network \r\r\nIf you refuse to communicate with us and we do not come to an agreement, your data will be published. \r\r\nData includes: \r\r\n- Employees personal data, CVs, DL , SSN. \r\r\n- Complete network map including credentials for local and remote services. \r\r\n- Financial information including clients data, bills, budgets, annual reports, bank statements. \r\r\n- Complete datagrams/schemas/drawings for manufacturing in solidworks format \r\r\n- And more... \r\r\n\r\r\n-- Warning \r\r\n\r\r\n1) If you modify files - our decrypt software won't able to recover data \r\r\n2) If you use third party software - you can damage/modify files (see item 1) \r\r\n3) You need cipher key / our decrypt software to restore you files. \r\r\n4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. \r\r\n\r\r\n-- Recovery \r\r\n\r\r\n1) Download tor browser: https://www.torproject.org/download/ \r\r\n2) Go to domain \r\r\n3) Enter credentials-- Credentials \r\n\r\nExtension: feGDg5BHWw \r\nDomain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion \r\nlogin: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 \r\npassword:",

Source: Yara match	File source: YUoxuUri8M.dll, type: SAMPLE
Source: Yara match	File source: 3.2.rundll32.exe.6cc0f946.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ced8bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6cc48bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc0f946.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ce9f946.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ce9f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6cc0f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc48bbe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc0f946.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 732, type: MEMORYSTR

Source: loaddll32.exe, rundll32.exe	String found in binary or memory: http://www.microsoft.co
Source: YUoxuUri8M.dll	String found in binary or memory: https://github.com/swsnr/gethostname.rs/issues
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll	String found in binary or memory: https://www.sysinternals.com0
Source: rundll32.exe, 00000004.00000002.1656388663.000000000314A000.00000004.00000020.00020000.00000000.sdmp, YUoxuUri8M.dll	String found in binary or memory: https://www.torproject.org/download/

Spam, unwanted Advertisements and Ransom Demands

Yara detected Qilin Ransomware

Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 732, type: MEMORYSTR

Contains functionalty to change the wallpaper

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE28390 CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,SystemParametersInfoW,HeapFree,GetLastError,HeapFree,HeapFree,		0_2_6CE28390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB98390 CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,SystemParametersInfoW,HeapFree,GetLastError,HeapFree,HeapFree,		3_2_6CB98390

Deletes shadow drive data (may be related to ransomware)

Source: loaddll32.exe	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: l"cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: l"cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: l"cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: YUoxuUri8M.dll	Binary or memory string: cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted
Source: YUoxuUri8M.dll	Binary or memory string: "cmdvssadmin.exe delete shadows /all /quiet/C[INFO] WOW64 redirection reverted

Contains functionality to clear event logs

Source: C:\Windows\System32\loaddll32.exe	Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"[WARNING] Cannot clean event logs[INFO] Event logs purger process spawned.		0_2_6CE1F560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"[WARNING] Cannot clean event logs[INFO] Event logs purger process spawned.		3_2_6CB8F560

System Summary

Malicious sample detected (through community Yara rule)

Source: YUoxuUri8M.dll, type: SAMPLE	Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
Source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
Source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown
Source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing many references to VEEAM. Observed in ransomware Author: unknown

Source: YUoxuUri8M.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: YUoxuUri8M.dll, type: SAMPLE	Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
Source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
Source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware
Source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICOUS_EXE_References_VEEAM description = Detects executables containing many references to VEEAM. Observed in ransomware

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCEFCD0	0_2_6CCEFCD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1288B	0_2_6CD1288B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCFCC90	0_2_6CCFCC90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDFDCA0	0_2_6CDFDCA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD20C40	0_2_6CD20C40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE1C30	0_2_6CCE1C30
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD06DBB	0_2_6CD06DBB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD13DAF	0_2_6CD13DAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE3D70	0_2_6CCE3D70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3AED0	0_2_6CD3AED0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF3EC0	0_2_6CCF3EC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3FE90	0_2_6CD3FE90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA0E91	0_2_6CDA0E91
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCFDE84	0_2_6CCFDE84
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA1EB0	0_2_6CDA1EB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD36EA0	0_2_6CD36EA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD0CE70	0_2_6CD0CE70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE2DE50	0_2_6CE2DE50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCECFF0	0_2_6CCECFF0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE3FB0	0_2_6CCE3FB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA4F40	0_2_6CDA4F40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD00F3E	0_2_6CD00F3E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE3880	0_2_6CCE3880
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD0A8A0	0_2_6CD0A8A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1A8A0	0_2_6CD1A8A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDE5810	0_2_6CDE5810
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD20801	0_2_6CD20801
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF5821	0_2_6CCF5821
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3B9A0	0_2_6CD3B9A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD08910	0_2_6CD08910
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD18AD0	0_2_6CD18AD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDE7AD0	0_2_6CDE7AD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE3AC0	0_2_6CCE3AC0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1FAB0	0_2_6CD1FAB0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCEBA40	0_2_6CCEBA40
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD38A60	0_2_6CD38A60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE2BB10	0_2_6CE2BB10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDE5B20	0_2_6CDE5B20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA14FE	0_2_6CDA14FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF64A0	0_2_6CCF64A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCFF440	0_2_6CCFF440
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA55B0	0_2_6CDA55B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1F6F0	0_2_6CD1F6F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDEB640	0_2_6CDEB640
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD21670	0_2_6CD21670
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF57F0	0_2_6CCF57F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD04790	0_2_6CD04790
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDCA0C0	0_2_6CDCA0C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCFD0E0	0_2_6CCFD0E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDC2090	0_2_6CDC2090
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD22080	0_2_6CD22080
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1F0A0	0_2_6CD1F0A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD2C0A0	0_2_6CD2C0A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCE50B0	0_2_6CCE50B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF7040	0_2_6CCF7040
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1B03B	0_2_6CD1B03B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD95020	0_2_6CD95020
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD13154	0_2_6CD13154
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD18130	0_2_6CD18130
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDA2130	0_2_6CDA2130
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1D125	0_2_6CD1D125
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3F260	0_2_6CD3F260
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD383E0	0_2_6CD383E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDF53E0	0_2_6CDF53E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDF23A0	0_2_6CDF23A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD08310	0_2_6CD08310
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD39300	0_2_6CD39300
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CCF8310	0_2_6CCF8310
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8288B	3_2_6CA8288B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB6DCA0	3_2_6CB6DCA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6CC90	3_2_6CA6CC90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA5FCD0	3_2_6CA5FCD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA51C30	3_2_6CA51C30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA90C40	3_2_6CA90C40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA83DAF	3_2_6CA83DAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA76DBB	3_2_6CA76DBB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA53D70	3_2_6CA53D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB11EB0	3_2_6CB11EB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAA6EA0	3_2_6CAA6EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB10E91	3_2_6CB10E91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6DE84	3_2_6CA6DE84
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAFE90	3_2_6CAAFE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA63EC0	3_2_6CA63EC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAAED0	3_2_6CAAAED0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA7CE70	3_2_6CA7CE70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB9DE50	3_2_6CB9DE50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA53FB0	3_2_6CA53FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA5CFF0	3_2_6CA5CFF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA70F3E	3_2_6CA70F3E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB14F40	3_2_6CB14F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA7A8A0	3_2_6CA7A8A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8A8A0	3_2_6CA8A8A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA53880	3_2_6CA53880
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB55810	3_2_6CB55810
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA90801	3_2_6CA90801
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6581B	3_2_6CA6581B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAB9A0	3_2_6CAAB9A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA78910	3_2_6CA78910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8FAB0	3_2_6CA8FAB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB57AD0	3_2_6CB57AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA53AC0	3_2_6CA53AC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAA8A60	3_2_6CAA8A60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA5BA40	3_2_6CA5BA40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB55B20	3_2_6CB55B20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB9BB10	3_2_6CB9BB10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA664A0	3_2_6CA664A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB114FE	3_2_6CB114FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6F440	3_2_6CA6F440
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB155B0	3_2_6CB155B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB10570	3_2_6CB10570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8F6F0	3_2_6CA8F6F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA91670	3_2_6CA91670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB5B640	3_2_6CB5B640
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA74790	3_2_6CA74790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA657F0	3_2_6CA657F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8F0A0	3_2_6CA8F0A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA9C0A0	3_2_6CA9C0A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA550B0	3_2_6CA550B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB32090	3_2_6CB32090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA6D0E0	3_2_6CA6D0E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB3A0C0	3_2_6CB3A0C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB05020	3_2_6CB05020
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8B03B	3_2_6CA8B03B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA67040	3_2_6CA67040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB12130	3_2_6CB12130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8D125	3_2_6CA8D125
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA88130	3_2_6CA88130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA83154	3_2_6CA83154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAF260	3_2_6CAAF260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB623A0	3_2_6CB623A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAA83E0	3_2_6CAA83E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB653E0	3_2_6CB653E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAA9300	3_2_6CAA9300
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA68310	3_2_6CA68310
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA78310	3_2_6CA78310

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CCF9A00 appears 74 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CCF9900 appears 98 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CD21390 appears 40 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CCF9C20 appears 85 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6CCFB140 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA69C20 appears 88 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA91390 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA6B140 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA69A00 appears 69 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6CA69900 appears 92 times

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CDD1950 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,NtWriteFile,WaitForSingleObject,

0_2_6CDD1950

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CDD0E50: DeviceIoControl,GetLastError,CloseHandle,GetProcessHeap,HeapAlloc,memcpy,HeapFree,

0_2_6CDD0E50

Source: YUoxuUri8M.dll	Binary or memory string: OriginalFilenamepsexec.cH vs YUoxuUri8M.dll
Source: YUoxuUri8M.dll	Binary or memory string: OriginalFilenamepsexesvc.exeH vs YUoxuUri8M.dll

Source: YUoxuUri8M.dll	ReversingLabs: Detection: 68%
Source: YUoxuUri8M.dll	Virustotal: Detection: 69%

Source: YUoxuUri8M.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE28210 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,GetLastError,CloseHandle,		0_2_6CE28210
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB98210 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLastError,GetLastError,CloseHandle,		3_2_6CB98210

Source: YUoxuUri8M.dll	Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\Srv2\Device\LanmanServerSeTcbPrivilege"%s" %sNetIsServiceAccountnetapi32.dll_SA_{262E99C9-6160-4871-ACEC-4E61736B6F21}NT AUTHORITYNT SERVICECreateRestrictedTokenwinsta0Winlogondefaultwinsta0\winlogonwinsta0\defaultWow64DisableWow64FsRedirectionKernel32.dll%s.exe%%systemroot%%\PSEXEC-%s-%08X.key%systemroot%failed to readsecure: %d
Source: YUoxuUri8M.dll	Binary string: Sysinternals RocksRtlNtStatusToDosErrorntdll.dllRtlInitUnicodeStringNtOpenFileNtFsControlFile\Device\LanmanRedirector\%s\ipc$Use PsKill to terminate the remotely running program.

Source: classification engine

Classification label: mal92.rans.spre.evad.winDLL@8/0@0/0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CDEACE0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,

0_2_6CDEACE0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CD05D04 GlobalMemoryStatusEx,GetPerformanceInfo,GetDiskFreeSpaceExW,

0_2_6CD05D04

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03

Source: loaddll32.exe	String found in binary or memory: /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/num-bigint-dig-0.8.1/src/algorithms/add.rs
Source: loaddll32.exe	String found in binary or memory: %s -install to install the service
Source: rundll32.exe	String found in binary or memory: /usr/local/cargo/registry/src/index.crates.io-6f17d22bba15001f/num-bigint-dig-0.8.1/src/algorithms/add.rs
Source: rundll32.exe	String found in binary or memory: %s -install to install the service

Source: YUoxuUri8M.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: YUoxuUri8M.dll

Static file information: File size 2845184 > 1048576

Source: YUoxuUri8M.dll	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x159400
Source: YUoxuUri8M.dll	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x127800

Source: YUoxuUri8M.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\a\1\s\psexec\exe\Win32\Release\psexec.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll
Source:	Binary string: D:\a\1\s\psexec\svc\Win32\Release\psexesvc.pdb source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CE2F980 push dword ptr [eax+04h]; ret	0_2_6CE2F9AF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD00A63 push 016CE41Ch; iretd	0_2_6CD00A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB9F980 push dword ptr [eax+04h]; ret	3_2_6CB9F9AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA70A63 push 016CBB1Ch; iretd	3_2_6CA70A6C

Source: YUoxuUri8M.dll

Static PE information: section name: .eh_fram

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CCE1400 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_6CCE1400

Source: YUoxuUri8M.dll

Binary or memory string: /set {current} safeboot networkrunasBCDEdit.exeerror creating cstringsaferunner-main/src/tools.rs

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 0.5 %

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CD0DDE7 HeapAlloc,GetProcessHeap,HeapAlloc,memcpy,HeapFree,HeapFree,GetSystemInfo,memcmp,HeapFree,memcpy,GetProcessHeap,HeapAlloc,AcquireSRWLockExclusive,HeapAlloc,memcpy,memcpy,

0_2_6CD0DDE7

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDD1390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree,		0_2_6CDD1390
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB41390 CloseHandle,memset,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,HeapFree,		3_2_6CB41390

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CCE1400 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_6CCE1400

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CCEFCD0 GetProcessHeap,HeapAlloc,RtlAllocateHeap,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,memcpy,memcpy,memcpy,HeapFree,memcpy,HeapFree,memcpy,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,

0_2_6CCEFCD0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CD40C90 cpuid

0_2_6CD40C90

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6CE16B20 GetUserNameW,GetLastError,GetProcessHeap,HeapAlloc,GetUserNameW,GetLastError,GetProcessHeap,HeapAlloc,memcpy,HeapFree,HeapFree,

0_2_6CE16B20

Source: Yara match	File source: YUoxuUri8M.dll, type: SAMPLE
Source: Yara match	File source: 3.2.rundll32.exe.6cc0f946.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ced8bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6cc48bbe.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc0f946.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ce9f946.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ce9f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6cc0f946.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc48bbe.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6cc0f946.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6cce0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6ca50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 732, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	1 Defacement	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Service Execution	Boot or Logon Initialization Scripts	11 Process Injection	11 Process Injection	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Proxy	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 System Owner/User Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Indicator Removal	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YUoxuUri8M.dll	68%	ReversingLabs	Win32.Trojan.Generic
YUoxuUri8M.dll	100%	Avira	TR/Ransom.xmbad
YUoxuUri8M.dll	69%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://www.sysinternals.com0	0%	Avira URL Cloud	safe
http://www.microsoft.co	1%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.torproject.org/download/	rundll32.exe, 00000004.00000002.1656388663.000000000314A000.00000004.00000020.00020000.00000000.sdmp, YUoxuUri8M.dll	false		high
https://www.sysinternals.com0	loaddll32.exe, 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, YUoxuUri8M.dll	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	loaddll32.exe, rundll32.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/swsnr/gethostname.rs/issues	YUoxuUri8M.dll	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1344807
Start date and time:	2023-11-19 19:11:05 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	YUoxuUri8M.dll renamed because original name is a hash value
Original Sample Name:	c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40.dll
Detection:	MAL
Classification:	mal92.rans.spre.evad.winDLL@8/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 81% Number of executed functions: 17 Number of non-executed functions: 203
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.815416502528244
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YUoxuUri8M.dll
File size:	2'845'184 bytes
MD5:	88bb86494cb9411a9692f9c8e67ed32c
SHA1:	82f8060575de96dc4edc4f7b02ec31ba7637fa03
SHA256:	c26ce932f3609ecd710a3a1ca7f7b96f1b103a11b49a86e9423e03664eaabd40
SHA512:	670acd30005be75bbced78a505b4f0ded7f39cb4f4d55f9b09f31964d20bebb62908d40da4c9a103c87e83f4b31e0435ffd9ec78ee7a585c216e5551e0c67ebb
SSDEEP:	49152:MxmXXxQjiQspGXtwB0pnkF7TosNjLSq6Pq3Ecv9dsiPTg3pg:DQeQVmB0pni7TosNKq6adsi
TLSH:	36D5BF06FD439A79C5BF1470247EB379AD399C240525CEA7D7C88DB0BA2E7412D8872E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...".Vd...........#...#.....f+...............................................+.......+...@... .......................*.L..

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100013b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6456B622 [Sat May 6 20:18:42 2023 UTC]
TLS Callbacks:	0x100f9450, 0x1014ee30, 0x1014ede0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f846e17badb830abe49083e4c5bb1447

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [102AB18Ch], 00000000h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
call 00007F8264CDFD67h
add esp, 0Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 102AB000h
mov dword ptr [esp+04h], eax
call 00007F8264E2D6DEh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 1015C000h
call dword ptr [102AD6C4h]
sub esp, 04h
test eax, eax
je 00007F8264CDFF85h
mov ebx, eax
mov dword ptr [esp], 1015C000h
call dword ptr [102AD720h]
mov edi, dword ptr [102AD6D0h]
sub esp, 04h
mov dword ptr [102AB010h], eax
mov dword ptr [esp+04h], 1015C013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 1015C029h
mov dword ptr [esp], ebx
call edi
mov dword ptr [1015B000h], eax
sub esp, 08h
test esi, esi
je 00007F8264CDFF23h
mov dword ptr [esp+04h], 102AB014h
mov dword ptr [esp], 10284000h
call esi
mov dword ptr [eax+eax], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2ac000	0x4c	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ad000	0x1bc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2b1000	0xd30c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x283618	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2ad510	0x380	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x15932c	0x159400	False	0.5236807566980449	data	6.51300791744888	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x15b000	0x118	0x200	False	0.208984375	data	1.5302315334928558	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x15c000	0x127744	0x127800	False	0.5858267898688664	data	6.897829471292023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0x284000	0x26118	0x26200	False	0.3621734118852459	data	5.130901619963026	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x2ab000	0x1bc	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x2ac000	0x4c	0x200	False	0.140625	data	0.8918205656738996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x2ad000	0x1bc8	0x1c00	False	0.35044642857142855	data	5.149053093278306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x2af000	0x34	0x200	False	0.076171875	data	0.3320250245953951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x2b0000	0x8	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x2b1000	0xd30c	0xd400	False	0.6353368219339622	data	6.597160861109742	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
IPHLPAPI.DLL	FreeMibTable, GetAdaptersAddresses, GetIfEntry2, GetIfTable2
KERNEL32.dll	CreateSemaphoreW, DeleteCriticalSection, EnterCriticalSection, InitializeCriticalSection, LeaveCriticalSection, ReleaseSemaphore, VirtualProtect, VirtualQuery
msvcrt.dll	_amsg_exit, _initterm, _iob, _lock, _unlock, abort, calloc, free, fwrite, malloc, memcmp, memcpy, memmove, memset, realloc, strlen, strncmp, vfprintf
ntdll.dll	NtReadFile, NtWriteFile
PSAPI.DLL	EnumProcesses, GetModuleFileNameExW, GetPerformanceInfo, GetProcessImageFileNameW
advapi32.dll	AdjustTokenPrivileges, ChangeServiceConfigW, ControlService, CopySid, EnumDependentServicesW, EnumServicesStatusW, GetLengthSid, GetTokenInformation, GetUserNameW, IsValidSid, LookupAccountSidW, LookupPrivilegeValueA, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceStatusEx, RegCloseKey, RegOpenKeyExA, RegOpenKeyExW, RegSetValueExA, RegSetValueExW, SystemFunction036
bcrypt.dll	BCryptGenRandom
kernel32.dll	AcquireSRWLockExclusive, AcquireSRWLockShared, CancelIo, CloseHandle, CompareStringOrdinal, CreateDirectoryW, CreateEventW, CreateFileMappingA, CreateFileW, CreateMutexA, CreateNamedPipeW, CreateProcessW, CreateThread, CreateToolhelp32Snapshot, DeleteFileW, DeviceIoControl, DuplicateHandle, ExitProcess, FindClose, FindFirstFileW, FindNextFileW, FormatMessageW, FreeEnvironmentStringsW, FreeLibrary, GetCommandLineW, GetComputerNameExW, GetConsoleMode, GetCurrentDirectoryW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetDiskFreeSpaceExW, GetDriveTypeW, GetEnvironmentStringsW, GetEnvironmentVariableW, GetExitCodeProcess, GetFileAttributesW, GetFileInformationByHandle, GetFileInformationByHandleEx, GetFullPathNameW, GetLastError, GetLogicalDrives, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetOverlappedResult, GetProcAddress, GetProcessHeap, GetProcessIoCounters, GetProcessTimes, GetStdHandle, GetSystemDirectoryW, GetSystemInfo, GetSystemTimeAsFileTime, GetSystemTimes, GetTempPathW, GetTickCount64, GetVolumeInformationW, GetWindowsDirectoryW, GlobalMemoryStatusEx, HeapAlloc, HeapFree, HeapReAlloc, InitOnceBeginInitialize, InitOnceComplete, IsWow64Process, LoadLibraryA, MapViewOfFile, Module32FirstW, Module32NextW, MoveFileExW, MultiByteToWideChar, OpenProcess, QueryPerformanceCounter, QueryPerformanceFrequency, ReadFile, ReadFileEx, ReleaseMutex, ReleaseSRWLockExclusive, ReleaseSRWLockShared, RtlCaptureContext, SetFileAttributesW, SetFileInformationByHandle, SetLastError, SetThreadStackGuarantee, Sleep, SleepConditionVariableSRW, SleepEx, SwitchToThread, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnmapViewOfFile, WaitForMultipleObjects, WaitForSingleObject, WaitForSingleObjectEx, WakeAllConditionVariable, WakeConditionVariable, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, WriteConsoleW, WriteFileEx
netapi32.dll	NetApiBufferFree, NetShareEnum, NetUserEnum, NetUserGetInfo, NetUserGetLocalGroups, NetUserSetInfo
ntdll.dll	NtCreateFile, NtQuerySystemInformation, RtlNtStatusToDosError
ole32.dll	CoCreateInstance, CoInitializeEx, CoInitializeSecurity, CoSetProxyBlanket, CoUninitialize
oleaut32.dll	GetErrorInfo, SysAllocString, SysFreeString, SysStringLen, VariantClear
pdh.dll	PdhAddEnglishCounterW, PdhCloseQuery, PdhCollectQueryData, PdhGetFormattedCounterValue, PdhOpenQueryA, PdhRemoveCounter
powrprof.dll	CallNtPowerInformation
rstrtmgr.dll	RmEndSession, RmGetList, RmRegisterResources, RmStartSession
secur32.dll	LsaEnumerateLogonSessions, LsaFreeReturnBuffer, LsaGetLogonSessionData
shell32.dll	ShellExecuteA
user32.dll	ExitWindowsEx, SystemParametersInfoW
ws2_32.dll	WSACleanup, WSAGetLastError, WSAStartup, freeaddrinfo, getaddrinfo

Exports

Name	Ordinal	Address
DllMain	1	0x10032630

Target ID:	0
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll"
Imagebase:	0x560000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PsExec, Description: Yara detected PsExec sysinternal tool, Source: 00000000.00000002.1686142666.000000006CE3C000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\YUoxuUri8M.dll,DllMain
Imagebase:	0xb90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PsExec, Description: Yara detected PsExec sysinternal tool, Source: 00000003.00000002.1656593913.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	19:11:54
Start date:	19/11/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\YUoxuUri8M.dll",#1
Imagebase:	0xb90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PsExec, Description: Yara detected PsExec sysinternal tool, Source: 00000004.00000002.1656581433.000000006CBAC000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD22640 BCryptGenRandom,	0_2_6CD22640
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD1B03B BCryptGenRandom,memcpy,BCryptGenRandom,BCryptGenRandom,memcpy,memcpy,memcpy,	0_2_6CD1B03B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CDD3190 SetLastError,GetFullPathNameW,GetCurrentProcessId,BCryptGenRandom,	0_2_6CDD3190
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6CD3F130 BCryptGenRandom,BCryptGenRandom,GetProcessHeap,HeapAlloc,	0_2_6CD3F130
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CA8B03B BCryptGenRandom,memcpy,BCryptGenRandom,BCryptGenRandom,memcpy,memcpy,memcpy,	3_2_6CA8B03B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CB43190 SetLastError,GetFullPathNameW,GetCurrentProcessId,BCryptGenRandom,	3_2_6CB43190
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CAAF130 BCryptGenRandom,BCryptGenRandom,GetProcessHeap,HeapAlloc,	3_2_6CAAF130

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YUoxuUri8M.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Windows Analysis Report
YUoxuUri8M.dll