Windows Analysis Report
PSqBbz.dll

Overview

General Information

Sample name: PSqBbz.dll
Analysis ID: 1502270
MD5: 322e3eb0984014882ee5ca1398f74805
SHA1: 550f9ba5bd052dc7890f48f64ab3313eb171fbad
SHA256: 49676c6ae76771a48914b205927818f931d301cdf87104c874b234f349d6ce91
Tags: dll

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: PSqBbz.dll Avira: detected
Source: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?dzSWVrxeStrQsUBNHRVPip Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/ Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/c Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?ezfLlmYmbIYiCEOghMYOoP Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?uievPixGmzVbKOzhfhviODoaAY Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?AiNuMUXtWgCZYHVfKWdbOyZdTONuHtHNz Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com/flateo Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?AiNuMUXtWgCZYHVfKWdbOyZdTO Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com/ Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com/cB Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?qpVcogWUZudKwkAahLFKQbqMKd Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?qpVcogWUZudKwkAahLFKQbqMKdaKllZcB Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?uievPixGmzVbKOzhfhviODoaAYahKgGMc Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?dzSWVrxeStrQsUBNHRVPipauUfjiGVmnu Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt- Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/4 Avira URL Cloud: Label: malware
Source: http://www.rapidfilestorage.com/T4 Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?ezfLlmYmbIYiCEOghMYOoPlTXEFRmQkky Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?QstVkCRArOWIiNHaHSNSbB Avira URL Cloud: Label: malware
Source: http://skrptfiles.tracemonitors.com// Avira URL Cloud: Label: malware
Source: env-3936544.jcloud.kz Virustotal: Detection: 5%
Source: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txty.IE5 Virustotal: Detection: 7%
Source: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt Virustotal: Detection: 9%
Source: PSqBbz.dll ReversingLabs: Detection: 42%
Source: PSqBbz.dll Virustotal: Detection: 51%
Source: PSqBbz.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: PSqBbz.dll Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 108.156.60.94 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.22.66.16 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.67.87.38 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.22.66.15 80
Source: Joe Sandbox View IP Address: 108.156.60.94
Source: Joe Sandbox View IP Address: 185.22.66.16
Source: Joe Sandbox View IP Address: 194.67.87.38
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: PSKZ
Source: Joe Sandbox View ASN Name: AS-REGRU
Source: Joe Sandbox View ASN Name: PSKZ
Source: global traffic HTTP traffic detected: GET /updates/ya/wrtzr_ytab_b_1/win/version.txt?AiNuMUXtWgCZYHVfKWdbOyZdTONuHtHNz HTTP/1.1Accept: */*Cache-Control: no-cacheAccept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.rapidfilestorage.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /updates/ya/wrtzr_ytab_b_1/win/version.txt?lOUeyYkXtIeVhIGvnzBNcKeTcjKtSYTFb HTTP/1.1Accept: */*Cache-Control: no-cacheAccept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: helsinki-dtc.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /updates/ya/wrtzr_ytab_b_1/win/version.txt?dzSWVrxeStrQsUBNHRVPipauUfjiGVmnu HTTP/1.1Accept: */*Cache-Control: no-cacheAccept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: skrptfiles.tracemonitors.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /updates/ya/wrtzr_ytab_b_1/win/version.txt?uievPixGmzVbKOzhfhviODoaAYahKgGMc HTTP/1.1Accept: */*Cache-Control: no-cacheAccept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.rapidfilestorage.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /updates/ya/wrtzr_ytab_b_1/win/version.txt?SlTcUfEytvXVUBrjkwquyzjEBZVOZZQwu HTTP/1.1Accept: */*Cache-Control: no-cacheAccept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: helsinki-dtc.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /updates/ya/wrtzr_ytab_b_1/win/version.txt?QstVkCRArOWIiNHaHSNSbBAvKJJxjQxpV HTTP/1.1Accept: */*Cache-Control: no-cacheAccept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: skrptfiles.tracemonitors.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /updates/ya/wrtzr_ytab_b_1/win/version.txt?qpVcogWUZudKwkAahLFKQbqMKdaKllZcB HTTP/1.1Accept: */*Cache-Control: no-cacheAccept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.rapidfilestorage.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /updates/ya/wrtzr_ytab_b_1/win/version.txt?IKZGDKvYnvDMvoqTeVDzNztzWcdsCQqtM HTTP/1.1Accept: */*Cache-Control: no-cacheAccept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: helsinki-dtc.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /updates/ya/wrtzr_ytab_b_1/win/version.txt?ezfLlmYmbIYiCEOghMYOoPlTXEFRmQkky HTTP/1.1Accept: */*Cache-Control: no-cacheAccept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: skrptfiles.tracemonitors.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.rapidfilestorage.com
Source: global traffic DNS traffic detected: DNS query: helsinki-dtc.com
Source: global traffic DNS traffic detected: DNS query: skrptfiles.tracemonitors.com
Source: rundll32.exe, 00000004.00000002.2204766772.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2194878701.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203768862.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203507150.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228330297.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228442810.0000000003122000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228610375.0000000003122000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2220256911.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2220360028.0000000003122000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229067943.0000000003122000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229025019.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2245931924.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2246078521.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2246181279.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/
Source: rundll32.exe, 00000004.00000003.2194878701.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/8
Source: rundll32.exe, 00000004.00000002.2204766772.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2194878701.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203768862.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203507150.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/efee8a9d-c845-40f1-ac21-573d1d5ce43f
Source: rundll32.exe, 00000004.00000003.2194878701.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2246181279.00000000033CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt
Source: rundll32.exe, 00000007.00000003.2254638857.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2245819487.0000000005123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?IKZGDKvYnvDMvoqTeVDzNztzWcdsCQqtM
Source: rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2246181279.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?IKZGDKvYnvDMvoqTeVDzNztzWcdsCQqtM7
Source: rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2245931924.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?IKZGDKvYnvDMvoqTeVDzNztzWcdsCQqtMT
Source: rundll32.exe, 00000007.00000003.2246181279.00000000033E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?IKZGDKvYnvDMvoqTeVDzNztzWcdsCQqtMa
Source: rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2245931924.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?IKZGDKvYnvDMvoqTeVDzNztzWcdsCQqtMt
Source: rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2245931924.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?IKZGDKvYnvDMvoqTeVDzNztzWcdsCQqtMz
Source: rundll32.exe, 00000005.00000003.2220256911.00000000030D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2219895638.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229025019.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228610375.000000000312D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2220360028.000000000310F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229025019.00000000030D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?SlTcUfEytvXVUBrjkwquyzjEBZVOZZQwu
Source: rundll32.exe, 00000005.00000003.2228330297.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2220256911.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229025019.0000000003109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?SlTcUfEytvXVUBrjkwquyzjEBZVOZZQwuL
Source: rundll32.exe, 00000004.00000003.2194878701.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?lOUeyYkXtIeVhIGvnzBNcKeTcjKtSYTFb
Source: rundll32.exe, 00000004.00000003.2194878701.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2204766772.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203768862.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203652616.0000000002E39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?lOUeyYkXtIeVhIGvnzBNcKeTcjKtSYTFb#
Source: rundll32.exe, 00000004.00000003.2194878701.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?lOUeyYkXtIeVhIGvnzBNcKeTcjKtSYTFb%
Source: rundll32.exe, 00000004.00000003.2194775462.0000000004E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?lOUeyYkXtIeVhIGvnzBNcKeTcjKtSYTFb(
Source: rundll32.exe, 00000004.00000002.2204766772.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2194878701.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203768862.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203507150.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?lOUeyYkXtIeVhIGvnzBNcKeTcjKtSYTFb4
Source: rundll32.exe, 00000004.00000003.2194878701.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2204766772.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203768862.0000000002E39000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203652616.0000000002E39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?lOUeyYkXtIeVhIGvnzBNcKeTcjKtSYTFb5
Source: rundll32.exe, 00000004.00000003.2195024449.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2194878701.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?lOUeyYkXtIeVhIGvnzBNcKeTcjKtSYTFbN
Source: rundll32.exe, 00000005.00000003.2220256911.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2220360028.000000000310F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/updates/ya/wrtzr_ytab_b_1/win/version.txty.IE5
Source: rundll32.exe, 00000004.00000003.2194878701.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228442810.0000000003122000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228610375.0000000003122000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2220360028.0000000003122000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229067943.0000000003122000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://helsinki-dtc.com/x
Source: rundll32.exe, 00000004.00000003.2203652616.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2204766772.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203768862.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228330297.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229067943.0000000003110000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228442810.000000000310F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228610375.0000000003110000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://skrptfiles.tracemonitors.com/
Source: rundll32.exe, 00000004.00000003.2203652616.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2204766772.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203768862.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://skrptfiles.tracemonitors.com//
Source: rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://skrptfiles.tracemonitors.com/cB
Source: rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://skrptfiles.tracemonitors.com/flateo
Source: rundll32.exe, 00000005.00000003.2228442810.0000000003122000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt
Source: rundll32.exe, 00000004.00000003.2203358013.0000000002E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt-
Source: rundll32.exe, 00000005.00000002.2229025019.00000000030D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?QstVkCRArOWIiNHaHSNSbB
Source: rundll32.exe, 00000004.00000003.2203768862.0000000002E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?dzSWVrxeStrQsUBNHRVPip
Source: rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://skrptfiles.tracemonitors.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?ezfLlmYmbIYiCEOghMYOoP
Source: rundll32.exe, 00000004.00000002.2204542745.0000000002D9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2228922102.000000000308A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/
Source: rundll32.exe, 00000004.00000002.2204542745.0000000002D9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/4
Source: rundll32.exe, 00000004.00000002.2204542745.0000000002D9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/T4
Source: rundll32.exe, 00000005.00000002.2228922102.000000000308A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/c
Source: rundll32.exe, 00000004.00000003.2194878701.0000000002DE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?AiNuMUXtWgCZYHVfKWdbOyZdTO
Source: rundll32.exe, 00000007.00000003.2238565013.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2238653914.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2246078521.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254158292.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254436103.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2238565013.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254748663.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255151257.00000000033F1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2238565013.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2246181279.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2238653914.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2238457258.0000000004CE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?qpVcogWUZudKwkAahLFKQbqMKd
Source: rundll32.exe, 00000005.00000003.2220360028.000000000310F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229025019.00000000030D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rapidfilestorage.com/updates/ya/wrtzr_ytab_b_1/win/version.txt?uievPixGmzVbKOzhfhviODoaAY
Source: rundll32.exe, 00000004.00000003.2186699648.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2204766772.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2194878701.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203768862.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203507150.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2186201668.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228330297.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229067943.0000000003110000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2220256911.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228442810.000000000310F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2228610375.0000000003110000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2212626014.0000000003109000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2212750807.000000000310E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2220360028.000000000310F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254436103.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2238565013.00000000033C7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2246181279.00000000033CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2238653914.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2255090442.00000000033C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: PSqBbz.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal80.evad.winDLL@10/9@4/4
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\version[1].txt Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_ACplhEYFqoItrr
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3580:120:WilError_03
Source: PSqBbz.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSqBbz.dll,#1
Source: PSqBbz.dll ReversingLabs: Detection: 42%
Source: PSqBbz.dll Virustotal: Detection: 51%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\PSqBbz.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PSqBbz.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSqBbz.dll,#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PSqBbz.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PSqBbz.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PSqBbz.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSqBbz.dll,#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PSqBbz.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PSqBbz.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32 Jump to behavior
Source: PSqBbz.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: PSqBbz.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PSqBbz.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PSqBbz.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PSqBbz.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PSqBbz.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: rundll32.exe, 00000007.00000002.2255090442.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2238565013.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2246078521.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254436103.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.0000000003397000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH.:
Source: rundll32.exe, 00000004.00000003.2203507150.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2195024449.0000000002E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2186699648.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203652616.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2204766772.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2195024449.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203768862.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203507150.0000000002E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2204766772.0000000002E06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2203358013.0000000002DE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000005.00000003.2228330297.00000000030D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2220256911.00000000030D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2212626014.00000000030D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2229025019.00000000030D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWZ%
Source: rundll32.exe, 00000007.00000002.2255090442.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2238565013.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2246078521.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254436103.0000000003397000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2254638857.0000000003397000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW-4

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 108.156.60.94 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.22.66.16 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.67.87.38 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.22.66.15 80 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PSqBbz.dll",#1 Jump to behavior
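The evidence in this section is the shape a detection engineer turns into a rule: a signed system binary (rundll32.exe) is handed a DLL from the user's Desktop with its export called by ordinal (#1), spawned via cmd.exe, and the same rundll32.exe image then opens outbound connections on port 80. The following is an added example and is not part of the Joe Sandbox report. It parses evidence lines in the report's own "Process created" / "Mutant created" / "Network Connect" format into IOCs, flags rundll32.exe loading a DLL from a user-writable directory, and correlates that with network connections from the same image. The sample lines are constructed to mirror the entries above, with one added benign rundll32.exe invocation of shell32.dll from explorer.exe as a negative control; the directory list in USER_WRITABLE_RE and the reason strings are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the report's "Process created", "Mutant
# created" and "Network Connect" evidence lines. The final explorer.exe line is
# a constructed benign rundll32.exe invocation used as a negative control.
SAMPLE_REPORT = r"""
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\PSqBbz.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PSqBbz.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PSqBbz.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\PSqBbz.dll,#1
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\1_ACplhEYFqoItrr
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 108.156.60.94 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.22.66.16 80
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
"""

PROC_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
NET_RE = re.compile(r"^Source: (?P<image>\S+) Network Connect: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+)$")
MUTEX_RE = re.compile(r"^Source: (?P<image>\S+) Mutant created: (?P<name>\S+)$")
# rundll32 argument syntax: <dll path, optionally quoted>,<export name or #ordinal>
RUNDLL_ARG_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>#?\w+)', re.IGNORECASE)
# Assumed list of directories an unprivileged user can write to. A DLL loaded
# from one of these by a signed system binary is the living-off-the-land pattern.
USER_WRITABLE_RE = re.compile(r"\\(Users|AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_report(text: str):
    """Split evidence lines into process creations, network connects and mutants."""
    procs, conns, mutexes = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if (m := PROC_RE.match(line)):
            procs.append(m.groupdict())
        elif (m := NET_RE.match(line)):
            conns.append({"image": m["image"], "ip": m["ip"], "port": int(m["port"])})
        elif (m := MUTEX_RE.match(line)):
            mutexes.append({"image": m["image"], "name": m["name"]})
    return procs, conns, mutexes


def suspicious_rundll32(procs):
    """Flag rundll32.exe loading a DLL from a user-writable path; record why."""
    findings = []
    for p in procs:
        if basename(p["image"]) != "rundll32.exe":
            continue
        m = RUNDLL_ARG_RE.search(p["cmdline"])
        if not m:
            continue
        dll, export = m["dll"], m["export"]
        if not USER_WRITABLE_RE.search(dll):
            continue  # system DLL from a protected path: not interesting on its own
        reasons = ["dll in user-writable path"]
        if export.startswith("#"):
            # Calling by ordinal keeps the export name out of the command line.
            reasons.append("export called by ordinal")
        findings.append({"image": p["image"], "parent": p["parent"], "dll": dll,
                         "export": export, "reasons": reasons})
    return findings


def correlate_network(findings, conns):
    """Attach outbound connections made by the same image that loaded the DLL."""
    by_image = defaultdict(set)
    for c in conns:
        by_image[basename(c["image"])].add((c["ip"], c["port"]))
    for f in findings:
        f["network"] = sorted(by_image.get(basename(f["image"]), set()))
        if f["network"]:
            f["reasons"].append("image later connected to the network")
    return findings


def analyze(text: str) -> dict:
    """Return extracted IOCs plus the rundll32 findings with their evidence."""
    procs, conns, mutexes = parse_report(text)
    findings = correlate_network(suspicious_rundll32(procs), conns)
    iocs = {
        "ips": sorted({c["ip"] for c in conns}),
        "mutexes": sorted({m["name"] for m in mutexes}),
        "dlls": sorted({f["dll"] for f in findings}),
    }
    return {"iocs": iocs, "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_REPORT), indent=2))
```

The rule keys on the DLL path and the ordinal export rather than on the parent process because loaddll32.exe is the sandbox's own DLL loader; in production telemetry (Sysmon event ID 1 for process creation, ID 3 for network connections) the parent would be something like explorer.exe, an Office process or a script host, while the path and ordinal signals carry over unchanged.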