Play interactive tour

Edit tour

Analysis Report v1Us5AICBm

Overview

General Information

Sample Name:	v1Us5AICBm (renamed file extension from none to dll)
Analysis ID:	329945
MD5:	e0af3054669d6232870b87e1e239a689
SHA1:	f0aa6e50471e70d07a1b70207f38538cb31ed569
SHA256:	f8503947e0e984865a29d1e3f8a62ce7034069f49c2a2dd902af68274f192224
Tags:	zloader2
Most interesting Screenshot:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality to inject code into remote processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Queries the product ID of Windows

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 5312 cmdline: loaddll32.exe 'C:\Users\user\Desktop\v1Us5AICBm.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

msiexec.exe (PID: 6160 cmdline: msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Xyd\yvek.dll

ReversingLabs: Detection: 27%

Multi AV Scanner detection for submitted file

Show sources

Source: v1Us5AICBm.dll	Virustotal: Detection: 47%			Perma Link
Source: v1Us5AICBm.dll	ReversingLabs: Detection: 27%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Xyd\yvek.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: v1Us5AICBm.dll

Joe Sandbox ML: detected

Source: 0.2.loaddll32.exe.10000000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 12.2.msiexec.exe.350000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen2

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_0035F4E0 FindFirstFileW,FindNextFileW,

Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then push 0000000Ah
Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then add esi, 02h
Source: C:\Windows\System32\loaddll32.exe	Code function: 4x nop then push 00000000h
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 0000000Ah
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then mov eax, dword ptr [edi-08h]
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then push 00000000h
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 4x nop then add esi, 02h

Source: Joe Sandbox View

IP Address: 70.32.23.56 70.32.23.56

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_00351AF0 InternetReadFile,

Source: unknown

DNS traffic detected: queries for: www.businessinsurancelaw.com

Source: msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	String found in binary or memory: http://apps.ident
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: http://apps.identrust.comw
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	String found in binary or memory: http://cps.ro
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: http://crl.co
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: msiexec.exe, 0000000C.00000003.303630468.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationA
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: http://crt.comodoca.o
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.cog
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/R
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/wp-punch.php(
Source: msiexec.exe, 0000000C.00000003.308169882.0000000000938000.00000004.00000001.sdmp	String found in binary or memory: https://lamun.pk/wp-punch.phpT%
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://lamun.pk/wp-punch.phpc
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://squire.ae/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://squire.ae/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://squire.ae/wp-punch.php?
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://thecype.com/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://thecype.com/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://thecype.com/wp-punch.php)
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://thecype.com/wp-punch.phpefaults
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/;
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/J
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/f
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/j
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp, msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.php
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.php;
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.phpSNfc)
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.phpider
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.php(
Source: msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.phpVe
Source: msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp	String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.phptw
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/crosoft
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/wp-punch.php;
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/wp-punch.phpH
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/wp-punch.phpr
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	String found in binary or memory: https://www.rcclabbd.com/z#

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10009C60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10003A30
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10009A60
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001DA70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10015BF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00359C60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00353A30
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0036DA70
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00359A60
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00365BF0

Source: v1Us5AICBm.dll

Binary or memory string: OriginalFilenamehole.dll8 vs v1Us5AICBm.dll

Source: C:\Windows\SysWOW64\msiexec.exe

Section loaded: sfc.dll

Source: v1Us5AICBm.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yvek.dll.12.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal68.evad.winDLL@3/1@11/5

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_00369C90 AdjustTokenPrivileges,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100169A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Xyd

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{AE3C19F7-A2D0-F8C5-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{8E4429F7-92D0-D8BD-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\{3EAD2B6B-904C-6854-70B9-D0EFD3468FD7}

Source: v1Us5AICBm.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: v1Us5AICBm.dll	Virustotal: Detection: 47%
Source: v1Us5AICBm.dll	ReversingLabs: Detection: 27%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\v1Us5AICBm.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe

Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: v1Us5AICBm.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: v1Us5AICBm.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\Hundredsure\northSoil\goend\TogetherChild\hole.pdb source: loaddll32.exe, 00000000.00000002.295157206.0000000010051000.00000002.00020000.sdmp, msiexec.exe, 0000000C.00000003.300345501.00000000045B0000.00000004.00000001.sdmp, v1Us5AICBm.dll

Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: v1Us5AICBm.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1000D830 LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002807C push eax; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002E11B pushad ; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002E9F0 push eax; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002A228 push ebx; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10026E58 push FFFFFFFBh; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002779B push ecx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002EBA8 push edi; retf
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1005FB42 push ebx; ret

Source: initial sample	Static PE information: section name: .text entropy: 6.97945124569
Source: initial sample	Static PE information: section name: .text entropy: 6.97945124569

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Xyd\yvek.dll

Jump to dropped file

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100169A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

Source: C:\Windows\SysWOW64\msiexec.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Xyd\yvek.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_0035F4E0 FindFirstFileW,FindNextFileW,

Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_100169A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1000D830 LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10012EF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1005C98D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1005C8C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1005C4CA push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_00362EF0 mov eax, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_1000AE40 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,GetThreadContext,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess,

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe

Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001A00 CreateDialogParamW,GetVersion,

Source: C:\Windows\SysWOW64\msiexec.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Access Token Manipulation1	Masquerading1	OS Credential Dumping	Security Software Discovery111	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Access Token Manipulation1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Process Injection112	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing3	LSA Secrets	System Information Discovery13	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
v1Us5AICBm.dll	47%	Virustotal		Browse
v1Us5AICBm.dll	28%	ReversingLabs	Win32.Trojan.Generic
v1Us5AICBm.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Xyd\yvek.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Xyd\yvek.dll	28%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.10000000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File
12.2.msiexec.exe.350000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen2		Download File

Domains

Source	Detection	Scanner	Link
squire.ae	2%	Virustotal	Browse
lamun.pk	2%	Virustotal	Browse
rcclabbd.com	0%	Virustotal	Browse
businessinsurancelaw.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://thecype.com/wp-punch.phpefaults	0%	Avira URL Cloud	safe
http://apps.ident	0%	Avira URL Cloud	safe
http://crt.comodoca.o	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://www.rcclabbd.com/wp-punch.phpr	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://theterteboltallbrow.tk/f	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/wp-punch.phpVe	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/j	0%	Avira URL Cloud	safe
http://ocsp.comodoca.cog	0%	Avira URL Cloud	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
http://ocsp.int-x3.letsencrypt.org0/	0%	URL Reputation	safe
https://www.rcclabbd.com/wp-punch.php;	0%	Avira URL Cloud	safe
https://lamun.pk/	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/wp-smarts.phpSNfc)	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/	0%	Avira URL Cloud	safe
https://squire.ae/wp-punch.php?	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/wp-punch.php	0%	Avira URL Cloud	safe
https://lamun.pk/R	0%	Avira URL Cloud	safe
https://thecype.com/	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/;	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/wp-punch.php(	0%	Avira URL Cloud	safe
https://thecype.com/wp-punch.php)	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/wp-smarts.php;	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/wp-smarts.php	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/crosoft	0%	Avira URL Cloud	safe
https://lamun.pk/wp-punch.php	0%	Avira URL Cloud	safe
https://lamun.pk/wp-punch.phpc	0%	Avira URL Cloud	safe
https://squire.ae/	0%	Avira URL Cloud	safe
https://lamun.pk/wp-punch.phpT%	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/z#	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/wp-punch.php	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/	0%	Avira URL Cloud	safe
http://crl.co	0%	Avira URL Cloud	safe
https://lamun.pk/wp-punch.php(	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/	0%	Avira URL Cloud	safe
https://squire.ae/wp-punch.php	0%	Avira URL Cloud	safe
https://www.rcclabbd.com/wp-punch.phpH	0%	Avira URL Cloud	safe
https://theterteboltallbrow.tk/wp-smarts.phpider	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.ro	0%	Avira URL Cloud	safe
https://thecype.com/wp-punch.php	0%	Avira URL Cloud	safe
https://www.businessinsurancelaw.com/wp-punch.phptw	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
squire.ae	70.32.23.56	true	false	2%, Virustotal, Browse	unknown
lamun.pk	67.23.227.19	true	false	2%, Virustotal, Browse	unknown
rcclabbd.com	192.254.225.195	true	false	0%, Virustotal, Browse	unknown
businessinsurancelaw.com	70.32.23.56	true	false	1%, Virustotal, Browse	unknown
thecype.com	192.3.183.226	true	false		unknown
www.businessinsurancelaw.com	unknown	unknown	false		unknown
theterteboltallbrow.tk	unknown	unknown	false		unknown
www.rcclabbd.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://thecype.com/wp-punch.phpefaults	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://apps.ident	msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.comodoca.o	msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.rcclabbd.com/wp-punch.phpr	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.letsencrypt.org0	msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://theterteboltallbrow.tk/f	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/wp-punch.phpVe	msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/j	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.comodoca.cog	msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.int-x3.letsencrypt.org0/	msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.rcclabbd.com/wp-punch.php;	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/wp-smarts.phpSNfc)	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://squire.ae/wp-punch.php?	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/R	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://thecype.com/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/;	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/wp-punch.php(	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://thecype.com/wp-punch.php)	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/wp-smarts.php;	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/wp-smarts.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp, msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rcclabbd.com/crosoft	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/wp-punch.phpc	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://squire.ae/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/wp-punch.phpT%	msiexec.exe, 0000000C.00000003.308169882.0000000000938000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rcclabbd.com/z#	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://cert.int-x3.letsencrypt.org/0	msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	false		high
https://www.rcclabbd.com/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/J	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false		unknown
https://www.rcclabbd.com/	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.co	msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://lamun.pk/wp-punch.php(	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://squire.ae/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rcclabbd.com/wp-punch.phpH	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://theterteboltallbrow.tk/wp-smarts.phpider	msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.ro	msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://thecype.com/wp-punch.php	msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://www.businessinsurancelaw.com/wp-punch.phptw	msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.254.225.195	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
192.3.183.226	unknown	United States	36352	AS-COLOCROSSINGUS	false
70.32.23.56	unknown	United States	55293	A2HOSTINGUS	false
67.23.227.19	unknown	United States	33182	DIMENOCUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	329945
Start date:	13.12.2020
Start time:	17:59:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	v1Us5AICBm (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.evad.winDLL@3/1@11/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 70.9% (good quality ratio 70.4%) Quality average: 88.9% Quality standard deviation: 20.1%
HCA Information:	Successful, ratio: 63% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 13.88.21.125, 40.88.32.150, 51.104.139.180, 23.210.248.85, 8.253.95.121, 67.27.157.254, 8.248.147.254, 67.27.157.126, 67.27.233.126, 20.54.26.129, 92.122.213.194, 92.122.213.247, 52.155.217.156 Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
192.254.225.195	wp-scan.dll	Get hash	malicious	Browse
192.3.183.226	wp-scan.dll	Get hash	malicious	Browse
	https://www.nonnie.com.ng/ruis?email=kymo@willowoodusa.com	Get hash	malicious	Browse
	https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fspecfrial.online%2Fc2890d44d06bafb6c7b4aa194857ccbc%3Fid%3DbWFyay5iYXVtYW5Ab3dlbnNjb3JuaW5nLmNvbQ%3D%3D&data=02%7C01%7CPaul.Townley%40owenscorning.com%7C57e80c6031f94a765cd708d6a63fe7ef%7C09e4e683c8e44a8095d37f078d5a2649%7C0%7C0%7C636879190739673644&sdata=t4aWtIJoLI5bTvAlkH9b%2FIN7y6GseWVQVCGNqaSF2C4%3D&reserved=0	Get hash	malicious	Browse
	https://odresfua.online/ce93b7b0e618ad3ba298514c691dfad1?email=YmlyZGllLmNob3dAYWR2b2NhdGVoZWFsdGguY29t	Get hash	malicious	Browse
70.32.23.56	wp-scan.dll	Get hash	malicious	Browse
	doc.5756.xls	Get hash	malicious	Browse
	Ord5967.xls	Get hash	malicious	Browse
	invoice907.xls	Get hash	malicious	Browse
	Doc-7679.xls	Get hash	malicious	Browse
	order_1405.xls	Get hash	malicious	Browse
	https://shell-core.com/j2aqm0xkt.rar	Get hash	malicious	Browse
67.23.227.19	wp-scan.dll	Get hash	malicious	Browse
67.23.227.19	_#Ud83d#Udcde953@Westerntrust.hscni.net.htm	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
thecype.com	wp-scan.dll	Get hash	malicious	Browse	192.3.183.226
lamun.pk	wp-scan.dll	Get hash	malicious	Browse	67.23.227.19
squire.ae	wp-scan.dll	Get hash	malicious	Browse	70.32.23.56

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	aG2hS5oQsq.exe	Get hash	malicious	Browse	162.241.60.214
	3W9Z5Mn6Nh.rtf	Get hash	malicious	Browse	108.179.243.169
	DGkPaXmPUx.rtf	Get hash	malicious	Browse	192.185.129.64
	wp-scan.dll	Get hash	malicious	Browse	192.254.225.195
	SWIFT-MTC749892-10-12-20_pdf.exe	Get hash	malicious	Browse	192.185.216.110
	SN-17-2020.pdf.exe	Get hash	malicious	Browse	192.185.216.110
	Purchase Order#12202011.exe	Get hash	malicious	Browse	50.87.195.38
	https://timcoulson.com/mailer-daemon/?mail=james.dean@ahtd.ar.gov	Get hash	malicious	Browse	162.241.219.35
	https://sneakyveggies.com/wp-add	Get hash	malicious	Browse	162.241.124.195
	https://preventivahealth.com/document.html	Get hash	malicious	Browse	192.185.79.175
	https://morelifedrop.net/CD/office365.htm	Get hash	malicious	Browse	162.241.127.85
	http://amar.alwani.xalia-outlet.com/exr/amar.alwani@centrica.com	Get hash	malicious	Browse	69.49.228.190
	https://studntnu-my.sharepoint.com/:o:/g/personal/kirkebyg_ntnu_no/Eibio0jRkINJtrQ2cGW93HsBV-2OJ7plGr0_fP6Yhp0ZKw?e=zzCFN4	Get hash	malicious	Browse	162.241.27.46
	https://apcel-my.sharepoint.com/:o:/g/personal/mats_bjarnlid_apcel_se/Eo9dNcg7tRlLmRjiyE3DcEsBUUdhzATanbO-fWy_MABjEw?e=SGCxVg	Get hash	malicious	Browse	162.241.27.46
	https://statuscollectionuniform.com/wp-admin/AU/masterlifts/Global/Projects/Share/index.php	Get hash	malicious	Browse	162.214.75.114
	https://sangal.com.mx/.outlook.html	Get hash	malicious	Browse	192.185.131.183
	Payment Advice Notification.xlsx	Get hash	malicious	Browse	50.87.153.159
	Payment Advice Notification.xlsx	Get hash	malicious	Browse	50.87.153.159
	Payment Advice Notification.xlsx	Get hash	malicious	Browse	50.87.153.159
	Payment Advice Notification.xlsx	Get hash	malicious	Browse	50.87.153.159
A2HOSTINGUS	pty4	Get hash	malicious	Browse	162.249.2.189
	wp-scan.dll	Get hash	malicious	Browse	70.32.23.56
	https://shimypurr.com/asf/Twadle/00698/dHdhZGxlQHZlcm1lZXIuY29t	Get hash	malicious	Browse	67.209.121.100
	pty3	Get hash	malicious	Browse	68.66.253.100
	doc.5756.xls	Get hash	malicious	Browse	70.32.23.56
	output.xls	Get hash	malicious	Browse	70.32.23.16
	output.xls	Get hash	malicious	Browse	70.32.23.16
	output.xls	Get hash	malicious	Browse	70.32.23.16
	Ord5967.xls	Get hash	malicious	Browse	70.32.23.56
	invoice907.xls	Get hash	malicious	Browse	70.32.23.56
	Doc-7679.xls	Get hash	malicious	Browse	70.32.23.56
	order_1405.xls	Get hash	malicious	Browse	70.32.23.56
	Order.862393485.doc	Get hash	malicious	Browse	66.198.240.31
	https://shell-core.com/j2aqm0xkt.rar	Get hash	malicious	Browse	70.32.23.56
	http://secure-file-transfer-ver.webflow.io	Get hash	malicious	Browse	68.66.216.57
	https://teams-securelink-flow-docs.webflow.io/	Get hash	malicious	Browse	68.66.216.57
	https://globalforwarding.com.pe/Maersk/Maersk_line-delivery.php?code=63926583659	Get hash	malicious	Browse	68.66.226.79
	Fdquqwatjjr.exe	Get hash	malicious	Browse	85.187.154.178
	Consignment Document PL&BL Draft.exe	Get hash	malicious	Browse	85.187.154.178
	Purchase Order.exe	Get hash	malicious	Browse	85.187.154.178
AS-COLOCROSSINGUS	Quotation No. 233.xlsx	Get hash	malicious	Browse	192.3.146.192
	DEC 12-10 Wires.xlsx	Get hash	malicious	Browse	192.3.22.9
	TT 18,000.00 euro.xlsx	Get hash	malicious	Browse	216.170.126.121
	NEW PO-TRUSTC20-0604.exe	Get hash	malicious	Browse	154.16.116.113
	wp-scan.dll	Get hash	malicious	Browse	192.3.183.226
	ORDER.xlsx	Get hash	malicious	Browse	216.170.126.121
	101220b64.exe	Get hash	malicious	Browse	192.3.247.106
	3166805_Invoice_Receipt.exe	Get hash	malicious	Browse	198.12.123.178
	PreviewDoc.exe	Get hash	malicious	Browse	192.3.247.106
	Print-Review.exe	Get hash	malicious	Browse	192.3.247.106
	Print-Review.exe	Get hash	malicious	Browse	192.3.247.106
	New Order list.xlsx	Get hash	malicious	Browse	75.127.1.225
	HEMANI GROUP NEW ORDER.xlsx	Get hash	malicious	Browse	216.170.114.70
	d84S4fxGCp.doc	Get hash	malicious	Browse	198.12.123.178
	RRC-095-20.xlsx	Get hash	malicious	Browse	192.3.146.194
	Material Requisition and Order.xlsx	Get hash	malicious	Browse	192.3.146.169
	Shipping_Docs 12-09.xlsx	Get hash	malicious	Browse	198.12.125.17
	NewOrder-98542009.xlsx	Get hash	malicious	Browse	198.23.213.32
	PO2932.xlsx	Get hash	malicious	Browse	192.3.146.171
	TOo0haekwZ.exe	Get hash	malicious	Browse	198.12.125.17
DIMENOCUS	wp-scan.dll	Get hash	malicious	Browse	67.23.227.19
	https://onlinegenera.sn.am/lZnJUY4u40q	Get hash	malicious	Browse	67.23.232.130
	https://onlinegenera.sn.am/lZnJUY4u40q	Get hash	malicious	Browse	67.23.232.130
	https://onlinegenera.sn.am/lZnJUY4u40q	Get hash	malicious	Browse	67.23.232.130
	Order.862393485.doc	Get hash	malicious	Browse	184.171.251.122
	Payment form-976107909.doc	Get hash	malicious	Browse	184.171.251.122
	DOC051220-007_pdf.exe	Get hash	malicious	Browse	199.168.190.42
	_Remittance_.exe	Get hash	malicious	Browse	67.23.254.42
	i_Remittance.exe	Get hash	malicious	Browse	67.23.254.42
	vale-remittance.exe	Get hash	malicious	Browse	67.23.254.42
	_#Ud83d#Udcde953@Westerntrust.hscni.net.htm	Get hash	malicious	Browse	67.23.227.19
	https://h2oholdings.lk/smskod/one/westpac/login	Get hash	malicious	Browse	107.161.181.250
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	67.23.238.50
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	67.23.238.50
	http://250374-5014.futureriseeducation.com/qhlpbczkwxve/dG9tLndpbGN6YWtAc2VhcnNoYy5jb20=	Get hash	malicious	Browse	67.23.242.106
	USD67,884.08_Payment_Advise_9083008849.exe	Get hash	malicious	Browse	198.136.51.123
	http://www.947947.mirramodaintima.com.br/#aHR0cHM6Ly9lbXl0dXJrLmNvbS9zZC9JSy9vZjEvRmlkZWwuVG9ycmVzQHNlYXJzaGMuY29t	Get hash	malicious	Browse	177.234.159.42
	invoice.exe	Get hash	malicious	Browse	109.73.164.114
	ddos________ (IW0Irt2zSey6D6LMEgcs2kqQiSuMa 8 G).js	Get hash	malicious	Browse	67.23.238.50
	ddos________ (IW0Irt2zSey6D6LMEgcs2kqQiSuMa 8 G).js	Get hash	malicious	Browse	67.23.238.50

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Ca4fOzoNzJ.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	FAEROE#U007e0.EXE	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	VITHAF#U007e0.EXE	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	U0N4EBAJKJ.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	DAK0SFLsXV.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	TrustedInstaller.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	wp-scan.dll	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	SWIFT-MTC749892-10-12-20_pdf.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	aPe6wtn4Y8.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	Pw5WhqWFzK.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	soft.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	SN-17-2020.pdf.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	MSI4614.dll	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	zethpill.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	Z7G2lyR0tT.exe	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	imgengine.dll	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	http://email.dream11.com/ls/click?upn=gIaedBDL7lfVNdbAB8knTqzWOtzKjiGAdIjxItTBzfisZ9eaHsszPGYIVZ5c9tVbThEq-2F7r5H1ddfXxGAiqSEA-3D-3Dy1dA_TJcqyuN2iNYyC7hiQE8uPnpIrwAwiFHKa7P9O3CiGRV5Zdc60yh-2FWLCKsCnUSROY-2BBKuKVdEC0LWtK4-2FOrxpuEIEn6IxtcLH08KwUXmYODW9pymsy9zpjJC1l0k2-2B2ZGDA7llrlg-2BDC-2Fg3YTrgVq0OyM4w1U-2FU2mGIUK7D9YLK8POQedJhTmuBqzj8PIDSm2-2Bu5mOV-2B6GOLE63z6lg4PTw-3D-3D	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	https://intouch.mtn.com	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	https://nelleinletapt.buzz/CD/office365.htm	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fin0038847990.sn.am%2flfCk7ZE6GWq&c=E,1,XbwqZlmKwFAf_trFhDdV9wkuU6vutPEIQqN4IhE8jUbxLD3wnPPXDvKp8Jibjk9HngPAI5iRQWnG4vU_DQMKfMGkzgCqkZ-4BfRprMNSl9Nr7VoPQEtWNft5&typo=1	Get hash	malicious	Browse	192.254.225.195 192.3.183.226 70.32.23.56 67.23.227.19

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Xyd\yvek.dll Download File
Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	389120
Entropy (8bit):	6.772300701631193
Encrypted:	false
SSDEEP:	6144:j2yIqOCYbeyUaNpV55IQB5ykPgScnOfIvI+ZcZfqAf7Vv7U0+jG8CuJ:jPYb3UaNpV52QB5ykXcqacZfqARv7Bmj
MD5:	E0AF3054669D6232870B87E1E239A689
SHA1:	F0AA6E50471E70D07A1B70207F38538CB31ED569
SHA-256:	F8503947E0E984865A29D1E3F8A62CE7034069F49C2A2DD902AF68274F192224
SHA-512:	1574E2ACA2415A90677053DA5F625D4A9E3BB2E85362CC7ACC7B6430A35EB889883DA1FDA694D79EE38349FEE01B5843D0717D864E2D801302755188308D513F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 28%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=B..S...S...S.[(-...S..>...S......S..(...S..=...S.......S...R.+.S..!...S..)...S../...S..+...S.Rich..S.........................PE..L....6}E...........!.........P.......&.......................................`..............................................h...x....0.......................@...... ................................{..@............................................text...(........................... ..`.rdata..............................@..@.data............ ..................@....rsrc........0......................@..@.reloc.......@... ..................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.772300701631193
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	v1Us5AICBm.dll
File size:	389120
MD5:	e0af3054669d6232870b87e1e239a689
SHA1:	f0aa6e50471e70d07a1b70207f38538cb31ed569
SHA256:	f8503947e0e984865a29d1e3f8a62ce7034069f49c2a2dd902af68274f192224
SHA512:	1574e2aca2415a90677053da5f625d4a9e3bb2e85362cc7acc7b6430a35eb889883da1fda694d79ee38349fee01b5843d0717d864e2d801302755188308d513f
SSDEEP:	6144:j2yIqOCYbeyUaNpV55IQB5ykPgScnOfIvI+ZcZfqAf7Vv7U0+jG8CuJ:jPYb3UaNpV52QB5ykXcqacZfqARv7Bmj
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=B..S...S...S.[(-...S..>...S......S..(...S..=...S.......S...R.+.S..!...S..)...S../...S..+...S.Rich..S................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x100026e5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x457D36C4 [Mon Dec 11 10:45:24 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ac30ec1b90a9fedffe3cfc3e897b5a40

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007F0A38FE5CE7h
call 00007F0A38FEAD5Ah
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007F0A38FE5BD2h
pop ecx
retn 000Ch
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F0A38FE5D06h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F0A38FE5D30h
test ecx, 00000003h
jne 00007F0A38FE5CD1h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F0A38FE5CCAh
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F0A38FE5D14h
test ah, ah
je 00007F0A38FE5D06h
test eax, 00FF0000h
je 00007F0A38FE5CF5h
test eax, FF000000h
je 00007F0A38FE5CE4h
jmp 00007F0A38FE5CAFh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 000512D0h

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x58568	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x63000	0xf80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0x11b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x51220	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x57bf8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4fb28	0x50000	False	0.811544799805	data	6.97945124569	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x800c	0x9000	False	0.459689670139	data	5.7180496081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5a000	0x87f8	0x2000	False	0.2216796875	data	2.42882006124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x63000	0xf80	0x1000	False	0.371826171875	data	3.49422984211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0x1f06	0x2000	False	0.472290039062	data	4.57666635881	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0x63588	0xcc	data	English	United States
RT_DIALOG	0x63658	0xc0	data	English	United States
RT_DIALOG	0x63718	0xbc	data	English	United States
RT_DIALOG	0x637d8	0x148	data	English	United States
RT_DIALOG	0x63920	0xd0	data	English	United States
RT_DIALOG	0x639f0	0x140	data	English	United States
RT_DIALOG	0x63b30	0xc8	data	English	United States
RT_DIALOG	0x63bf8	0x142	data	English	United States
RT_DIALOG	0x63d40	0xbc	data	English	United States
RT_VERSION	0x63270	0x318	data	English	United States
RT_MANIFEST	0x63e00	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	LCMapStringW, VirtualProtect, GetStringTypeA, HeapReAlloc, GetStringTypeW, GetCurrentThreadId, GetLocaleInfoA, HeapSize, LoadLibraryA, InitializeCriticalSection, CompareStringA, CompareStringW, GetVersion, WriteFile, FindFirstChangeNotificationA, GetDiskFreeSpaceA, RemoveDirectoryA, CreateProcessA, CreateEventA, LCMapStringA, Sleep, GetSystemTimeAsFileTime, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetLastError, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, GetProcAddress, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, MultiByteToWideChar, GetTimeFormatA, GetDateFormatA, WideCharToMultiByte, GetTimeZoneInformation, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, SetEnvironmentVariableA
USER32.dll	GetMessageA, CloseClipboard, GetClassNameA, MapDialogRect, LoadIconA, SetParent, ExitWindowsEx, GetDC, InflateRect, OffsetRect, GetWindowTextA, GetAsyncKeyState, IntersectRect, EndDialog, EnumChildWindows, UpdateWindow, FindWindowA, EndDeferWindowPos, GetMessagePos
GDI32.dll	SetTextColor, SetBkColor, SetAbortProc, CreateBitmap, SetRectRgn, CombineRgn, StretchDIBits, GetClipBox, GetTextMetricsA, AbortDoc, EndDoc
COMDLG32.dll	CommDlgExtendedError, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA, ChooseFontA, ReplaceTextA
COMCTL32.dll	ImageList_Remove, InitCommonControlsEx, ImageList_SetBkColor, ImageList_SetIconSize, ImageList_Destroy, ImageList_SetDragCursorImage

Version Infos

Description	Data
LegalCopyright	Figskin Corporation. All rights reserved
InternalName	Pound Bit
FileVersion	8.3.0.634
CompanyName	Figskin Corporation
ProductName	Figskin Scienceland
ProductVersion	8.3.0.634
FileDescription	Figskin Scienceland
OriginalFilename	hole.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2020 18:00:44.319030046 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.445207119 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.445550919 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.496025085 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.623572111 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623622894 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623661041 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623702049 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623739958 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.623748064 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.623790026 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.623796940 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.623801947 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.740991116 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.867456913 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:44.867938042 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:44.900187969 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.065598965 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.370954037 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.370989084 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.371026039 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.371112108 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.371161938 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.371515036 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.371678114 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.498420954 CET	443	49735	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.498591900 CET	49735	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.621951103 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.748013020 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.748150110 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.748992920 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.874871969 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876118898 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876140118 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876154900 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876168966 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:45.876434088 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:45.903753996 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.030296087 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.030777931 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.032215118 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.197670937 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.478622913 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.478667974 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.478696108 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.478775024 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.478825092 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.478832006 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.478863001 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.478935957 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.591269016 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.604706049 CET	443	49736	70.32.23.56	192.168.2.3
Dec 13, 2020 18:00:46.604835033 CET	49736	443	192.168.2.3	70.32.23.56
Dec 13, 2020 18:00:46.718322039 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.718473911 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.726059914 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.853110075 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.854614973 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.854670048 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.854700089 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.854820967 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.854866028 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.869280100 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.996562004 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:46.996750116 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:46.997703075 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.164597034 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.503226995 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.503273010 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.503510952 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.503592014 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.503647089 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.503796101 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.503871918 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.630857944 CET	443	49737	67.23.227.19	192.168.2.3
Dec 13, 2020 18:00:47.631016016 CET	49737	443	192.168.2.3	67.23.227.19
Dec 13, 2020 18:00:47.727953911 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:47.886188030 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:47.887159109 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:47.889065981 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.047314882 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.050368071 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.050420046 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.050462008 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.050683022 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.077200890 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.236044884 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.236316919 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.237912893 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.406014919 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.406060934 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.406089067 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.406157017 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.406202078 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.406461000 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.406522989 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.424137115 CET	49739	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.564574957 CET	443	49738	192.254.225.195	192.168.2.3
Dec 13, 2020 18:00:48.564666986 CET	49738	443	192.168.2.3	192.254.225.195
Dec 13, 2020 18:00:48.582658052 CET	443	49739	192.254.225.195	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2020 17:59:52.110733032 CET	53195	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:52.134998083 CET	53	53195	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:53.136502028 CET	50141	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:53.161084890 CET	53	50141	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:53.969039917 CET	53023	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:53.996448040 CET	53	53023	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:54.775568962 CET	49563	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:54.799938917 CET	53	49563	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:55.968637943 CET	51352	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:55.995690107 CET	53	51352	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:57.135420084 CET	59349	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:57.159847021 CET	53	59349	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:57.871728897 CET	57084	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:57.899000883 CET	53	57084	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:58.493649006 CET	58823	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:58.518022060 CET	53	58823	8.8.8.8	192.168.2.3
Dec 13, 2020 17:59:59.518012047 CET	57568	53	192.168.2.3	8.8.8.8
Dec 13, 2020 17:59:59.545289993 CET	53	57568	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:00.191864014 CET	50540	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:00.216548920 CET	53	50540	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:01.227436066 CET	54366	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:01.254662991 CET	53	54366	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:02.154442072 CET	53034	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:02.181777000 CET	53	53034	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:22.572859049 CET	57762	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:22.597362995 CET	53	57762	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:26.736121893 CET	55435	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:26.781519890 CET	53	55435	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:42.112818003 CET	50713	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:42.137171984 CET	53	50713	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:42.501646996 CET	56132	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:42.545161009 CET	53	56132	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:44.156333923 CET	58987	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:44.293592930 CET	53	58987	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:45.447274923 CET	56579	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:45.616791964 CET	53	56579	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:46.527847052 CET	60633	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:46.587399006 CET	53	60633	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:47.556493998 CET	61292	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:47.724914074 CET	53	61292	8.8.8.8	192.168.2.3
Dec 13, 2020 18:00:58.139362097 CET	63619	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:00:58.166681051 CET	53	63619	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:01.057795048 CET	64938	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:01.100646019 CET	53	64938	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:01.960922956 CET	61946	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:02.051309109 CET	53	61946	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:02.058600903 CET	64910	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:02.094324112 CET	53	64910	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:02.180860043 CET	52123	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:02.218029976 CET	53	52123	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:07.111082077 CET	56130	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:07.152836084 CET	53	56130	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:07.160408020 CET	56338	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:07.193361044 CET	53	56338	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:12.204451084 CET	59420	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:12.287242889 CET	53	59420	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:12.304409027 CET	58784	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:12.339963913 CET	53	58784	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:32.026865005 CET	63978	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:32.051188946 CET	53	63978	8.8.8.8	192.168.2.3
Dec 13, 2020 18:01:33.656912088 CET	62938	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:01:33.697693110 CET	53	62938	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:43.275849104 CET	55708	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:43.308525085 CET	53	55708	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:43.803208113 CET	56803	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:43.836067915 CET	53	56803	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:44.467400074 CET	57145	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:44.500171900 CET	53	57145	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:44.832010031 CET	55359	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:44.856794119 CET	53	55359	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:45.364487886 CET	58306	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:45.399610996 CET	53	58306	8.8.8.8	192.168.2.3
Dec 13, 2020 18:02:45.700702906 CET	64124	53	192.168.2.3	8.8.8.8
Dec 13, 2020 18:02:45.728238106 CET	53	64124	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 13, 2020 18:00:44.156333923 CET	192.168.2.3	8.8.8.8	0xca7c	Standard query (0)	www.businessinsurancelaw.com	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:45.447274923 CET	192.168.2.3	8.8.8.8	0xd7d3	Standard query (0)	squire.ae	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:46.527847052 CET	192.168.2.3	8.8.8.8	0xa2f1	Standard query (0)	lamun.pk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:47.556493998 CET	192.168.2.3	8.8.8.8	0xde36	Standard query (0)	www.rcclabbd.com	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:01.057795048 CET	192.168.2.3	8.8.8.8	0x94b9	Standard query (0)	thecype.com	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:01.960922956 CET	192.168.2.3	8.8.8.8	0xb3a0	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:02.058600903 CET	192.168.2.3	8.8.8.8	0x7241	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:07.111082077 CET	192.168.2.3	8.8.8.8	0xe276	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:07.160408020 CET	192.168.2.3	8.8.8.8	0xb92f	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:12.204451084 CET	192.168.2.3	8.8.8.8	0xeb0	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:12.304409027 CET	192.168.2.3	8.8.8.8	0x79f4	Standard query (0)	theterteboltallbrow.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 13, 2020 18:00:44.293592930 CET	8.8.8.8	192.168.2.3	0xca7c	No error (0)	www.businessinsurancelaw.com	businessinsurancelaw.com		CNAME (Canonical name)	IN (0x0001)
Dec 13, 2020 18:00:44.293592930 CET	8.8.8.8	192.168.2.3	0xca7c	No error (0)	businessinsurancelaw.com		70.32.23.56	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:45.616791964 CET	8.8.8.8	192.168.2.3	0xd7d3	No error (0)	squire.ae		70.32.23.56	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:46.587399006 CET	8.8.8.8	192.168.2.3	0xa2f1	No error (0)	lamun.pk		67.23.227.19	A (IP address)	IN (0x0001)
Dec 13, 2020 18:00:47.724914074 CET	8.8.8.8	192.168.2.3	0xde36	No error (0)	www.rcclabbd.com	rcclabbd.com		CNAME (Canonical name)	IN (0x0001)
Dec 13, 2020 18:00:47.724914074 CET	8.8.8.8	192.168.2.3	0xde36	No error (0)	rcclabbd.com		192.254.225.195	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:01.100646019 CET	8.8.8.8	192.168.2.3	0x94b9	No error (0)	thecype.com		192.3.183.226	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:02.051309109 CET	8.8.8.8	192.168.2.3	0xb3a0	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:02.094324112 CET	8.8.8.8	192.168.2.3	0x7241	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:07.152836084 CET	8.8.8.8	192.168.2.3	0xe276	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:07.193361044 CET	8.8.8.8	192.168.2.3	0xb92f	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:12.287242889 CET	8.8.8.8	192.168.2.3	0xeb0	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)
Dec 13, 2020 18:01:12.339963913 CET	8.8.8.8	192.168.2.3	0x79f4	Name error (3)	theterteboltallbrow.tk	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Dec 13, 2020 18:00:44.623739958 CET	70.32.23.56	443	192.168.2.3	49735	CN=businessinsurancelaw.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Sep 29 02:00:00 CEST 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Tue Dec 29 00:59:59 CET 2020 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Dec 13, 2020 18:00:45.876168966 CET	70.32.23.56	443	192.168.2.3	49736	CN=squire.ae CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Oct 29 01:00:00 CET 2020 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Thu Jan 28 00:59:59 CET 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Dec 13, 2020 18:00:46.854670048 CET	67.23.227.19	443	192.168.2.3	49737	CN=*.lamun.pk CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Oct 27 22:33:43 CET 2020 Thu Mar 17 17:40:46 CET 2016	Mon Jan 25 22:33:43 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:00:46.854670048 CET	67.23.227.19	443	192.168.2.3	49737	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:00:48.050462008 CET	192.254.225.195	443	192.168.2.3	49738	CN=cpanel.rcclabbd.com CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri Nov 13 11:07:04 CET 2020 Thu Mar 17 17:40:46 CET 2016	Thu Feb 11 11:07:04 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:00:48.050462008 CET	192.254.225.195	443	192.168.2.3	49738	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:01:01.329282999 CET	192.3.183.226	443	192.168.2.3	49747	CN=webmail.thecype.com CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Oct 17 20:11:48 CEST 2020 Thu Mar 17 17:40:46 CET 2016	Fri Jan 15 19:11:48 CET 2021 Wed Mar 17 17:40:46 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Dec 13, 2020 18:01:01.329282999 CET	192.3.183.226	443	192.168.2.3	49747	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Mar 17 17:40:46 CET 2016	Wed Mar 17 17:40:46 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5312 Parent PID: 5628

General

Start time:	17:59:56
Start date:	13/12/2020
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\v1Us5AICBm.dll'
Imagebase:	0x13d0000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: msiexec.exe PID: 6160 Parent PID: 5312

General

Start time:	18:00:40
Start date:	13/12/2020
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	msiexec.exe
Imagebase:	0x1140000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report v1Us5AICBm

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 5312 Parent PID: 5628