Analysis Report iJdlvBxhYu.dll

Overview

General Information

Sample Name: iJdlvBxhYu.dll
Analysis ID: 404149
MD5: 18d613d02eaf8d339feebb21f578f329
SHA1: 01ea39853139ccfe82f0bd19f8963d3ccebf8e8a
SHA256: bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Tags: dll, geo, Gozi, ISFB, ITA, Ursnif

Detection

Ursnif
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6684 cmdline: loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6692 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6732 cmdline: rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6720 cmdline: rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6780 cmdline: rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6728 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4876 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.4e994a0.2.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Source: iJdlvBxhYu.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: iJdlvBxhYu.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.593517225.000000006E16B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.598022464.000000006E16B000.00000002.00020000.sdmp, iJdlvBxhYu.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0100896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: Joe Sandbox View | IP Address: 40.97.128.194 40.97.128.194
Source: global traffic | HTTP traffic detected:
  GET /login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: outlook.com
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: outlook.com
Source: ~DF0D80EB75D4D79339.TMP.15.dr, {C4CF6A29-AD44-11EB-90E5-ECF4BB2D2496}.dat.15.dr | String found in binary or memory: https://outlook.office365.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6M
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1023A5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E10101B NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E10145E GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1023A5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01001724 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0100B301 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E102184
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E14AF51
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E146700
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E169DAE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E163A47
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E167AB1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E154B3B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E16035D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1628C3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E14C100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E102184
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01003977
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01008045
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010062D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0100B0DC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E14AF51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E146700
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E169DAE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E163A47
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E167AB1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E154B3B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E16035D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1628C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E14C100
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E14B2D0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E14B2D0 appears 32 times
Source: iJdlvBxhYu.dll | Binary or memory string: OriginalFilenameturn.dll8 vs iJdlvBxhYu.dll
Source: iJdlvBxhYu.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: iJdlvBxhYu.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal60.troj.winDLL@12/5@3/4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_010024C7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4CF6A27-AD44-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF222070F69DD5E09D.TMP
Source: iJdlvBxhYu.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: iJdlvBxhYu.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iJdlvBxhYu.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iJdlvBxhYu.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iJdlvBxhYu.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iJdlvBxhYu.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iJdlvBxhYu.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: iJdlvBxhYu.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: iJdlvBxhYu.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.593517225.000000006E16B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.598022464.000000006E16B000.00000002.00020000.sdmp, iJdlvBxhYu.dll
Source: iJdlvBxhYu.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iJdlvBxhYu.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iJdlvBxhYu.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iJdlvBxhYu.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iJdlvBxhYu.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E10160D LoadLibraryA,GetProcAddress,
Source: iJdlvBxhYu.dll | Static PE information: real checksum: 0x8203c should be: 0x7fedb
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E102120 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E102173 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E11420E push es; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E11423B push ebx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E14B315 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1143C5 push ebp; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E18221D push eax; retf
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E182BB6 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E102120 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E102173 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0100AD10 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0100B0CB push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E11420E push es; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E11423B push ebx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E14B315 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1143C5 push ebp; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E115842 push esp; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E18221D push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E182BB6 push ecx; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_0100896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E14C6CB _memset,IsDebuggerPresent,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E152CFE ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E10160D LoadLibraryA,GetProcAddress,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E181302 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E181238 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E180E3F push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E181302 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E181238 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E180E3F push dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E14B830 GetProcessHeap,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E151090 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E151090 SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E14B84D cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\System32\loaddll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E101D6E SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_01007EC1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E14CFA3 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E101800 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match, File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
            Execution: Windows Management Instrumentation1, Native API1, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
            Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
            Privilege Escalation: Process Injection12, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
            Defense Evasion: Masquerading1, Process Injection12, Deobfuscate/Decode Files or Information1, Obfuscated Files or Information2, Rundll321, Software Packing1, Compile After Delivery, Indicator Removal from Tools
            Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
            Discovery: System Time Discovery2, Query Registry1, Security Software Discovery3, Process Discovery2, Account Discovery1, System Owner/User Discovery1, File and Directory Discovery2, System Information Discovery23
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
            Collection: Archive Collected Data1, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Command and Control: Encrypted Channel12, Ingress Tool Transfer1, Non-Application Layer Protocol2, Application Layer Protocol3, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
            Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
            Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
            Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior Graph ID: 404149
            Sample: iJdlvBxhYu.dll
            Startdate: 04/05/2021
            Architecture: WINDOWS
            Score: 60
            Domains and IPs: outlook.office365.com, outlook.ms-acdc.office.com, 2 other IPs or domains
            Signatures: Found malware configuration, Yara detected Ursnif
            Process tree: loaddll32.exe started rundll32.exe, cmd.exe and rundll32.exe; cmd.exe started rundll32.exe; iexplore.exe started iexplore.exe
            Signatures per process: rundll32.exe (started by loaddll32.exe): Writes registry values via WMI
            Network per process: iexplore.exe (child of iexplore.exe): outlook.com 40.97.128.194, 443, 49725, 49726 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; HHN-efz.ms-acdc.office.com 52.97.150.2, 443, 49728, 49729 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 6 other IPs or domains

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source: iJdlvBxhYu.dll, Detection: 6%, Scanner: Virustotal
            Source: iJdlvBxhYu.dll, Detection: 0%, Scanner: ReversingLabs

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source: 3.2.rundll32.exe.1000000.1.unpack, Detection: 100%, Scanner: Avira, Label: HEUR/AGEN.1108168

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

                          Name: outlook.com, IP: 40.97.128.194, Active: true, Malicious: false, Reputation: high
                          Name: HHN-efz.ms-acdc.office.com, IP: 52.97.150.2, Active: true, Malicious: false, Reputation: high
                          Name: FRA-efz.ms-acdc.office.com, IP: 52.97.201.82, Active: true, Malicious: false, Reputation: high
                          Name: www.outlook.com, IP: unknown, Active: unknown, Malicious: false, Reputation: high
                          Name: outlook.office365.com, IP: unknown, Active: unknown, Malicious: false, Reputation: high

                      Contacted URLs

                      Name: http://outlook.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk, Malicious: false, Reputation: high

                        URLs from Memory and Binaries

                        Name: https://outlook.office365.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6M, Source: ~DF0D80EB75D4D79339.TMP.15.dr, {C4CF6A29-AD44-11EB-90E5-ECF4BB2D2496}.dat.15.dr, Malicious: false, Reputation: high

                          Contacted IPs


                          Public

                          IP: 52.97.150.2, Domain: HHN-efz.ms-acdc.office.com, Country: United States, ASN: 8075, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS, Malicious: false
                          IP: 40.97.128.194, Domain: outlook.com, Country: United States, ASN: 8075, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS, Malicious: false
                          IP: 52.97.201.82, Domain: FRA-efz.ms-acdc.office.com, Country: United States, ASN: 8075, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS, Malicious: false

                          Private

                          IP: 192.168.2.1

                          General Information

                          Joe Sandbox Version:32.0.0 Black Diamond
                          Analysis ID:404149
                          Start date:04.05.2021
                          Start time:18:51:40
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 7m 48s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:iJdlvBxhYu.dll
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of new started processes analysed:22
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal60.troj.winDLL@12/5@3/4
                          EGA Information:Failed
                          HDC Information:
                          • Successful, ratio: 9.2% (good quality ratio 8.7%)
                          • Quality average: 79.3%
                          • Quality standard deviation: 28.8%
                          HCA Information:
                          • Successful, ratio: 85%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .dll
                          Warnings:
                          • Excluded IPs from analysis (whitelisted): 13.64.90.137, 92.122.145.220, 52.147.198.201, 104.43.193.48, 8.238.27.126, 8.238.28.254, 8.241.79.126, 8.238.29.254, 8.241.88.254, 2.20.142.209, 2.20.142.210, 20.190.160.132, 20.190.160.6, 20.190.160.67, 20.190.160.71, 20.190.160.136, 20.190.160.4, 20.190.160.8, 20.190.160.73, 20.82.210.154, 92.122.213.247, 92.122.213.194, 184.30.24.56, 88.221.62.148, 152.199.19.161, 40.64.100.89, 52.155.217.156
                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, mw1eap.displaycatalog.md.mp.microsoft.com.akadns.net, fg.download.windowsupdate.com.c.footprint.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, go.microsoft.com, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, consumerrp-displaycatalog-aks2eap-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, displaycatalog-uswesteap.md.mp.microsoft.com.akadns.net, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, cs9.wpc.v0cdn.net
                          • Report size getting too big, too many NtOpenKeyEx calls found.

                          Simulations

                          Behavior and APIs

                          Time: 18:53:49, Type: API Interceptor, Description: 1x Sleep call for process: rundll32.exe modified

                          Joe Sandbox View / Context

                          IPs

                          Match: 52.97.150.2
                          • SCAN08364720 #45836(PDF).pdf.htm, Detection: malicious
                          Match: 40.97.128.194
                          • http://outlook.com/owa/airmasteraustralia.onmicrosoft.com, Detection: malicious, Context: outlook.com/owa/airmasteraustralia.onmicrosoft.com
                          Match: 52.97.201.82
                          • DHL Notification -AWB DHL-2021011293002.exe, Detection: malicious

                              Domains

                              Match: HHN-efz.ms-acdc.office.com
                              • 8OKQ6ogGRx.dll, Detection: malicious, Context: 40.101.138.2
                              • 609110f2d14a6.dll, Detection: malicious, Context: 40.101.137.34
                              • New%20order%20contract.html, Detection: malicious, Context: 52.98.175.2
                              Match: outlook.com
                              • n6osajjc938.exe, Detection: malicious, Context: 104.47.54.36
                              • 9b3d7f02.exe, Detection: malicious, Context: 104.47.54.36
                              • 5zc9vbGBo3.exe, Detection: malicious, Context: 52.101.24.0
                              • InnAcjnAmG.exe, Detection: malicious, Context: 104.47.53.36
                              • 8X93Tzvd7V.exe, Detection: malicious, Context: 52.101.24.0
                              • u8A8Qy5S7O.exe, Detection: malicious, Context: 104.47.53.36
                              • SecuriteInfo.com.Mal.GandCrypt-A.24654.exe, Detection: malicious, Context: 104.47.54.36
                              • SecuriteInfo.com.Mal.GandCrypt-A.5674.exe, Detection: malicious, Context: 104.47.54.36
                              • SecuriteInfo.com.W32.AIDetect.malware2.29567.exe, Detection: malicious, Context: 104.47.53.36
                              • lsass(1).exe, Detection: malicious, Context: 104.47.59.138
                              • rtofwqxq.exe, Detection: malicious, Context: 104.47.53.36
                              • VufxYArno1.exe, Detection: malicious, Context: 104.47.53.36
                              Match: FRA-efz.ms-acdc.office.com
                              • 8OKQ6ogGRx.dll, Detection: malicious, Context: 40.101.81.162
                              • dechert-Investment078867-xlsx.Html, Detection: malicious, Context: 52.97.189.66
                              • murexltd-Investment_265386-xlsx.html, Detection: malicious, Context: 52.97.188.66
                              • z2xQEFs54b.exe, Detection: malicious, Context: 52.97.250.226
                              • sgs-Investment974041-xlsx.Html, Detection: malicious, Context: 40.101.19.162
                              • roccor-invoice-648133_xls.HtMl, Detection: malicious, Context: 52.97.200.162
                              • redwirespace-invoice-982323_xls.HtMl, Detection: malicious, Context: 40.101.12.82
                              • prismcosec-invoice-647718_xls.HtMl, Detection: malicious, Context: 40.101.81.130
                              • E848.tmp.exe, Detection: malicious, Context: 40.101.81.130
                              • Payment.html, Detection: malicious, Context: 52.97.250.194
                              • Remittance advice.htm, Detection: malicious, Context: 52.97.250.210
                              • 0G2gue8shl.exe, Detection: malicious, Context: 52.97.176.2
                              • February Payroll.xls.htm, Detection: malicious, Context: 52.97.250.242
                              • PURCHASE ORDER#34556558.exe, Detection: malicious, Context: 52.97.200.178
                              • Proforma Invoice.exe, Detection: malicious, Context: 52.97.250.210
                              • E-DEKONT.exe, Detection: malicious, Context: 52.97.144.178
                              • DHL Notification -AWB DHL-2021011293002.exe, Detection: malicious, Context: 52.97.201.82
                              • DHL DOCS.exe, Detection: malicious, Context: 40.101.80.2
                              • ORDER REQUEST.exe, Detection: malicious, Context: 40.101.121.34
                              • INVOICE.exe, Detection: malicious, Context: 52.97.188.66

                              ASN

                              Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
                              • 2f50000.exe, Detection: malicious, Context: 52.141.33.89
                              • 609110f2d14a6.dll, Detection: malicious, Context: 40.101.137.34
                              • EBqJhAymeE.rtf, Detection: malicious, Context: 157.55.173.72
                              • QXfU5ZSUpd.exe, Detection: malicious, Context: 20.194.35.6
                              • 813oo3jeWE.exe, Detection: malicious, Context: 20.184.2.45
                              • pog.exe, Detection: malicious, Context: 40.124.7.222
                              • 8UsA.sh, Detection: malicious, Context: 20.233.3.158
                              • pog.exe, Detection: malicious, Context: 40.124.7.222
                              • nT7K5GG5km, Detection: malicious, Context: 40.96.198.202
                              • KnAY2OIPI3, Detection: malicious, Context: 20.177.182.208
                              • krJF4BtzSv.exe, Detection: malicious, Context: 65.52.188.118
                              • DSOneApp(1).exe, Detection: malicious, Context: 40.126.31.141
                              • INV 57474545.doc, Detection: malicious, Context: 65.52.188.118
                              • kr.ps1, Detection: malicious, Context: 204.79.197.200
                              • JRyLnlTR1O, Detection: malicious, Context: 20.176.121.146
                              • New%20order%20contract.html, Detection: malicious, Context: 52.98.175.2
                              • ldr.sh, Detection: malicious, Context: 20.3.143.189
                              • y6f8O0kbEB.exe, Detection: malicious, Context: 65.52.188.118
                              • confirm this order and sign PI.exe, Detection: malicious, Context: 13.66.245.231
                              • CMEpJtxLhf.exe, Detection: malicious, Context: 52.168.94.29

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4CF6A27-AD44-11EB-90E5-ECF4BB2D2496}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document
                              Category:dropped
                              Size (bytes):29272
                              Entropy (8bit):1.7690028446621529
                              Encrypted:false
                              SSDEEP:48:IwOGcprWGwpL3G/ap8vZGIpcKGYGvnZpvKcGomRqp9KXGo4qW1pmEjGWmzy1MGWu:rSZOZ/2vLWbt6AfPqW1MfODIL+TNRDB
                              MD5:7002C28F8DAFB19C321D8F3802742CAC
                              SHA1:10586DB11264F5FB282E742B7C439209155B4A41
                              SHA-256:AF3751488A7F551AE1A019B306EC610845E7424749F28AE6BF40C9F8BDFEC153
                              SHA-512:74ABC47BE2FA0394B397E0BCC83052452EC870C0141D01FF9CCAC3A284C556DD7464D9692CABAC3A64A7B015B5C5EC0A5153F528752C65ABC0D3F463CEF1D2DB
                              Malicious:false
                              Reputation:low
                              Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C4CF6A29-AD44-11EB-90E5-ECF4BB2D2496}.dat
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:Microsoft Word Document
                              Category:dropped
                              Size (bytes):27440
                              Entropy (8bit):1.8692767005485296
                              Encrypted:false
                              SSDEEP:192:r+ZdQF6fkZj52dWxMN64GBKG7x4GBKGuA:rKiwcVI0Kguouq
                              MD5:8FA8A2AC554320BF7B927691D0E9AA33
                              SHA1:37BB604AF62C4236281E0640728FAB1A40E61068
                              SHA-256:5CFA609F2EE9DD30D833ADF282288AB25CBE0619EF014B63A2D71DD0636FD61E
                              SHA-512:DC3570C168CC2174D16E1908AAFB7C3C4BDD8E13192131EAFA8FB6F91D7E4717CFF5B49FC9B29F6E41D77A18388A53EFD7668760024C4603851EECE097196909
                              Malicious:false
                              Reputation:low
                              Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                              Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):89
                              Entropy (8bit):4.440534734931472
                              Encrypted:false
                              SSDEEP:3:oVXUWRFEfQRcS4T48JOGXnEWRFEfQRcS4uULun:o9UChcwqEChcS7
                              MD5:5B1B55767347E99D9DF8CFDEA6ABE92F
                              SHA1:21E2F35CA929750943C12141583CCA5D3EAB76A3
                              SHA-256:A93DEB522A49F2709E978A2F8F1B8A35FBF8B9EAFA8AF6499EC096BE71E0555A
                              SHA-512:B4FE7A36552EE0BF60DB9781C17B8A7F2E8B81D6C67B1480319C26C1E6B8D898AAC7C23374414E59594A65E67E4404BCBBDEE0EB22D9929EE6BD833EA1DBF570
                              Malicious:false
                              Reputation:low
                              Preview: [2021/05/04 18:54:05.717] Latest deploy version: ..[2021/05/04 18:54:05.717] 11.211.2 ..
                              C:\Users\user\AppData\Local\Temp\~DF0D80EB75D4D79339.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):39777
                              Entropy (8bit):0.6001466555757741
                              Encrypted:false
                              SSDEEP:192:kBqoxKAuqR+CkuH0S4GBKGz4GBKG/4GBKGE:kBqoxKAuqR+CkuH0SuWueuX
                              MD5:648119EC3976EFE617D1F81C477C1B69
                              SHA1:941D0AD9905FF41F28A51FC7463C7E80E63DFBAC
                              SHA-256:0AE66953DBE3EBBC42F7D50BFF3568F07E10D28C9205B89CBCADFA5FD327A0D4
                              SHA-512:3DD2AEF4769544D679FE1BCDF7D18408AE61C5070D1123914D46CC4AED5890D0F217B31AC77990A554A2ED7CE49D694030A85F17B9223D62516C97E765186ED5
                              Malicious:false
                              Reputation:low
                              Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Users\user\AppData\Local\Temp\~DF222070F69DD5E09D.TMP
                              Process:C:\Program Files\internet explorer\iexplore.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12933
                              Entropy (8bit):0.4101257122829776
                              Encrypted:false
                              SSDEEP:24:c9lLh9lLh9lIn9lIn9lof9lof9lWJatrFat5B:kBqoIAeo10fB
                              MD5:0182845E86B74629EC312B38783F6A31
                              SHA1:B0FBDA728E7F1458FF95368C850A0CC9F5C534B8
                              SHA-256:73172B66EC5FE590A7CC6F5F2CC197082ABCC57AF15A2943A739F91995081D4F
                              SHA-512:8FD0EEE8E84724EC60A73A512D834F87297AD6A40260A25C4EF97BD0CFE513B690B177164E351D32AAD994E1A12D211486826BCC5038CA629E4C65AED74745C5
                              Malicious:false
                              Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                              Static File Info

                              General

                              File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.549323607622641
                              TrID:
                              • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                              • Generic Win/DOS Executable (2004/3) 0.20%
                              • DOS Executable Generic (2002/1) 0.20%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:iJdlvBxhYu.dll
                              File size:523264
                              MD5:18d613d02eaf8d339feebb21f578f329
                              SHA1:01ea39853139ccfe82f0bd19f8963d3ccebf8e8a
                              SHA256:bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
                              SHA512:a432ca4267f56530945e2dd352e658d72b3fc84101b84dcd86bc0adcf42e218e394556d6b69cec92cb30a960ce83586e8c026e971f02fa5154d100a198f1e4ce
                              SSDEEP:12288:CddaT8lLVrp6I7MsfHqWxSWlNTjGoLYTbgOJpXLH:Cddhp1YCMuFx/jGo0XL
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................^.G.......T......AN.......V.......i.......h.....^.B...............l.......U.......R.......W.....Rich...........

                              File Icon

                              Icon Hash:74f0e4ecccdce0e4

                              Static PE Info

                              General

                              Entrypoint:0x104a38a
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x1000000
                              Subsystem:windows gui
                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x6089CC25 [Wed Apr 28 20:57:09 2021 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:61abfa6d76443dd7d018df0c9cf8b0a5

                              Entrypoint Preview

                              Instruction
                              push ebp
                              mov ebp, esp
                              cmp dword ptr [ebp+0Ch], 01h
                              jne 00007FD0D4954B07h
                              call 00007FD0D495B0D4h
                              push dword ptr [ebp+10h]
                              push dword ptr [ebp+0Ch]
                              push dword ptr [ebp+08h]
                              call 00007FD0D4954B0Ch
                              add esp, 0Ch
                              pop ebp
                              retn 000Ch
                              push 0000000Ch
                              push 0107B4A8h
                              call 00007FD0D4955A1Ch
                              xor eax, eax
                              inc eax
                              mov esi, dword ptr [ebp+0Ch]
                              test esi, esi
                              jne 00007FD0D4954B0Eh
                              cmp dword ptr [0118E36Ch], esi
                              je 00007FD0D4954BEAh
                              and dword ptr [ebp-04h], 00000000h
                              cmp esi, 01h
                              je 00007FD0D4954B07h
                              cmp esi, 02h
                              jne 00007FD0D4954B37h
                              mov ecx, dword ptr [01075238h]
                              test ecx, ecx
                              je 00007FD0D4954B0Eh
                              push dword ptr [ebp+10h]
                              push esi
                              push dword ptr [ebp+08h]
                              call ecx
                              mov dword ptr [ebp-1Ch], eax
                              test eax, eax
                              je 00007FD0D4954BB7h
                              push dword ptr [ebp+10h]
                              push esi
                              push dword ptr [ebp+08h]
                              call 00007FD0D4954916h
                              mov dword ptr [ebp-1Ch], eax
                              test eax, eax
                              je 00007FD0D4954BA0h
                              mov ebx, dword ptr [ebp+10h]
                              push ebx
                              push esi
                              push dword ptr [ebp+08h]
                              call 00007FD0D4952376h
                              mov edi, eax
                              mov dword ptr [ebp-1Ch], edi
                              cmp esi, 01h
                              jne 00007FD0D4954B2Ah
                              test edi, edi
                              jne 00007FD0D4954B26h
                              push ebx
                              push eax
                              push dword ptr [ebp+08h]
                              call 00007FD0D495235Eh
                              push ebx
                              push edi
                              push dword ptr [ebp+08h]
                              call 00007FD0D49548DCh
                              mov eax, dword ptr [01075238h]
                              test eax, eax
                              je 00007FD0D4954B09h
                              push ebx
                              push edi
                              push dword ptr [ebp+08h]
                              call eax

                              Data Directories

                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x7bbd0 | 0x58 | .rdata
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7bc28 | 0x64 | .rdata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x191000 | 0x498 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x192000 | 0x2818 | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6b200 | 0x38 | .rdata
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x7a980 | 0x40 | .rdata
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x6b000 | 0x1ac | .rdata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0x6988d | 0x69a00 | False | 0.70416512574 | data | 6.62140187581 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .rdata | 0x6b000 | 0x115e0 | 0x11600 | False | 0.471967738309 | data | 5.23669501131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .data | 0x7d000 | 0x113300 | 0x1800 | False | 0.333984375 | data | 3.88700180982 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .rsrc | 0x191000 | 0x498 | 0x600 | False | 0.356119791667 | data | 2.99935790597 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0x192000 | 0x2818 | 0x2a00 | False | 0.743117559524 | data | 6.59705049508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                              Resources

                              Name | RVA | Size | Type | Language | Country
                              RT_VERSION | 0x1910a0 | 0x35c | data | English | United States
                              RT_MANIFEST | 0x191400 | 0x91 | XML 1.0 document text | English | United States

                              Imports

                              DLL | Import
                              KERNEL32.dll | FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetEnvironmentVariableA, SetStdHandle, SetFilePointerEx, WriteConsoleW, CloseHandle, GetFileAttributesW, GetWindowsDirectoryW, CreateProcessW, OpenMutexW, VirtualProtectEx, EncodePointer, DecodePointer, HeapAlloc, GetSystemTimeAsFileTime, RaiseException, RtlUnwind, GetCommandLineA, GetCurrentThreadId, IsProcessorFeaturePresent, GetLastError, HeapFree, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, IsDebuggerPresent, GetTimeZoneInformation, SetLastError, GetCurrentThread, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, CreateSemaphoreW, SetConsoleCtrlHandler, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, FreeLibrary, LoadLibraryExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, HeapReAlloc, OutputDebugStringW, GetStringTypeW, CreateFileW
                              USER32.dll | GetPropW, CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW
                              GDI32.dll | MoveToEx, SetTextColor, SetBkMode, SetBkColor, LineTo, IntersectClipRect, GetClipBox, GetCharWidthW, CreateBitmap
                              COMCTL32.dll | ImageList_SetDragCursorImage, ImageList_Draw, PropertySheetW, CreatePropertySheetPageA

                              Exports

                              Name | Ordinal | Address
                              Enterbeen | 1 | 0x1047ed0
                              Multiply | 2 | 0x1047fb0

                              Version Infos

                              Description | Data
                              LegalCopyright | Fingergeneral Corporation. All rights reserved
                              InternalName | Probable
                              FileVersion | 5.5.2.216 Sidedone
                              CompanyName | Fingergeneral Corporation
                              ProductName | Fingergeneral Wear twenty
                              ProductVersion | 5.5.2.216
                              FileDescription | Fingergeneral Wear twenty
                              OriginalFilename | turn.dll
                              Translation | 0x0409 0x04b0

                              Possible Origin

                              Language of compilation system | Country where language is spoken | Map
                              English | United States |

                              Network Behavior

                              Snort IDS Alerts

                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                              05/04/21-18:52:29.692083 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:29.727060 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
                              05/04/21-18:52:29.727454 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:29.763162 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6
                              05/04/21-18:52:29.763557 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:29.799375 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.49.165 | 192.168.2.6
                              05/04/21-18:52:29.800094 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:29.840838 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.18 | 192.168.2.6
                              05/04/21-18:52:29.841596 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:29.888178 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.53 | 192.168.2.6
                              05/04/21-18:52:29.888557 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:29.935589 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.56.190 | 192.168.2.6
                              05/04/21-18:52:29.936007 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:29.981493 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 4.68.37.93 | 192.168.2.6
                              05/04/21-18:52:29.981978 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:33.661732 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:37.677969 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:41.678428 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:46.273239 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:50.163683 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:54.183288 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:52:58.210718 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:02.180671 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:06.166018 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:10.165814 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:14.165998 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:18.170708 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:22.187264 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:26.185740 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:30.169625 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:34.182432 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:38.621192 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:42.637472 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:46.627649 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:50.623633 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:54.618741 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:53:59.048851 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:02.619742 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:06.619825 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:10.620244 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:14.620372 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:18.627035 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:22.627997 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:26.622060 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:30.622421 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:34.623800 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:38.622781 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126
                              05/04/21-18:54:42.626771 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.238.27.126

                              Network Port Distribution

                              TCP Packets

                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              May 4, 2021 18:54:06.545804977 CEST | 49725 | 80 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:06.545804024 CEST | 49726 | 80 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:06.689771891 CEST | 80 | 49726 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:06.689989090 CEST | 49726 | 80 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:06.690716028 CEST | 49726 | 80 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:06.691628933 CEST | 80 | 49725 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:06.691734076 CEST | 49725 | 80 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:06.838143110 CEST | 80 | 49726 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:06.838278055 CEST | 49726 | 80 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:06.838489056 CEST | 49726 | 80 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:06.846282005 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:06.982461929 CEST | 80 | 49726 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:06.992594004 CEST | 443 | 49727 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:06.992799997 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:07.001812935 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:07.150540113 CEST | 443 | 49727 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:07.150578022 CEST | 443 | 49727 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:07.150607109 CEST | 443 | 49727 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:07.150631905 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:07.150660038 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:07.188564062 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:07.195911884 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:07.338144064 CEST | 443 | 49727 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:07.338247061 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:07.346502066 CEST | 443 | 49727 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:07.346637011 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:07.347060919 CEST | 49727 | 443 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:07.414005995 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.414077997 CEST | 49729 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.463756084 CEST | 443 | 49729 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.463836908 CEST | 443 | 49728 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.463890076 CEST | 49729 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.463932991 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.464896917 CEST | 49729 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.465254068 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.492871046 CEST | 443 | 49727 | 40.97.128.194 | 192.168.2.6
                              May 4, 2021 18:54:07.514828920 CEST | 443 | 49729 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.514866114 CEST | 443 | 49729 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.514894009 CEST | 443 | 49729 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.514909029 CEST | 443 | 49728 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.514928102 CEST | 443 | 49728 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.514945030 CEST | 443 | 49728 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.515085936 CEST | 49729 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.515105963 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.515187025 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.525580883 CEST | 49729 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.525724888 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.526541948 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.575365067 CEST | 443 | 49728 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.575416088 CEST | 443 | 49728 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.575449944 CEST | 443 | 49729 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.575480938 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.575510979 CEST | 49729 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.578187943 CEST | 443 | 49728 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.578321934 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.578660965 CEST | 49728 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:07.627228022 CEST | 443 | 49728 | 52.97.150.2 | 192.168.2.6
                              May 4, 2021 18:54:07.639496088 CEST | 49730 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.639502048 CEST | 49731 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.686299086 CEST | 443 | 49730 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.686391115 CEST | 49730 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.687308073 CEST | 49730 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.692817926 CEST | 443 | 49731 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.693005085 CEST | 49731 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.703771114 CEST | 49731 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.734812975 CEST | 443 | 49730 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.734844923 CEST | 443 | 49730 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.734864950 CEST | 443 | 49730 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.735014915 CEST | 49730 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.745953083 CEST | 49730 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.746764898 CEST | 49730 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.757808924 CEST | 443 | 49731 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.757838011 CEST | 443 | 49731 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.757853985 CEST | 443 | 49731 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.757935047 CEST | 49731 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.758002996 CEST | 49731 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.764975071 CEST | 49731 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.793373108 CEST | 443 | 49730 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.793854952 CEST | 443 | 49730 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.793988943 CEST | 49730 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.799103975 CEST | 443 | 49730 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.799125910 CEST | 443 | 49730 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.799235106 CEST | 49730 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:07.819248915 CEST | 443 | 49731 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:07.819401026 CEST | 49731 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:08.096868038 CEST | 443 | 49731 | 52.97.201.82 | 192.168.2.6
                              May 4, 2021 18:54:08.097042084 CEST | 49731 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:08.861166954 CEST | 49725 | 80 | 192.168.2.6 | 40.97.128.194
                              May 4, 2021 18:54:08.861208916 CEST | 49730 | 443 | 192.168.2.6 | 52.97.201.82
                              May 4, 2021 18:54:08.861330986 CEST | 49729 | 443 | 192.168.2.6 | 52.97.150.2
                              May 4, 2021 18:54:08.861331940 CEST | 49731 | 443 | 192.168.2.6 | 52.97.201.82

                              UDP Packets

                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              May 4, 2021 18:52:22.970918894 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:23.019690037 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:23.403167009 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:23.463300943 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:24.167635918 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:24.216428041 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:24.945031881 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:24.996774912 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:26.020801067 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:26.069710016 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:27.312602997 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:27.361246109 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:28.160480022 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:28.209218025 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:29.012883902 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:29.072856903 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:29.475900888 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:29.690892935 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:29.991524935 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:30.040215015 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:52:30.890821934 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:52:30.939558983 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:53:22.466109037 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:53:22.523046017 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:53:23.511240959 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:53:23.568932056 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:53:49.129221916 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:53:49.194948912 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:53:49.752892971 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:53:49.804584980 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:53:52.110009909 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:53:52.170139074 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:02.225565910 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:02.287480116 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:05.205369949 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:05.264559984 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:06.474169970 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:06.525335073 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:07.356297970 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:07.405424118 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:07.588264942 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:07.637008905 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:25.366008043 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:25.414696932 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:32.429203033 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:33.435081959 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:33.497840881 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:35.170659065 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:35.219465971 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:36.184983969 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:36.233985901 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:37.201193094 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:37.249866962 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:39.216440916 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:39.265095949 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:40.336675882 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:40.486478090 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:41.825098038 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:42.024085999 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:42.507457018 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:42.566903114 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
                              May 4, 2021 18:54:43.000472069 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
                              May 4, 2021 18:54:43.051908016 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6

                              DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 4, 2021 18:54:06.474169970 CEST | 192.168.2.6 | 8.8.8.8 | 0xc384 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
May 4, 2021 18:54:07.356297970 CEST | 192.168.2.6 | 8.8.8.8 | 0x97c4 | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
May 4, 2021 18:54:07.588264942 CEST | 192.168.2.6 | 8.8.8.8 | 0x3bca | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)

                              DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 4, 2021 18:53:49.194948912 CEST | 8.8.8.8 | 192.168.2.6 | 0x7009 | No error (0) | prda.aadg.msidentity.com | www.tm.a.prd.aadg.akadns.net | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST | 8.8.8.8 | 192.168.2.6 | 0xc384 | No error (0) | outlook.com | - | 40.97.128.194 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST | 8.8.8.8 | 192.168.2.6 | 0xc384 | No error (0) | outlook.com | - | 40.97.156.114 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST | 8.8.8.8 | 192.168.2.6 | 0xc384 | No error (0) | outlook.com | - | 40.97.153.146 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST | 8.8.8.8 | 192.168.2.6 | 0xc384 | No error (0) | outlook.com | - | 40.97.161.50 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST | 8.8.8.8 | 192.168.2.6 | 0xc384 | No error (0) | outlook.com | - | 40.97.116.82 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST | 8.8.8.8 | 192.168.2.6 | 0xc384 | No error (0) | outlook.com | - | 40.97.160.2 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST | 8.8.8.8 | 192.168.2.6 | 0xc384 | No error (0) | outlook.com | - | 40.97.148.226 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:06.525335073 CEST | 8.8.8.8 | 192.168.2.6 | 0xc384 | No error (0) | outlook.com | - | 40.97.164.146 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST | 8.8.8.8 | 192.168.2.6 | 0x97c4 | No error (0) | www.outlook.com | outlook.office365.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST | 8.8.8.8 | 192.168.2.6 | 0x97c4 | No error (0) | outlook.office365.com | outlook.ha.office365.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST | 8.8.8.8 | 192.168.2.6 | 0x97c4 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST | 8.8.8.8 | 192.168.2.6 | 0x97c4 | No error (0) | outlook.ms-acdc.office.com | HHN-efz.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST | 8.8.8.8 | 192.168.2.6 | 0x97c4 | No error (0) | HHN-efz.ms-acdc.office.com | - | 52.97.150.2 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST | 8.8.8.8 | 192.168.2.6 | 0x97c4 | No error (0) | HHN-efz.ms-acdc.office.com | - | 40.101.137.18 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST | 8.8.8.8 | 192.168.2.6 | 0x97c4 | No error (0) | HHN-efz.ms-acdc.office.com | - | 52.97.233.18 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:07.405424118 CEST | 8.8.8.8 | 192.168.2.6 | 0x97c4 | No error (0) | HHN-efz.ms-acdc.office.com | - | 40.101.137.50 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST | 8.8.8.8 | 192.168.2.6 | 0x3bca | No error (0) | outlook.office365.com | outlook.ha.office365.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST | 8.8.8.8 | 192.168.2.6 | 0x3bca | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST | 8.8.8.8 | 192.168.2.6 | 0x3bca | No error (0) | outlook.ms-acdc.office.com | FRA-efz.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST | 8.8.8.8 | 192.168.2.6 | 0x3bca | No error (0) | FRA-efz.ms-acdc.office.com | - | 52.97.201.82 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST | 8.8.8.8 | 192.168.2.6 | 0x3bca | No error (0) | FRA-efz.ms-acdc.office.com | - | 52.97.144.2 | A (IP address) | IN (0x0001)
May 4, 2021 18:54:07.637008905 CEST | 8.8.8.8 | 192.168.2.6 | 0x3bca | No error (0) | FRA-efz.ms-acdc.office.com | - | 52.97.170.34 | A (IP address) | IN (0x0001)

                              HTTP Request Dependency Graph

                              • outlook.com

                              HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49726 | 40.97.128.194 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
Timestamp | kBytes transferred | Direction | Data
May 4, 2021 18:54:06.690716028 CEST | 1192 | OUT | GET /login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk HTTP/1.1
                              Accept: text/html, application/xhtml+xml, image/jxr, */*
                              Accept-Language: en-US
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                              Accept-Encoding: gzip, deflate
                              Host: outlook.com
                              Connection: Keep-Alive
May 4, 2021 18:54:06.838143110 CEST | 1192 | IN | HTTP/1.1 301 Moved Permanently
                              Cache-Control: no-cache
                              Pragma: no-cache
                              Location: https://outlook.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk
                              Server: Microsoft-IIS/10.0
                              request-id: 8a3df280-21c9-49ae-91ea-af755b4bfa8a
                              X-FEServer: DM5PR2201CA0020
                              X-RequestId: 90931448-0ba3-4c8d-8c41-ca4c654f378b
                              X-Powered-By: ASP.NET
                              X-FEServer: DM5PR2201CA0020
                              Date: Tue, 04 May 2021 16:54:06 GMT
                              Connection: close
                              Content-Length: 0
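The request above is the only HTTP exchange in the capture: the injected 32-bit iexplore.exe sends a GET with a long pseudo-directory path containing `_2B` and `_2F` tokens and a random-looking `.gfk` extension to outlook.com, a legitimate Microsoft host (the DNS answers resolve it through the ordinary Office 365 CNAME chain), and receives that host's generic HTTP-to-HTTPS 301 to the same path from a Microsoft IIS front end. The report does not show whether the redirect was followed. The following is an added example, not code from the report, from Joe Security or from the malware's authors: it normalises the captured path the way public ISFB/Ursnif write-ups describe the beacon format (random `/` splits removed, `_2B`/`_2F`/`_3D` restored to `+`/`/`/`=`, base64 padding restored) and checks whether the result is a block-aligned blob rather than text. The assumptions are labelled in the code: that the two leading word segments are a fixed prefix and not data, that the extension is not data, and that the escape table is the documented one. The decoded bytes remain ciphertext; decrypting them needs the server key from the extracted configuration, which this page does not print.

```python
"""Added example: decode the ISFB/Ursnif-style beacon URI captured above.

Not from the report or the malware authors. Assumptions are marked below.
"""
import base64
import re

# Request line copied verbatim from the report's HTTP Packets table.
CAPTURED_REQUEST = (
    "GET /login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/"
    "t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/"
    "y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/"
    "r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk HTTP/1.1"
)

# Constructed benign request for comparison (not from the report).
BENIGN_REQUEST = "GET /owa/auth/logon.aspx?replaceCurrent=1 HTTP/1.1"

# ISFB percent-encodes the non-URL-safe base64 characters and swaps "%" for "_"
# (assumption: the escape table as described in public ISFB analyses).
ESCAPES = {"_2B": "+", "_2F": "/", "_3D": "="}
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+$")
# ISFB's transport cipher (Serpent in CBC mode per public analyses) has 128-bit blocks.
BLOCK_SIZE = 16


def request_path(request_line):
    """Return the path of an HTTP request line without its query string."""
    _method, target, _version = request_line.split(" ", 2)
    return target.split("?", 1)[0]


def isfb_decode(path, prefix_segments=2):
    """Join the pseudo-directories, undo the escapes and base64-decode.

    Returns the raw bytes, or None when the path does not carry valid base64.
    prefix_segments is the assumed number of fixed leading words ("login/greed").
    """
    segments = [s for s in path.split("/") if s]
    if len(segments) <= prefix_segments:
        return None
    # Removing the slashes re-joins escapes that were split across segments,
    # e.g. "..._2B_/2F..." becomes "_2B_2F".
    data = "".join(segments[prefix_segments:])
    # Assumption: the trailing ".gfk"-style extension is decoration, not data.
    data = data.rsplit(".", 1)[0]
    for escape, char in ESCAPES.items():
        data = data.replace(escape, char)
    data = data.rstrip("=")
    if not B64_ALPHABET.match(data) or len(data) % 4 == 1:
        return None
    data += "=" * (-len(data) % 4)  # ISFB strips padding; restore it
    try:
        return base64.b64decode(data)
    except ValueError:
        return None


def looks_like_isfb_beacon(path, min_segments=6):
    """Heuristic: many pseudo-directories, ISFB escapes present, and a decoded
    payload whose length is a whole number of cipher blocks."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < min_segments:
        return False
    joined = path.replace("/", "")
    if not any(escape in joined for escape in ESCAPES):
        return False
    blob = isfb_decode(path)
    return blob is not None and len(blob) >= BLOCK_SIZE and len(blob) % BLOCK_SIZE == 0


if __name__ == "__main__":
    for line in (CAPTURED_REQUEST, BENIGN_REQUEST):
        path = request_path(line)
        blob = isfb_decode(path)
        print(f"{path[:48]:48} beacon={looks_like_isfb_beacon(path)} "
              f"payload={len(blob) if blob else 0} bytes")
```

On the captured request the path normalises to 214 base64 characters and decodes to 160 bytes, a multiple of the 16-byte block size, which is consistent with block-cipher ciphertext but is not proof on its own; a benign Outlook Web App path fails the heuristic. A 16-byte-aligned blob behind a `.gfk`-style extension on a host that answers with a plain 301 is the pattern to hunt for in proxy logs, since the Host header is a legitimate domain and will not be on any blocklist.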


                              Code Manipulations

                              Statistics

                              Behavior


                              System Behavior

General

Start time: 18:52:30
Start date: 04/05/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll'
Imagebase: 0xa50000
File size: 116736 bytes
MD5 hash: 542795ADF7CC08EFCF675D65310596E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:52:30
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:52:30
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
Imagebase: 0x1040000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:52:30
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Imagebase: 0x1040000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 18:52:33
Start date: 04/05/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply
Imagebase: 0x1040000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:54:04
Start date: 04/05/2021
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff721e20000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:54:04
Start date: 04/05/2021
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2
Imagebase: 0x40000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
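Two things in the process list matter for detection engineering. First, loaddll32.exe is Joe Sandbox's own loader: it enumerates the DLL's exports and runs each one through rundll32.exe, which is why `Enterbeen`, `Multiply` and the ordinal `#1` all appear; in a real infection the loader and the chosen export depend on the delivery chain. Second, the Yara hits sit only in the `#1` rundll32 process, and about ninety seconds later a 64-bit iexplore.exe starts with `-Embedding` (COM activation) followed by its 32-bit content process, which is the process that then sends the HTTP request. The following added example, not code from the report or from any vendor tool, turns these records into a triage rule set: it parses rundll32 command lines (the report renders double quotes as single quotes, which the regex tolerates), flags DLLs loaded from user-writable paths and exports called by ordinal, and reports a COM-activated browser only when such a rundll32 event is present in the same trace. The process records are constructed from the General blocks above; the path classification lists are the example's own assumptions.

```python
"""Added example: triage the System Behavior records for the rundll32 / browser
pattern shown in this report. Not from the report or from Joe Security."""
import re

# Constructed from the report's General blocks (quotes as Joe Sandbox renders them).
PROCESSES = [
    {"path": r"C:\Windows\System32\loaddll32.exe",
     "cmd": r"loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll'"},
    {"path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1"},
    {"path": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen"},
    {"path": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1"},
    {"path": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply"},
    {"path": r"C:\Program Files\internet explorer\iexplore.exe",
     "cmd": r"'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding"},
    {"path": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
     "cmd": r"'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2"},
]

# Assumption: these roots are treated as trusted install locations; anything
# under a profile, AppData, Temp or ProgramData counts as user-writable.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")
USER_WRITABLE_MARKERS = ("c:\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# rundll32 takes "<dll>,<export>" where the DLL may be quoted and the export may
# be a name or an ordinal such as #1.
RUNDLL32_ARG = re.compile(
    r"""rundll32\.exe\s+['"]?(?P<dll>[^'",]+?)['"]?\s*,\s*(?P<export>\S+)""",
    re.IGNORECASE,
)


def parse_rundll32(cmd):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    match = RUNDLL32_ARG.search(cmd)
    if not match:
        return None
    return match.group("dll"), match.group("export")


def is_user_writable(path):
    """True when the path is outside the trusted roots and inside a writable area."""
    lowered = path.lower()
    if lowered.startswith(TRUSTED_ROOTS):
        return False
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def triage(processes):
    """Return (finding_kind, command_line) pairs for the suspicious records."""
    findings = []
    com_browsers = []
    for rec in processes:
        image = rec["path"].lower().rsplit("\\", 1)[-1]
        if image == "rundll32.exe":
            parsed = parse_rundll32(rec["cmd"])
            if parsed is None:
                continue
            dll, export = parsed
            if is_user_writable(dll):
                findings.append(("rundll32_user_writable_dll", rec["cmd"]))
            if export.startswith("#"):
                findings.append(("rundll32_ordinal_export", rec["cmd"]))
        elif image == "iexplore.exe" and "-embedding" in rec["cmd"].lower():
            com_browsers.append(rec["cmd"])
    # A COM-activated browser is ordinary on its own; next to a rundll32 that
    # loaded a DLL from the user profile it is the injection target to examine.
    if findings:
        findings.extend(("browser_com_activation", cmd) for cmd in com_browsers)
    return findings


if __name__ == "__main__":
    for kind, cmd in triage(PROCESSES):
        print(f"{kind:28} {cmd}")
```

Run against the records above this yields three user-writable DLL loads, one ordinal export and one COM-activated browser; the cmd.exe record is not counted because it is classified by image name, not by the text of its arguments, and the 32-bit iexplore.exe content process (SCODEF/CREDAT) is left to the HTTP evidence. In production the same three rules map directly onto Sysmon event 1 or Windows 4688 fields, and the browser correlation should be bounded by a time window rather than by "same trace".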

                              Disassembly

                              Code Analysis
