
Windows Analysis Report 5.dll

Overview

General Information

Sample Name: 5.dll
Analysis ID: 445164
MD5: fceb6a51be4205d11be1491f6e263cae
SHA1: 0abb60d37fac49912172c5385ff58e049520eb53
SHA256: c521dd937ce9b2e8bda2fa915bae5b5be0e150a8b82e3b2bfb1cdbc60a8326c4
Tags: dll

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 2248 cmdline: loaddll32.exe 'C:\Users\user\Desktop\5.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5484 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 452 cmdline: rundll32.exe 'C:\Users\user\Desktop\5.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1716 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2940 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,Dogwhen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3904 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5580 cmdline: rundll32.exe C:\Users\user\Desktop\5.dll,Wholegray MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 1900 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3220 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5264 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17418 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD",
  "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"],
  "botnet": "8877",
  "server": "12",
  "serpent_key": "30218409ILPAJDUR",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}
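The configuration above can be triaged mechanically, and one detail matters for anyone turning it into blocklist entries: the first c2_domain entry, outlook.com, is the host the captured beacon was actually sent to (see the Host header in the Networking section), a pattern seen across Ursnif/ISFB configurations where a high-reputation domain is listed alongside the real C2 names. The Python below is an added example for this page, not Joe Sandbox or Ursnif code; the function names are the example's own, and KNOWN_GOOD is a stand-in for a domain-reputation lookup and is an assumption of the example. It separates that decoy entry from the attacker domains, records that the serpent_key is 16 bytes (Serpent-128), and shows that the RSA key field decodes to a 144-byte raw blob rather than DER, so it cannot be handed to openssl as-is.

```python
"""Triage the Ursnif configuration extracted from 5.dll.

Added example (not part of the Joe Sandbox report, not vendor code).
KNOWN_GOOD stands in for a domain-reputation feed and is an assumption
of this example; in production resolve it from your own allowlist.
"""
import base64
import json

# Copied from the Malware Configuration section of the report.
CONFIG_JSON = (
    '{"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", '
    '"c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], '
    '"botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", '
    '"sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", '
    '"DGA_count": "10"}'
)

# Assumption of this example: a tiny allowlist in place of a reputation lookup.
KNOWN_GOOD = {"outlook.com", "microsoft.com", "google.com"}


def parse_config(text: str) -> dict:
    """Parse the extractor output and require the fields the rest relies on."""
    cfg = json.loads(text)
    for key in ("c2_domain", "serpent_key", "RSA Public Key", "botnet"):
        if key not in cfg:
            raise ValueError(f"config is missing {key!r}")
    return cfg


def split_c2(cfg: dict, known_good: set = KNOWN_GOOD) -> tuple[list, list]:
    """Return (decoys, actionable).

    The bot beacons to the high-reputation entry with the same URI scheme it
    uses for the real C2 (hence the Snort hits on a Microsoft IP in this
    report). Block the actionable names; treat the decoy as a detection
    opportunity, not as attacker infrastructure.
    """
    decoys = [d for d in cfg["c2_domain"] if d.lower() in known_good]
    actionable = [d for d in cfg["c2_domain"] if d.lower() not in known_good]
    return decoys, actionable


def check_keys(cfg: dict) -> dict:
    """Describe the cryptographic material so an analyst knows its limits."""
    skey = cfg["serpent_key"].encode()
    blob = base64.b64decode(cfg["RSA Public Key"])
    return {
        "serpent_key_bits": len(skey) * 8,               # 16 ASCII bytes -> Serpent-128
        "serpent_key_valid": len(skey) in (16, 24, 32),  # standard Serpent key sizes
        "rsa_blob_len": len(blob),
        # A DER SubjectPublicKeyInfo starts with a SEQUENCE tag (0x30); this
        # blob does not, so it is a bot-specific raw layout, not a PEM/DER key.
        "rsa_blob_is_der": blob[:1] == b"\x30",
    }


def to_iocs(cfg: dict) -> list[dict]:
    """Blocklist rows for the attacker domains, tagged with the campaign IDs."""
    _, actionable = split_c2(cfg)
    tag = f"ursnif botnet={cfg['botnet']} server={cfg.get('server', '?')}"
    rows = [{"type": "domain", "value": d, "tag": tag} for d in actionable]
    # A non-zero DGA_count means the bot also generates domains itself, so the
    # static list is a floor for blocking, not the full C2 set.
    if int(cfg.get("DGA_count", "0")) > 0:
        rows.append({"type": "note", "value": f"DGA_count={cfg['DGA_count']}", "tag": tag})
    return rows


if __name__ == "__main__":
    cfg = parse_config(CONFIG_JSON)
    print("decoy / actionable:", split_c2(cfg))
    print("keys:", check_keys(cfg))
    for row in to_iocs(cfg):
        print(row)
```

Run it as-is to see the split; feed it another extractor's JSON on the same schema to reuse it. The sleep_time and CONF_TIMEOUT values are timing parameters and are deliberately left alone.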

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
(15 further matches not shown here; the full list of 20 memory-dump matches appears in the signature sections below)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000003.368989675.0000000000900000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (configuration as listed in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: 5.dll | VirusTotal: Detection: 22%
Machine Learning detection for sample
Source: 5.dll | Joe Sandbox ML: detected
Source: 5.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 5.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb | source: loaddll32.exe, rundll32.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49721 -> 40.97.116.82:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49721 -> 40.97.116.82:80
Source: Joe Sandbox View | IP Address: 52.97.144.2
Source: Joe Sandbox View | IP Address: 40.97.116.82
Source: global traffic | HTTP traffic detected:
  GET /grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa3C/uHqcEARrcPcZDk3/M6E_2BTZS_2BVaLqj4/34AYxwikF/REm_2FMb1QNTSjBFb_2F/tvRFv4olV4RM6PFjWcs/Yxi4zCvrQiijB3JFDfkmao/_2Ff4LrwOirbu/dGY1O2o_/2BPYCJyNgelsd4Jc6x2/N.grow HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: outlook.com
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: outlook.com
Source: ~DF3A99C7AD2702480D.TMP.24.dr, {BD6AF35E-DF4A-11EB-90E5-ECF4BB570DC9}.dat.24.dr | String found in binary or memory: https://outlook.office365.com/grower/GwIQZ7VTU_2B0dEDGXi3usO/98Jy_2Fhjs/9ADdwnOA_2BxxHdxk/bJ6tUkE3rK
Source: ~DFBADD8EC8FEBD51BA.TMP.24.dr, {BD6AF35C-DF4A-11EB-90E5-ECF4BB570DC9}.dat.24.dr | String found in binary or memory: https://outlook.office365.com/grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa
Source: unknown | Network traffic detected: HTTP traffic on port 443 to and from local ports 49722-49732 (11 connections, each logged in both directions)
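Why both Emerging Threats rules fired, and what the request carries: ISFB/Ursnif base64-encodes the beacon, escapes "+" as _2B and "/" as _2F (the "M1" and "M2" structures the rule names refer to), breaks the string with random "/" separators, and wraps it in a random directory word and file extension. The request went to outlook.com, the decoy entry of the configuration, which is why the alert destination is a Microsoft address (40.97.116.82) rather than attacker infrastructure; the only DNS query in the run was for outlook.com, so the two .club domains were never contacted and the network indicator from this run is the URI structure, not the destination. The same path reappears in Internet Explorer's recovery store on outlook.office365.com, i.e. the decoy host simply redirected it. The Python below is an added example, not code from the report or from any vendor; the request path is the one captured above, the two benign log lines are constructed, the function names are the example's own, and the 16-byte block check is only a consistency check against the Serpent key in the configuration, not a decryption.

```python
"""Normalise and triage ISFB/Ursnif-style beacon URIs.

Added example, not part of the Joe Sandbox report. The only real input is
the GET path captured from the sample; the other log lines are constructed.
"""
import base64
import binascii
import re
from typing import Optional

SAMPLE_PATH = (
    "/grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa3C/"
    "uHqcEARrcPcZDk3/M6E_2BTZS_2BVaLqj4/34AYxwikF/REm_2FMb1QNTSjBFb_2F/"
    "tvRFv4olV4RM6PFjWcs/Yxi4zCvrQiijB3JFDfkmao/_2Ff4LrwOirbu/dGY1O2o_/"
    "2BPYCJyNgelsd4Jc6x2/N.grow"
)

# Request lines as a proxy or IDS would log them (constructed, except the first).
LOG_LINES = [
    "GET " + SAMPLE_PATH + " HTTP/1.1",
    "GET /images/logo_2x.png HTTP/1.1",
    "GET /api/v2/search?q=a_2Fb HTTP/1.1",
]

# /<word>/<two or more slash-separated chunks of base64-with-escapes>.<ext>
_URI_SHAPE = re.compile(
    r"^/[A-Za-z0-9]+/(?:[A-Za-z0-9_]+/)+[A-Za-z0-9_]+\.[A-Za-z0-9]{2,5}$"
)


def normalise_beacon_path(path: str) -> Optional[str]:
    """Collapse an ISFB-style path back to its base64 blob, or return None.

    The '_2B'/'_2F' escapes may straddle a separator (note '...o_/2BP...' in
    the sample), so the chunks are re-joined before the escapes are undone.
    """
    if not _URI_SHAPE.match(path):
        return None
    parts = path.strip("/").split("/")
    stem = parts[-1].rsplit(".", 1)[0]          # file name without extension is data too
    blob = "".join(parts[1:-1]) + stem          # drop the directory word, re-join chunks
    blob = blob.replace("_2B", "+").replace("_2F", "/")
    if "_" in blob:                             # stray underscore: not this encoding
        return None
    blob += "=" * (-len(blob) % 4)              # restore padding if the bot stripped it
    try:
        base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    return blob


def decode_beacon(path: str) -> Optional[bytes]:
    """Raw (still Serpent-encrypted) beacon bytes, or None if the path does not fit."""
    blob = normalise_beacon_path(path)
    return base64.b64decode(blob) if blob is not None else None


def triage(lines: list[str], require_escape: bool = True) -> list[dict]:
    """Flag request lines with the beacon structure.

    require_escape mirrors the ET rules, which key on '_2B' (M1) or '_2F'
    (M2): short blobs without either character are missed, but ordinary
    static paths such as /static/js/app.js are not flagged.
    """
    hits = []
    for line in lines:
        try:
            _method, path, _version = line.split(" ", 2)
        except ValueError:
            continue
        if require_escape and "_2B" not in path and "_2F" not in path:
            continue
        raw = decode_beacon(path)
        if raw is None:
            continue
        hits.append({
            "path": path,
            "m1_plus": "_2B" in path,             # ET 2033203, URI Struct M1
            "m2_slash": "_2F" in path,            # ET 2033204, URI Struct M2
            "payload_len": len(raw),
            "block_aligned": len(raw) % 16 == 0,  # consistent with Serpent's 16-byte block
        })
    return hits


if __name__ == "__main__":
    for hit in triage(LOG_LINES):
        print(hit)
```

The captured path collapses to a 192-character base64 string, i.e. 144 bytes, a whole number of 16-byte Serpent blocks, which is the consistency check that tells you the normalisation was done right before you spend time on the key. Decrypting the blob needs a Serpent implementation and the serpent_key from the configuration; that is deliberately out of scope here.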

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same 20 memory-dump and process-memory matches listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDC1A44 NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDC1996 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDC23A5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A75A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A7B1A5 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDC2184, 0_2_6DDE17B0, 0_2_6DDF05E5, 0_2_6DDF0DB8, 0_2_6DDFBE61, 0_2_6DDF4E00, 0_2_6DE009C8, 0_2_6DDF88B7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A7888E, 3_2_02A73EE1, 3_2_02A7AF80, 3_2_6DDE17B0, 3_2_6DDF05E5, 3_2_6DDF0DB8, 3_2_6DDFBE61, 3_2_6DDF4E00, 3_2_6DE009C8, 3_2_6DDF88B7
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6DDF3290 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6DDF3290 appears 39 times
Source: classification engine | Classification label: mal84.troj.winDLL@18/7@6/5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A7A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BD6AF35A-DF4A-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF48F8DB99852E5824.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Sing
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Wholegray
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17418 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator, the COM object behind the StdRegProv calls above)
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK (4 times)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDC1BAC LoadLibraryA,GetProcAddress,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDC2173 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDC2120 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDEDE07 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDF32D5 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DE1C347 push eax; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DE1C400 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A7E0C7 push cs; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A7E458 push ds; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A7ABC0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A7E163 push edx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A7AF6F push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6DDEDE07 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6DDF32D5 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6DE1C400 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6DE1C347 push eax; ret
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
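The static lines in this report (32BIT_MACHINE, EXECUTABLE_IMAGE, DLL; DYNAMIC_BASE, NX_COMPAT; section names UPX0 and UPX1) come straight from the COFF header, the optional header and the section table. A reading aid for the code-function addresses alongside them: the 0_2_6DDxxxxx and 3_2_6DDxxxxx entries lie inside the mapped 5.dll image, and the CRT-named helpers there (___crtIsPackagedApp, __invoke_watson, ___crtGetLocaleInfoA) are statically linked Visual C++ runtime code, which is also what the IsDebuggerPresent/OutputDebugStringW chain at 0_2_6DDFAFAC belongs to; the 3_2_02A7xxxx entries, which hold the cpuid, CreateToolhelp32Snapshot and NtOpenProcessToken calls, sit in memory rundll32.exe obtained at run time, consistent with a second stage the loader placed there after the image was mapped. The Python below is an added example, not the sandbox's code: a pure-Python header reader that produces those static facts for any PE file. Because the sample itself is not on this page, build_sample_pe() fabricates a minimal header with the same characteristics; the function names are the example's own. Caveat: UPX0/UPX1 only tells you the packer did not rename its sections, so a packed build with renamed sections needs an entropy check rather than a name match.

```python
"""Report the static PE facts the sandbox lists, from the raw headers.

Added example, not Joe Sandbox code. build_sample_pe() fabricates a minimal
header with the same characteristics as 5.dll; pass a real file path on the
command line to inspect an actual binary.
"""
import struct
import sys

IMAGE_NT_SIGNATURE = b"PE\0\0"
FILE_FLAGS = [            # IMAGE_FILE_* characteristics, in the report's order
    (0x0100, "32BIT_MACHINE"),
    (0x0002, "EXECUTABLE_IMAGE"),
    (0x2000, "DLL"),
]
DLL_FLAGS = [             # IMAGE_DLLCHARACTERISTICS_*
    (0x0040, "DYNAMIC_BASE"),   # ASLR opt-in
    (0x0100, "NX_COMPAT"),      # DEP opt-in
]
PACKER_SECTIONS = ("UPX0", "UPX1", "UPX2")


def static_pe_info(data: bytes) -> dict:
    """Parse DOS, COFF, optional and section headers; no code sections are read."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    machine, nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)           # 0x10B PE32, 0x20B PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt_off + 70)  # same offset in both formats
    sec_off = opt_off + opt_size
    names = []
    for i in range(nsec):
        (raw,) = struct.unpack_from("<8s", data, sec_off + 40 * i)
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": hex(machine),                     # 0x14c = i386
        "pe32plus": magic == 0x20B,
        "characteristics": [n for bit, n in FILE_FLAGS if chars & bit],
        "dll_characteristics": [n for bit, n in DLL_FLAGS if dll_chars & bit],
        "sections": names,
        "upx_section_names": any(n in PACKER_SECTIONS for n in names),
    }


def build_sample_pe() -> bytes:
    """Constructed header only (no code): i386 DLL, ASLR+DEP, UPX0/UPX1 sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 224, 0x2102)  # i386, 2 sections, EXE|32BIT|DLL
    opt = bytearray(224)                                           # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100)               # DYNAMIC_BASE | NX_COMPAT
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0xE0000080)
        for i, name in enumerate((b"UPX0", b"UPX1"))
    )
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + secs


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in static_pe_info(data).items():
        print(f"{key}: {value}")
```

The DllCharacteristics field sits at the same offset (70) in PE32 and PE32+ optional headers because PE32+ drops the 4-byte BaseOfData and widens ImageBase by 4, so the reader does not need to branch on the magic value for that field.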

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | the same 20 memory-dump and process-memory matches listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (17 times across the rundll32.exe instances)
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDFAFAC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DE1E2D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DE1E207 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DE1DE0E push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6DE1E2D8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6DE1E207 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6DE1DE0E push dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDF3484 GetProcessHeap,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6DDEFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6DDEFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp | Binary or memory strings: Shell_TrayWnd; Progman; SProgram Managerl; Shell_TrayWnd,; Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_02A79135 cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Windows\System32\loaddll32.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
            Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
            Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
            Source: C:\Windows\System32\loaddll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
            Source: C:\Windows\System32\loaddll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
            Source: C:\Windows\System32\loaddll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
            Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
            Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A79135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
            Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
            Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection12 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Security Software Discovery3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information21 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll321 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior graph (image not reproduced). Behavior Graph ID: 445164, Sample: 5.dll, Start date: 07/07/2021, Architecture: WINDOWS, Score: 84. Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Multi AV Scanner detection for submitted file, and 2 other signatures. Process tree shown in the graph: loaddll32.exe (Writes or reads registry keys via WMI; Writes registry values via WMI) started rundll32.exe (Writes registry values via WMI), cmd.exe (which in turn started rundll32.exe), a second rundll32.exe and 2 other processes; iexplore.exe started two iexplore.exe children that contacted HHN-efz.ms-acdc.office.com (40.101.137.98, port 443), outlook.com (40.97.116.82, port 443), 52.97.144.2 (port 443), FRA-efz.ms-acdc.office.com (52.97.152.210, port 443) and 9 other IPs or domains, all MICROSOFT-CORP-MSN-AS-BLOCKUS, United States.


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            5.dll | 22% | Virustotal |
            5.dll | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            0.2.loaddll32.exe.c30000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
            3.2.rundll32.exe.2a70000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            outlook.com | 40.97.116.82 | true | false | | high
            HHN-efz.ms-acdc.office.com | 40.101.137.98 | true | false | | high
            FRA-efz.ms-acdc.office.com | 52.97.152.210 | true | false | | high
            www.outlook.com | unknown | unknown | false | | high
            outlook.office365.com | unknown | unknown | false | | high

                      URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://outlook.office365.com/grower/GwIQZ7VTU_2B0dEDGXi3usO/98Jy_2Fhjs/9ADdwnOA_2BxxHdxk/bJ6tUkE3rK | ~DF3A99C7AD2702480D.TMP.24.dr, {BD6AF35E-DF4A-11EB-90E5-ECF4BB570DC9}.dat.24.dr | false | | high

                        Contacted IPs


                        Public

                        IP | Domain | Country | ASN | ASN Name | Malicious
                        40.101.137.98 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                        52.97.152.210 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                        52.97.144.2 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                        52.97.233.2 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                        40.97.116.82 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

                        General Information

                        Joe Sandbox Version: 32.0.0 Black Diamond
                        Analysis ID: 445164
                        Start date: 07.07.2021
                        Start time: 10:40:23
                        Joe Sandbox Product: CloudBasic
                        Overall analysis duration: 0h 8m 59s
                        Hypervisor based Inspection enabled: false
                        Report type: light
                        Sample file name: 5.dll
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of new started processes analysed: 31
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Detection: MAL
                        Classification: mal84.troj.winDLL@18/7@6/5
                        EGA Information: Failed
                        HDC Information:
                        • Successful, ratio: 13.4% (good quality ratio 12.6%)
                        • Quality average: 78.7%
                        • Quality standard deviation: 29.5%
                        HCA Information:
                        • Successful, ratio: 69%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .dll
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, conhost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe
                        • TCP Packets have been reduced to 100
                        • Excluded IPs from analysis (whitelisted): 13.88.21.125, 168.61.161.212, 131.253.33.200, 13.107.22.200, 92.122.145.220, 13.64.90.137, 52.255.188.83, 13.107.5.88, 13.107.43.23, 23.35.236.56, 40.88.32.150, 20.82.210.154, 23.203.80.193, 23.216.77.209, 152.199.19.161
                        • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, config-edge-skype.l-0014.l-msedge.net, l-0014.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, l-0014.dc-msedge.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, ie9comview.vo.msecnd.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, dual-a-0001.dc-msedge.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net
                        • Not all processes were analyzed; the report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtOpenKeyEx calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        10:42:35 | API Interceptor | 1x Sleep call for process: rundll32.exe modified

                        Joe Sandbox View / Context

                        IPs


                                                                                  Domains

                                                                                  oS4iWYYsx7.exeGet hashmaliciousBrowse
                                                                                  • 104.47.53.36
                                                                                  P4SRvI1baM.exeGet hashmaliciousBrowse
                                                                                  • 104.47.54.36
                                                                                  051y0i7M8q.exeGet hashmaliciousBrowse
                                                                                  • 40.93.207.0
                                                                                  lEbR9gFgLr.exeGet hashmaliciousBrowse
                                                                                  • 104.47.54.36
                                                                                  0OvBoFRzgC.exeGet hashmaliciousBrowse
                                                                                  • 104.47.54.36
                                                                                  A1qhcbngFV.exeGet hashmaliciousBrowse
                                                                                  • 104.47.54.36

ASN

Match | Associated Sample Name / URL | Detection | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | sud-life-mobcast.apk | malicious | 104.45.180.93
MICROSOFT-CORP-MSN-AS-BLOCKUS | sud-life-outwork.apk | malicious | 104.45.180.93
MICROSOFT-CORP-MSN-AS-BLOCKUS | Flwphoptcdyxlxhpejlfjgmsyzqkhoqweu.exe | malicious | 20.80.30.45
MICROSOFT-CORP-MSN-AS-BLOCKUS | 2790000.dll | malicious | 40.101.136.2
MICROSOFT-CORP-MSN-AS-BLOCKUS | 2770174.dll | malicious | 40.101.136.2
MICROSOFT-CORP-MSN-AS-BLOCKUS | 60e40fb428612.dll | malicious | 52.97.201.18
MICROSOFT-CORP-MSN-AS-BLOCKUS | 9cYXsscTTT.exe | malicious | 104.42.151.234
MICROSOFT-CORP-MSN-AS-BLOCKUS | TestTakerSBBrowser.exe | malicious | 137.117.66.167
MICROSOFT-CORP-MSN-AS-BLOCKUS | mJSDCeNxFi.exe | malicious | 40.88.32.150
MICROSOFT-CORP-MSN-AS-BLOCKUS | oEE058tCoG.exe | malicious | 40.93.212.0
MICROSOFT-CORP-MSN-AS-BLOCKUS | zHUScMPOlZ.dll | malicious | 40.97.116.82
MICROSOFT-CORP-MSN-AS-BLOCKUS | hsIF8b0YX1.msi | malicious | 191.235.71.131
MICROSOFT-CORP-MSN-AS-BLOCKUS | x86_x64_setup.exe | malicious | 104.43.193.48
MICROSOFT-CORP-MSN-AS-BLOCKUS | h3hlbLDpl8.exe | malicious | 13.64.90.137
MICROSOFT-CORP-MSN-AS-BLOCKUS | PAYMENT.HTML | malicious | 13.71.84.154
MICROSOFT-CORP-MSN-AS-BLOCKUS | JOB-in.line e.K.- Purchase Order 19600396 & 19600397.xlsx.exe | malicious | 13.82.24.228
MICROSOFT-CORP-MSN-AS-BLOCKUS | y3sBoQe6u7.exe | malicious | 52.170.189.162
MICROSOFT-CORP-MSN-AS-BLOCKUS | NC46O8xw5Z.exe | malicious | 52.170.189.162
MICROSOFT-CORP-MSN-AS-BLOCKUS | input.06.21.doc | malicious | 52.109.32.41
MICROSOFT-CORP-MSN-AS-BLOCKUS | PaymentConfirmation.pdf.exe | malicious | 13.90.75.180

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BD6AF35A-DF4A-11EB-90E5-ECF4BB570DC9}.dat
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:Microsoft Word Document
Category:dropped
Size (bytes):50344
Entropy (8bit):2.003853863777815
Encrypted:false
SSDEEP:96:ryZlZW2OWEtfbfOq5KMvhqUhQAoxhHS7c3MVs7c8w7Uksw7UONvjaUntvHaaI1v8:ryZlZW2OWEtDfONMgbzJMj/N1tw/o7og
MD5:1B2C08B04283EF2331ACDE91B8BBCB4D
SHA1:43A807C8569A26885E912103F9D6D63547638D07
SHA-256:77E5A7867B6DA6BC138D8896ACB6DE61361F526F8CA51CE601A9E68DC95E6992
SHA-512:9FA7CD627AAEC7EF1B91992798BE68E7E8FA91E5D9390CD925E2E8457F3EF83B37C7EFCD81CDF11BA26FFBEE205828C74B771815C9A970451DC2178837BE0C59
Malicious:false
Reputation:low
                                                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BD6AF35C-DF4A-11EB-90E5-ECF4BB570DC9}.dat
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:Microsoft Word Document
Category:dropped
Size (bytes):27384
Entropy (8bit):1.848069425899241
Encrypted:false
SSDEEP:96:rBZqQ+6sBSdj32DWuMyywBSlHGd9sRwBSlHGd9gSlZA:rBZqQ+6skdj32DWuMyyw2HK+Rw2HKLZA
MD5:ABBBABDCEF013C7360EF262DA94D0BB1
SHA1:7886E7C0D416567109ED45A58EB4C63AEC4DA13D
SHA-256:5F82BCE7575218FED78D6771274A7CE3F2F9450019B37CA1A44043E2DE1B67AD
SHA-512:8291D7D23C35B5B0F5B6A61C70D230968DBD70E0E1700EBC282F4B3F5291DBC87FEB2363F03A2E152C70AC4ADF2691F1F493798A41BB960CD8A6D3EF3CC31B24
Malicious:false
                                                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BD6AF35E-DF4A-11EB-90E5-ECF4BB570DC9}.dat
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:Microsoft Word Document
Category:dropped
Size (bytes):27376
Entropy (8bit):1.8498140810925014
Encrypted:false
SSDEEP:96:rnZfQj6tBSHjp2BWBMXa6lBlfcFXgxlBlfcFXAl4A:rnZfQj6tkHjp2BWBMXa6lzfHxlzfb4A
MD5:E314AEEF8885724C4F91A74CBF288AAE
SHA1:C299E34AFACD5E67A2748443AE4F3D71D1213174
SHA-256:3DC9BB6E88346FF7285AA2B7BE18C8FA94331C42DD48253FBC3436DFB8BF4F00
SHA-512:5F8250CF15954ABC4BB60ACB1ACF7952D010260D8235530CE4EFD02F30391E33C9E2F50CB2997E1F86CD442A7F660D2FF01C482CEF93D11C50606E1598ECECB9
Malicious:false
                                                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):89
Entropy (8bit):4.429518442893874
Encrypted:false
SSDEEP:3:oVXUdUbXIyB8JOGXnEdUbXIy6j+n:o9UVQqEVi
MD5:7551EDFC2A095038308DE03A979AEA3B
SHA1:28A3E4408ABBD841E14B80C82D712894D7480A73
SHA-256:FD0B2F23730CC3AAAFEB969CE5AFF07BAD4CA1EDA987671346FE6513CB7AFDD6
SHA-512:96F41AF45753FAFA2DAA35022B02841153EE8C98894ED530A8F16C72B5FC7774FDEF2C0A8211843F4059E613087DB806F685CE058F6B9C782AAB30614607EA12
Malicious:false
Preview: [2021/07/07 10:42:49.331] Latest deploy version: ..[2021/07/07 10:42:49.331] 11.211.2 ..
C:\Users\user\AppData\Local\Temp\~DF3A99C7AD2702480D.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Category:dropped
Size (bytes):39649
Entropy (8bit):0.5767042893555584
Encrypted:false
SSDEEP:96:kBqoxKAuvScS+NTRwzRlBlfcFX2lBlfcFX+lBlfcFX3:kBqoxKAuqR+NTRwzRlzfrlzf3lzf8
MD5:5E4E8D633EEC37451CA584FB977CD2A3
SHA1:F2FDC159F116F1F666876081CD57C21FF4D6F629
SHA-256:54912DA24BE3C7F0278AFF9A7FA3748F20BB70B7A444BB6D36219E8F5BAF910E
SHA-512:7E54E62E35EB7DF22657B5BD7374BF2634C9C0DBFFD8497175740591CB19AE20193A72555931D96A1B958AC9333606CE6D4A9264F4B10EC2A5DB786A015AF97C
Malicious:false
                                                                                  Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DF48F8DB99852E5824.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Category:dropped
Size (bytes):13237
Entropy (8bit):0.6015770581866133
Encrypted:false
SSDEEP:24:c9lLh9lLh9lIn9lIn9lo59loZ9lWN5iG5PA:kBqoIC8N5iG5PA
MD5:48DB8549900DAE5BC2552D048ED02C3F
SHA1:6C535A402C05BF8FEFC3500973D9F4393FC67277
SHA-256:3DB755B3A9C5F18FE0694056E963504C59603244F11C801A72991E62CA219BC6
SHA-512:0792497457374046404D96816FCA01748D62D3CC87FA6E5AC22B3593D55E707E89A2EE3FEA72DC7C07A6ED6D27944FF062C781B334E06C7A871A88AFBF418890
Malicious:false
                                                                                  Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\~DFBADD8EC8FEBD51BA.TMP
Process:C:\Program Files\internet explorer\iexplore.exe
File Type:data
Category:dropped
Size (bytes):39665
Entropy (8bit):0.576637477758457
Encrypted:false
SSDEEP:96:kBqoxKAuvScS+uoCLYewBSlHGd9uwBSlHGd9+wBSlHGd93:kBqoxKAuqR+uoCLYew2HK0w2HK0w2HK1
MD5:3252CDAF94741DE42A0C2C0887F7B2AA
SHA1:917057587119E9A2610A30B1F1538C94B99E6179
SHA-256:DBDD2E68C5A55AD1E178E0860709F5D0AB2205E30D8D0FF184B95D39DD820087
SHA-512:15321A223617B5C9296F57B79AAF13884F8427488F380BE084BA9A19BF9EBA0C4B0518D6D9F4D0B3EEE6C3FD31795D593F8DBD107ADB8C865CABA1F13C9B1887
Malicious:false
                                                                                  Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):7.907972335888756
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 96.66%
• UPX compressed Win32 Executable (30571/9) 2.95%
• Generic Win/DOS Executable (2004/3) 0.19%
• DOS Executable Generic (2002/1) 0.19%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:5.dll
File size:227342
MD5:fceb6a51be4205d11be1491f6e263cae
SHA1:0abb60d37fac49912172c5385ff58e049520eb53
SHA256:c521dd937ce9b2e8bda2fa915bae5b5be0e150a8b82e3b2bfb1cdbc60a8326c4
SHA512:0dd278f5499a28f3ae536fd1870cbedbfb1da34f07d9210f09b86c5167d04be4f0eb1ffbcb922d3b01afe83cf9cd9f620e5c4abf0a27a569c954e6d7cc9451e7
SSDEEP:3072:Ndmt0uTpBxy1mXhKvuE3GThWccntEvAJjHPLpvLHMwsJyV/vl5PX8J/g9vN:N85ykhKWE3UhwmMjjpvjMwskD5f8JsvN
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~@........................................D...................................................Rich............PE..L......S...

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x10facd0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x1000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5396CBB2 [Tue Jun 10 09:11:14 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: ea5307b4a63215686c0cdc83cff5fcba

Entrypoint Preview

Instruction
cmp byte ptr [esp+08h], 00000001h
jne 00007FA454D122CFh
pushad
mov esi, 010C4000h
lea edi, dword ptr [esi-000C3000h]
push edi
jmp 00007FA454D12102h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA454D120DFh
mov eax, 00000001h
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FA454D120FDh
jne 00007FA454D1211Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA454D12111h
dec eax
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FA454D120C6h
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FA454D12144h
xor ecx, ecx
sub eax, 03h
jc 00007FA454D12103h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FA454D12167h
sar eax, 1
mov ebp, eax
jmp 00007FA454D120FDh
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA454D120BEh
inc ecx
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA454D120B0h
add ebx, ebx
jne 00007FA454D120F9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FA454D120E1h
jne 00007FA454D120FBh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FA454D120D6h
add ecx, 02h
cmp ebp, 00000000h

Rich Headers

Programming Language:
• [EXP] VS2013 UPD3 build 30723
• [LNK] VS2013 UPD3 build 30723
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ASM] VS2013 build 21005
• [C++] VS2013 UPD3 build 30723
• [RES] VS2013 build 21005
• [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xfb2b4 | 0x80 | .rsrc
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xfb1dc | 0xd8 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfb000 | 0x1dc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfb334 | 0x10 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xfaebc | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xc3000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 | 0xc4000 | 0x37000 | 0x37000 | False | 0.987744140625 | data | 7.91565633635 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xfb000 | 0x1000 | 0x400 | False | 0.490234375 | data | 4.47756536718 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0xfb05c | 0x17d | XML 1.0 document text | English | United States

Imports

DLL | Import
GDI32.dll | PatBlt
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect
USER32.dll | GetWindowRect

Exports

Name | Ordinal | Address
Clockcondition | 1 | 0x1021070
Dogwhen | 2 | 0x1021fa0
Sing | 3 | 0x1022080
Wholegray | 4 | 0x1022270

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/07/21-10:42:51.274973 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49721 | 80 | 192.168.2.5 | 40.97.116.82
07/07/21-10:42:51.274973 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49721 | 80 | 192.168.2.5 | 40.97.116.82

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 7, 2021 10:42:51.090818882 CEST | 49720 | 80 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:51.090912104 CEST | 49721 | 80 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:51.272027016 CEST | 80 | 49721 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:51.272280931 CEST | 49721 | 80 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:51.272367954 CEST | 80 | 49720 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:51.272512913 CEST | 49720 | 80 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:51.274972916 CEST | 49721 | 80 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:51.455990076 CEST | 80 | 49721 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:51.456219912 CEST | 49721 | 80 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:51.456922054 CEST | 49721 | 80 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:51.494256020 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:51.636159897 CEST | 80 | 49721 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:51.676846981 CEST | 443 | 49722 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:51.680841923 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:51.827325106 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:52.014647961 CEST | 443 | 49722 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:52.014681101 CEST | 443 | 49722 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:52.014705896 CEST | 443 | 49722 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:52.014846087 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:52.014877081 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:52.081208944 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:52.093198061 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:52.265033007 CEST | 443 | 49722 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:52.265264988 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:52.278367996 CEST | 443 | 49722 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:52.278536081 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:52.376544952 CEST | 49722 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:52.559003115 CEST | 443 | 49722 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:53.386189938 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.387068033 CEST | 49724 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.435702085 CEST | 443 | 49723 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.435808897 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.436583996 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.436794996 CEST | 443 | 49724 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.436893940 CEST | 49724 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.437544107 CEST | 49724 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.486001015 CEST | 443 | 49723 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.486032963 CEST | 443 | 49723 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.486056089 CEST | 443 | 49723 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.486118078 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.486159086 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.497411013 CEST | 443 | 49724 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.497447968 CEST | 443 | 49724 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.497472048 CEST | 443 | 49724 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.497551918 CEST | 49724 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.497587919 CEST | 49724 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.499181032 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.499806881 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.506491899 CEST | 49724 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.546751022 CEST | 443 | 49723 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.547455072 CEST | 443 | 49723 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.547595978 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.549876928 CEST | 443 | 49723 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.549968958 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.550431967 CEST | 49723 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.554781914 CEST | 443 | 49724 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:53.555263996 CEST | 49724 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:53.597332954 CEST | 443 | 49723 | 40.101.137.98 | 192.168.2.5
Jul 7, 2021 10:42:54.063404083 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.063575029 CEST | 49726 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.110462904 CEST | 443 | 49725 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.110488892 CEST | 443 | 49726 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.110635042 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.112159014 CEST | 49726 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.115689993 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.116274118 CEST | 49726 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.163465977 CEST | 443 | 49725 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.163490057 CEST | 443 | 49725 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.163506031 CEST | 443 | 49725 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.163583040 CEST | 443 | 49726 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.163592100 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.163613081 CEST | 443 | 49726 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.163621902 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.163638115 CEST | 443 | 49726 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.163681030 CEST | 49726 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.163696051 CEST | 49726 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.547020912 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.547854900 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.569293022 CEST | 49726 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.600734949 CEST | 443 | 49725 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.601027966 CEST | 443 | 49725 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.601119995 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.619752884 CEST | 443 | 49726 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.619885921 CEST | 49726 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:54.623085976 CEST | 443 | 49725 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.623105049 CEST | 443 | 49725 | 52.97.233.2 | 192.168.2.5
Jul 7, 2021 10:42:54.623250961 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:56.625698090 CEST | 49727 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:56.648083925 CEST | 49728 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:56.718204975 CEST | 49720 | 80 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:56.718823910 CEST | 49724 | 443 | 192.168.2.5 | 40.101.137.98
Jul 7, 2021 10:42:56.718935013 CEST | 49726 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:56.719031096 CEST | 49725 | 443 | 192.168.2.5 | 52.97.233.2
Jul 7, 2021 10:42:56.804682970 CEST | 443 | 49727 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:56.804963112 CEST | 49727 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:56.827092886 CEST | 443 | 49728 | 40.97.116.82 | 192.168.2.5
Jul 7, 2021 10:42:56.827358007 CEST | 49728 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:56.850275040 CEST | 49728 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:56.850389004 CEST | 49727 | 443 | 192.168.2.5 | 40.97.116.82
Jul 7, 2021 10:42:57.031389952 CEST | 443 | 49728 | 40.97.116.82 | 192.168.2.5

                                                                                  UDP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
Jul 7, 2021 10:41:06.493637085 CEST  64344     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:06.543250084 CEST  53        64344     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:07.554013014 CEST  62060     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:07.600009918 CEST  53        62060     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:07.859673023 CEST  61805     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:07.922938108 CEST  53        61805     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:08.033090115 CEST  54795     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:08.084286928 CEST  53        54795     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:08.444116116 CEST  49557     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:08.490957022 CEST  53        49557     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:10.187633991 CEST  61733     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:10.235408068 CEST  53        61733     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:11.916913033 CEST  65447     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:11.969238043 CEST  53        65447     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:13.034820080 CEST  52441     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:13.083679914 CEST  53        52441     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:14.300179005 CEST  62176     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:14.347477913 CEST  53        62176     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:50.303306103 CEST  59736     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:50.305263042 CEST  51058     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:50.305418968 CEST  52636     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:50.350764036 CEST  53        59736     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:50.353497028 CEST  53        52636     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:50.354608059 CEST  53        51058     8.8.8.8         192.168.2.5
Jul 7, 2021 10:41:50.467432022 CEST  59596     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:41:50.518011093 CEST  53        59596     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:22.293884039 CEST  65296     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:22.340636969 CEST  53        65296     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:23.517817974 CEST  63183     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:23.566267014 CEST  53        63183     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:24.820453882 CEST  60151     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:24.867818117 CEST  53        60151     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:25.943399906 CEST  56969     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:25.991075039 CEST  53        56969     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:32.901308060 CEST  55161     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:32.978351116 CEST  53        55161     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:48.833185911 CEST  54757     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:48.882189989 CEST  53        54757     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:51.021521091 CEST  49992     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:51.070379019 CEST  53        49992     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:53.333837032 CEST  60075     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:53.382605076 CEST  53        60075     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:54.000277042 CEST  55016     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:54.047828913 CEST  53        55016     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:56.563894987 CEST  64345     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:56.612906933 CEST  53        64345     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:57.276827097 CEST  57128     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:57.325242996 CEST  53        57128     8.8.8.8         192.168.2.5
Jul 7, 2021 10:42:57.526649952 CEST  54791     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:42:57.574337959 CEST  53        54791     8.8.8.8         192.168.2.5
Jul 7, 2021 10:43:05.758491039 CEST  50463     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:43:05.814879894 CEST  53        50463     8.8.8.8         192.168.2.5
Jul 7, 2021 10:43:14.342447042 CEST  50394     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:43:14.395380974 CEST  53        50394     8.8.8.8         192.168.2.5
Jul 7, 2021 10:43:18.729798079 CEST  58530     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:43:18.776760101 CEST  53        58530     8.8.8.8         192.168.2.5
Jul 7, 2021 10:43:19.727202892 CEST  58530     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:43:19.774288893 CEST  53        58530     8.8.8.8         192.168.2.5
Jul 7, 2021 10:43:20.740657091 CEST  58530     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:43:20.787770033 CEST  53        58530     8.8.8.8         192.168.2.5
Jul 7, 2021 10:43:22.740407944 CEST  58530     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:43:22.787152052 CEST  53        58530     8.8.8.8         192.168.2.5
Jul 7, 2021 10:43:26.756454945 CEST  58530     53        192.168.2.5     8.8.8.8
Jul 7, 2021 10:43:26.803472996 CEST  53        58530     8.8.8.8         192.168.2.5

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
Jul 7, 2021 10:42:51.021521091 CEST  192.168.2.5  8.8.8.8  0xed2a    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
Jul 7, 2021 10:42:53.333837032 CEST  192.168.2.5  8.8.8.8  0x696b    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
Jul 7, 2021 10:42:54.000277042 CEST  192.168.2.5  8.8.8.8  0xf187    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)
Jul 7, 2021 10:42:56.563894987 CEST  192.168.2.5  8.8.8.8  0x2e0a    Standard query (0)  outlook.com            A (IP address)  IN (0x0001)
Jul 7, 2021 10:42:57.276827097 CEST  192.168.2.5  8.8.8.8  0x6302    Standard query (0)  www.outlook.com        A (IP address)  IN (0x0001)
Jul 7, 2021 10:42:57.526649952 CEST  192.168.2.5  8.8.8.8  0x49fa    Standard query (0)  outlook.office365.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                        CName                       Address        Type                    Class
Jul 7, 2021 10:42:51.070379019 CEST  8.8.8.8    192.168.2.5  0xed2a    No error (0)  outlook.com                 -                           40.97.116.82   A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST  8.8.8.8    192.168.2.5  0xed2a    No error (0)  outlook.com                 -                           40.97.161.50   A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST  8.8.8.8    192.168.2.5  0xed2a    No error (0)  outlook.com                 -                           40.97.160.2    A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST  8.8.8.8    192.168.2.5  0xed2a    No error (0)  outlook.com                 -                           40.97.148.226  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST  8.8.8.8    192.168.2.5  0xed2a    No error (0)  outlook.com                 -                           40.97.164.146  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST  8.8.8.8    192.168.2.5  0xed2a    No error (0)  outlook.com                 -                           40.97.128.194  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST  8.8.8.8    192.168.2.5  0xed2a    No error (0)  outlook.com                 -                           40.97.156.114  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:51.070379019 CEST  8.8.8.8    192.168.2.5  0xed2a    No error (0)  outlook.com                 -                           40.97.153.146  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST  8.8.8.8    192.168.2.5  0x696b    No error (0)  www.outlook.com             outlook.office365.com       -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST  8.8.8.8    192.168.2.5  0x696b    No error (0)  outlook.office365.com       outlook.ha.office365.com    -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST  8.8.8.8    192.168.2.5  0x696b    No error (0)  outlook.ha.office365.com    outlook.ms-acdc.office.com  -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST  8.8.8.8    192.168.2.5  0x696b    No error (0)  outlook.ms-acdc.office.com  HHN-efz.ms-acdc.office.com  -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST  8.8.8.8    192.168.2.5  0x696b    No error (0)  HHN-efz.ms-acdc.office.com  -                           40.101.137.98  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST  8.8.8.8    192.168.2.5  0x696b    No error (0)  HHN-efz.ms-acdc.office.com  -                           52.98.175.18   A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST  8.8.8.8    192.168.2.5  0x696b    No error (0)  HHN-efz.ms-acdc.office.com  -                           52.97.233.34   A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:53.382605076 CEST  8.8.8.8    192.168.2.5  0x696b    No error (0)  HHN-efz.ms-acdc.office.com  -                           52.97.150.2    A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST  8.8.8.8    192.168.2.5  0xf187    No error (0)  outlook.office365.com       outlook.ha.office365.com    -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST  8.8.8.8    192.168.2.5  0xf187    No error (0)  outlook.ha.office365.com    outlook.ms-acdc.office.com  -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST  8.8.8.8    192.168.2.5  0xf187    No error (0)  outlook.ms-acdc.office.com  HHN-efz.ms-acdc.office.com  -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST  8.8.8.8    192.168.2.5  0xf187    No error (0)  HHN-efz.ms-acdc.office.com  -                           52.97.233.2    A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST  8.8.8.8    192.168.2.5  0xf187    No error (0)  HHN-efz.ms-acdc.office.com  -                           52.98.171.242  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST  8.8.8.8    192.168.2.5  0xf187    No error (0)  HHN-efz.ms-acdc.office.com  -                           52.98.151.226  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:54.047828913 CEST  8.8.8.8    192.168.2.5  0xf187    No error (0)  HHN-efz.ms-acdc.office.com  -                           52.98.152.162  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST  8.8.8.8    192.168.2.5  0x2e0a    No error (0)  outlook.com                 -                           40.97.116.82   A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST  8.8.8.8    192.168.2.5  0x2e0a    No error (0)  outlook.com                 -                           40.97.161.50   A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST  8.8.8.8    192.168.2.5  0x2e0a    No error (0)  outlook.com                 -                           40.97.160.2    A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST  8.8.8.8    192.168.2.5  0x2e0a    No error (0)  outlook.com                 -                           40.97.148.226  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST  8.8.8.8    192.168.2.5  0x2e0a    No error (0)  outlook.com                 -                           40.97.164.146  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST  8.8.8.8    192.168.2.5  0x2e0a    No error (0)  outlook.com                 -                           40.97.128.194  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST  8.8.8.8    192.168.2.5  0x2e0a    No error (0)  outlook.com                 -                           40.97.156.114  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:56.612906933 CEST  8.8.8.8    192.168.2.5  0x2e0a    No error (0)  outlook.com                 -                           40.97.153.146  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST  8.8.8.8    192.168.2.5  0x6302    No error (0)  www.outlook.com             outlook.office365.com       -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST  8.8.8.8    192.168.2.5  0x6302    No error (0)  outlook.office365.com       outlook.ha.office365.com    -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST  8.8.8.8    192.168.2.5  0x6302    No error (0)  outlook.ha.office365.com    outlook.ms-acdc.office.com  -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST  8.8.8.8    192.168.2.5  0x6302    No error (0)  outlook.ms-acdc.office.com  FRA-efz.ms-acdc.office.com  -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST  8.8.8.8    192.168.2.5  0x6302    No error (0)  FRA-efz.ms-acdc.office.com  -                           52.97.152.210  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST  8.8.8.8    192.168.2.5  0x6302    No error (0)  FRA-efz.ms-acdc.office.com  -                           40.101.19.146  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:57.325242996 CEST  8.8.8.8    192.168.2.5  0x6302    No error (0)  FRA-efz.ms-acdc.office.com  -                           40.101.83.194  A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST  8.8.8.8    192.168.2.5  0x49fa    No error (0)  outlook.office365.com       outlook.ha.office365.com    -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST  8.8.8.8    192.168.2.5  0x49fa    No error (0)  outlook.ha.office365.com    outlook.ms-acdc.office.com  -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST  8.8.8.8    192.168.2.5  0x49fa    No error (0)  outlook.ms-acdc.office.com  FRA-efz.ms-acdc.office.com  -              CNAME (Canonical name)  IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST  8.8.8.8    192.168.2.5  0x49fa    No error (0)  FRA-efz.ms-acdc.office.com  -                           52.97.144.2    A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST  8.8.8.8    192.168.2.5  0x49fa    No error (0)  FRA-efz.ms-acdc.office.com  -                           52.97.163.2    A (IP address)          IN (0x0001)
Jul 7, 2021 10:42:57.574337959 CEST  8.8.8.8    192.168.2.5  0x49fa    No error (0)  FRA-efz.ms-acdc.office.com  -                           52.97.188.66   A (IP address)          IN (0x0001)
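The answers above form one CNAME chain (www.outlook.com to outlook.office365.com to outlook.ha.office365.com to outlook.ms-acdc.office.com to HHN-efz or FRA-efz.ms-acdc.office.com) whose final A records are exactly the addresses the 443 connections in the TCP Packets table went to. The check a reviewer wants here is whether every destination the sample contacted has a DNS answer behind it: a hard-coded C2 address would show up as a connection with no name. The following is an added example, not code from the report or from Joe Sandbox; it walks the chain backwards so each address is attributed to every name that eventually resolved to it. The rows are transcribed from the tables above, and the "unresolved destination" logic is this example's own, not a finding of the report.

```python
"""Label the TCP destinations from the TCP Packets table with the names in the
DNS Answers table, and flag destinations that no DNS answer explains.

Added example, not part of the Joe Sandbox report. Rows below are transcribed
from the report's tables; the unresolved-address check is an assumption about
how a reviewer would use them, not something the report states.
"""
from __future__ import annotations

from collections import defaultdict

# (name, cname, address) transcribed from the DNS Answers table; one of
# cname/address is None per row, as in the report. Transaction 0x696b plus one
# FRA-efz answer from 0x6302 are enough to cover the 443 destinations seen.
DNS_ANSWERS = [
    ("outlook.com", None, "40.97.116.82"),
    ("www.outlook.com", "outlook.office365.com", None),
    ("outlook.office365.com", "outlook.ha.office365.com", None),
    ("outlook.ha.office365.com", "outlook.ms-acdc.office.com", None),
    ("outlook.ms-acdc.office.com", "HHN-efz.ms-acdc.office.com", None),
    ("HHN-efz.ms-acdc.office.com", None, "40.101.137.98"),
    ("HHN-efz.ms-acdc.office.com", None, "52.97.233.2"),
    ("outlook.ms-acdc.office.com", "FRA-efz.ms-acdc.office.com", None),
    ("FRA-efz.ms-acdc.office.com", None, "52.97.152.210"),
]

# (src_port, dst_port, src_ip, dst_ip) transcribed from the TCP Packets table,
# client-to-server direction only.
TCP_ROWS = [
    (49724, 443, "192.168.2.5", "40.101.137.98"),
    (49726, 443, "192.168.2.5", "52.97.233.2"),
    (49727, 443, "192.168.2.5", "40.97.116.82"),
    (49728, 443, "192.168.2.5", "40.97.116.82"),
]


def build_index(answers):
    """Two reverse maps: address -> names holding that A record, and
    CNAME target -> aliases that point at it (names are case-folded)."""
    by_address: dict[str, set[str]] = defaultdict(set)
    aliases_of: dict[str, set[str]] = defaultdict(set)
    for name, cname, address in answers:
        name = name.lower()
        if address:
            by_address[address].add(name)
        if cname:
            aliases_of[cname.lower()].add(name)
    return by_address, aliases_of


def names_for_ip(ip, index):
    """Every name (the canonical one plus each alias up the CNAME chain)
    that resolved to ip; empty list when no answer carried that address."""
    by_address, aliases_of = index
    found: set[str] = set()
    todo = list(by_address.get(ip, ()))
    while todo:
        name = todo.pop()
        if name in found:
            continue
        found.add(name)
        todo.extend(aliases_of.get(name, ()))
    return sorted(found)


def label_connections(rows, answers):
    """Attach the resolved names to each destination of each connection."""
    index = build_index(answers)
    return [(src_port, dst_port, dst_ip, names_for_ip(dst_ip, index))
            for src_port, dst_port, _src_ip, dst_ip in rows]


def unresolved_destinations(rows, answers):
    """Destinations contacted without any DNS answer behind them: the ones
    that deserve a closer look in a report like this one."""
    return sorted({dst for _sp, _dp, dst, names in label_connections(rows, answers)
                   if not names})


if __name__ == "__main__":
    for src_port, dst_port, dst_ip, names in label_connections(TCP_ROWS, DNS_ANSWERS):
        print(f"{src_port} -> {dst_ip}:{dst_port}  {', '.join(names) or '(no DNS answer)'}")
    print("unresolved:", unresolved_destinations(TCP_ROWS, DNS_ANSWERS))
```

For this report every 443 destination maps back to outlook.com or to the www.outlook.com chain, so the unresolved list is empty; the same two tables from a run with a hard-coded C2 address would put that address in the list.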

HTTP Request Dependency Graph

• outlook.com

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.5  49721        40.97.116.82    80                C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp                            kBytes transferred  Direction  Data
Jul 7, 2021 10:42:51.274972916 CEST  1487                OUT
GET /grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa3C/uHqcEARrcPcZDk3/M6E_2BTZS_2BVaLqj4/34AYxwikF/REm_2FMb1QNTSjBFb_2F/tvRFv4olV4RM6PFjWcs/Yxi4zCvrQiijB3JFDfkmao/_2Ff4LrwOirbu/dGY1O2o_/2BPYCJyNgelsd4Jc6x2/N.grow HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: outlook.com
Connection: Keep-Alive

Jul 7, 2021 10:42:51.455990076 CEST  1488                IN
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.com/grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa3C/uHqcEARrcPcZDk3/M6E_2BTZS_2BVaLqj4/34AYxwikF/REm_2FMb1QNTSjBFb_2F/tvRFv4olV4RM6PFjWcs/Yxi4zCvrQiijB3JFDfkmao/_2Ff4LrwOirbu/dGY1O2o_/2BPYCJyNgelsd4Jc6x2/N.grow
Server: Microsoft-IIS/10.0
request-id: 52e0a7cb-8602-91df-81c1-2dcb70efe4dd
X-FEServer: MWHPR13CA0006
X-RequestId: 2526dedc-1dff-46a1-8916-d76af6eb2525
X-Powered-By: ASP.NET
X-FEServer: MWHPR13CA0006
Date: Wed, 07 Jul 2021 08:42:51 GMT
Connection: close
Content-Length: 0
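The request is attributed to iexplore.exe, went to outlook.com over port 80, and was answered with a 301 to the same path over HTTPS; the 443 connections to 40.97.116.82 from source ports 49727 and 49728 in the TCP Packets table are consistent with the browser following that redirect. The destination is a legitimate Microsoft host, so the indicator is the shape of the request path, not the host. The following is an added example, not code from the report or from Joe Sandbox. It decodes that path under the Ursnif/Gozi request convention in which base64 request data has "/" and "+" rewritten as "_2F" and "_2B" and is then cut into random-length path segments. Treating the leading "grower" directory as a fixed prefix and ".grow" as decoration, the "_3D" escape for "=", and the scoring thresholds are this example's assumptions.

```python
"""Triage the outlook.com request from the HTTP Packets table.

Added example (not part of the Joe Sandbox report). It assumes the Ursnif/Gozi
request-path convention: request data is base64-encoded, '/' and '+' in the
base64 text are rewritten as '_2F' and '_2B', and the text is cut into
random-length path segments behind a fixed leading directory and a bogus file
extension. Decoding recovers the still-encrypted payload, so only its shape
(valid base64, plausible length) is checked; nothing here needs a key.
"""
from __future__ import annotations

import base64
import binascii
from urllib.parse import urlsplit

# Request line transcribed from the HTTP Packets table (constructed test input).
REQUEST_LINE = (
    "GET /grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa3C"
    "/uHqcEARrcPcZDk3/M6E_2BTZS_2BVaLqj4/34AYxwikF/REm_2FMb1QNTSjBFb_2F"
    "/tvRFv4olV4RM6PFjWcs/Yxi4zCvrQiijB3JFDfkmao/_2Ff4LrwOirbu/dGY1O2o_"
    "/2BPYCJyNgelsd4Jc6x2/N.grow HTTP/1.1"
)
# An ordinary Outlook Web Access request line as a benign control (constructed).
BENIGN_LINE = "GET /owa/auth/logon.aspx HTTP/1.1"

# Escapes the bot substitutes for characters that would need URL encoding.
# '_3D' (for '=') is assumed by analogy with the other two; it does not occur above.
ESCAPES = {"_2F": "/", "_2B": "+", "_3D": "="}


def path_segments(request_line: str) -> list[str]:
    """Split the request target into the segments that carry data.

    The first directory ('grower' above) is treated as a fixed prefix and the
    extension on the last segment ('.grow') as decoration; both are dropped.
    """
    _method, target, _version = request_line.split(" ", 2)
    parts = [p for p in urlsplit(target).path.split("/") if p]
    if len(parts) < 2:
        return []
    data = parts[1:]
    data[-1] = data[-1].rsplit(".", 1)[0]
    return data


def recover_base64(segments: list[str]) -> str:
    """Join the segments, then undo the escapes.

    Joining first matters: the sample splits one '_2B' across two segments
    ('dGY1O2o_' / '2BPYCJ...'), so per-segment replacement would miss it.
    """
    blob = "".join(segments)
    for esc, char in ESCAPES.items():
        blob = blob.replace(esc, char)
    return blob


def decode_payload(request_line: str) -> bytes:
    """Decoded (still encrypted) payload; raises binascii.Error if the path is not base64."""
    b64 = recover_base64(path_segments(request_line))
    b64 += "=" * (-len(b64) % 4)  # the bot drops padding; restore it before decoding
    return base64.b64decode(b64, validate=True)


def triage(request_line: str) -> dict:
    """Score one request line; every field is something a reviewer can recheck by hand."""
    segments = path_segments(request_line)
    joined = "".join(segments)
    report = {
        "segments": len(segments),
        "escapes": sum(joined.count(esc) for esc in ESCAPES),
        "b64_len": len(recover_base64(segments)),
        "payload_len": None,
        "suspicious": False,
    }
    try:
        report["payload_len"] = len(decode_payload(request_line))
    except (binascii.Error, ValueError):
        return report  # not base64 at all: payload_len stays None, suspicious False
    # Thresholds are this example's choice, not values taken from the report.
    report["suspicious"] = (
        report["segments"] >= 6 and report["escapes"] >= 1 and report["payload_len"] >= 64
    )
    return report


if __name__ == "__main__":
    for line in (REQUEST_LINE, BENIGN_LINE):
        print(line.split(" ")[1][:40], triage(line))
```

For the captured request the fourteen segments join to a 192-character base64 string (a multiple of four only once "grower" is left out, which is what justifies treating it as a prefix) that decodes to 144 bytes of ciphertext; the benign control fails base64 decoding and is not flagged.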


                                                                                  Code Manipulations

                                                                                  Statistics

                                                                                  Behavior

System Behavior

General

Start time: 10:41:12
Start date: 07/07/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\5.dll'
Imagebase: 0x1170000
File size: 116736 bytes
MD5 hash: 542795ADF7CC08EFCF675D65310596E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 10:41:12
Start date: 07/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:41:13
Start date: 07/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition
Imagebase: 0x960000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:41:13
Start date: 07/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Imagebase: 0x960000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, Author: Joe Security
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:10:41:17
                                                                                  Start date:07/07/2021
                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\5.dll,Dogwhen
                                                                                  Imagebase:0x960000
                                                                                  File size:61952 bytes
                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:10:41:23
                                                                                  Start date:07/07/2021
                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\5.dll,Sing
                                                                                  Imagebase:0x960000
                                                                                  File size:61952 bytes
                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:10:41:28
                                                                                  Start date:07/07/2021
                                                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:rundll32.exe C:\Users\user\Desktop\5.dll,Wholegray
                                                                                  Imagebase:0x960000
                                                                                  File size:61952 bytes
                                                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:10:42:47
                                                                                  Start date:07/07/2021
                                                                                  Path:C:\Program Files\internet explorer\iexplore.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
                                                                                  Imagebase:0x7ff762e70000
                                                                                  File size:823560 bytes
                                                                                  MD5 hash:6465CB92B25A7BC1DF8E01D8AC5E7596
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:10:42:48
                                                                                  Start date:07/07/2021
                                                                                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17410 /prefetch:2
                                                                                  Imagebase:0xf40000
                                                                                  File size:822536 bytes
                                                                                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high

                                                                                  General

                                                                                  Start time:10:42:53
                                                                                  Start date:07/07/2021
                                                                                  Path:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17418 /prefetch:2
                                                                                  Imagebase:0xf40000
                                                                                  File size:822536 bytes
                                                                                  MD5 hash:071277CC2E3DF41EEEA8013E2AB58D5A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
