Windows Analysis Report d7b.dll

Overview

General Information

Sample Name: d7b.dll
Analysis ID: 446419
MD5: d7b3fe9b94d3896df9d9f77b37adbf37
SHA1: 6b71978633aa2f91c15ef48eaf3cc4dd54ea7dd0
SHA256: f7a1ecdd925fd1e03ff08f547b24a10e64a5996060feab65e77f6ca0339b6a00
Tags: dll, gozi

Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5604 cmdline: loaddll32.exe 'C:\Users\user\Desktop\d7b.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 3180 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6136 cmdline: rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5672 cmdline: rundll32.exe C:\Users\user\Desktop\d7b.dll,Moleculenotice MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5640 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5532 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5548 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 7080 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5572 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7080 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6168 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7080 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5248 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5392 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5248 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 5468 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5248 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
(15 further entries not shown in this overview; all 20 matching memory dumps and process memory spaces are listed in full in the signature sections below)

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            AV Detection:

Antivirus / Scanner detection for submitted sample
Source: d7b.dll | Avira: detected
Multi AV Scanner detection for submitted file
Source: d7b.dll | Metadefender: Detection: 37%
Source: d7b.dll | ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: d7b.dll | Joe Sandbox ML: detected
Source: d7b.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: d7b.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Paint\Baby\String\Felt\beauty\little\mindclock.pdb | source: loaddll32.exe, 00000000.00000002.596728829.000000006D989000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.597761911.000000006D989000.00000002.00020000.sdmp, d7b.dll

            Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49724 -> 172.217.168.78:80
Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: ooakieyrc.xyz (4 queries)
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: unknown | TCP traffic detected without corresponding DNS query: 81.92.202.190 (12 connections)
Source: unknown | DNS traffic detected: queries for: ooakieyrc.xyz
Source: {73AF0670-E104-11EB-90E5-ECF4BB2D2496}.dat.27.dr | String found in binary or memory: http://81.92.202.190/images/6_2Bfi3b1BN36VCLTJu/7xXAKaMrEwHuufQ0qCrZ8t/2MLMlwG9w9jdT/PNPs5keC/50Od9L
Source: {73AF066E-E104-11EB-90E5-ECF4BB2D2496}.dat.27.dr | String found in binary or memory: http://81.92.202.190/images/Rv8GrTLYptzSKPZ/L4_2FdPuwtqV2xQNJp/z_2FfwkAJ/Fv_2BGyCrahYt_2FNGpY/ghlbjT
Source: {4867C43C-E104-11EB-90E5-ECF4BB2D2496}.dat.9.dr | String found in binary or memory: http://google.com/images/D2C5vfrSqC9/0QY2E5fyBElqGL/KexG_2Fvw2ZjPL7Hw1vAC/yIiJSAPDJ0pvzm0m/gq5wu0ciS
Source: ~DF9E247E5B8AC6418E.TMP.9.dr, {4867C43E-E104-11EB-90E5-ECF4BB2D2496}.dat.9.dr | String found in binary or memory: http://google.com/images/nEH4fv80NMb6jmWf42s/yWPosL9TmLhv46sbdsSAla/6VrnHflFUDDQp/Fat6z6l3/7LJBcgRPk
Source: {6381B6B0-E104-11EB-90E5-ECF4BB2D2496}.dat.21.dr | String found in binary or memory: http://ooakieyrc.xyz/images/7kc3AOalDAVrSC/miBJwAGiWQLur4VkluCOz/xRVn0UZ3CFv16_2B/wOU1EGTVWcgl78r/3l
Source: {6381B6AE-E104-11EB-90E5-ECF4BB2D2496}.dat.21.dr | String found in binary or memory: http://ooakieyrc.xyz/images/X1oZp6Zj_2FwjdZ/GmHjDHWSzeA_2FTY8s/I0hYASmbJ/uk7yqg3FxgKimKg4iEaQ/oRj2iH
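The beacon URIs recovered from the Internet Explorer recovery stores share the structure that Snort rule 2033203 keys on: everything under /images/ is a single encoded blob split into path segments, with the two base64 characters that are not URL-safe rewritten as their hex ASCII codes ('+' becomes _2B, '/' becomes _2F). The same shape went to google.com (172.217.168.78:80 in the Snort alert) as well as to 81.92.202.190 and ooakieyrc.xyz, so a detection that relies on destination reputation alone misses part of this traffic; the URI structure is the stable indicator. The Python below is an added example and is not part of the Joe Sandbox report or the Snort rule: it reverses the substitution, reassembles the blob and flags Ursnif-shaped paths. The six sample URLs are copied from the report (truncated there, so no trailing file extension); the benign control URLs and the thresholds (at least three segments, at least 40 base64 characters) are assumptions chosen for the example.

```python
import re
from urllib.parse import urlparse

# Ursnif/ISFB rewrites the two base64 characters that are not URL-safe
# with their hex ASCII codes: '+' -> _2B, '/' -> _2F.
SUBSTITUTIONS = {"_2B": "+", "_2F": "/"}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Assumed thresholds for this example (not taken from the Snort rule).
MIN_SEGMENTS = 3
MIN_BLOB_LEN = 40

# Beacon URIs copied from the report above (truncated there, so no extension).
SAMPLE_URLS = [
    "http://81.92.202.190/images/6_2Bfi3b1BN36VCLTJu/7xXAKaMrEwHuufQ0qCrZ8t/2MLMlwG9w9jdT/PNPs5keC/50Od9L",
    "http://81.92.202.190/images/Rv8GrTLYptzSKPZ/L4_2FdPuwtqV2xQNJp/z_2FfwkAJ/Fv_2BGyCrahYt_2FNGpY/ghlbjT",
    "http://google.com/images/D2C5vfrSqC9/0QY2E5fyBElqGL/KexG_2Fvw2ZjPL7Hw1vAC/yIiJSAPDJ0pvzm0m/gq5wu0ciS",
    "http://google.com/images/nEH4fv80NMb6jmWf42s/yWPosL9TmLhv46sbdsSAla/6VrnHflFUDDQp/Fat6z6l3/7LJBcgRPk",
    "http://ooakieyrc.xyz/images/7kc3AOalDAVrSC/miBJwAGiWQLur4VkluCOz/xRVn0UZ3CFv16_2B/wOU1EGTVWcgl78r/3l",
    "http://ooakieyrc.xyz/images/X1oZp6Zj_2FwjdZ/GmHjDHWSzeA_2FTY8s/I0hYASmbJ/uk7yqg3FxgKimKg4iEaQ/oRj2iH",
]

# Constructed benign controls (not from the report). The second one contains
# a literal "_2B" and the fourth is long, to show what the checks rule out.
BENIGN_URLS = [
    "http://www.example.com/images/logo.png",
    "http://www.example.com/images/2021/07/photo_2B.jpg",
    "http://cdn.example.com/images/a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6/banner.jpg",
    "http://www.example.com/images/user_uploads/my_file/thumbs/small",
]


def analyze_uri(url: str) -> dict:
    """Describe one URL: is the path an Ursnif-style /images/ beacon blob?"""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    result = {"url": url, "host": parsed.hostname, "flagged": False,
              "segments": 0, "substitutions": 0, "blob": ""}
    if len(parts) < 2 or parts[0].lower() != "images":
        return result
    segments = parts[1:]
    # A real image URL ends in name.ext, and the beacon can carry a fake
    # extension on its last segment, so strip one extension before checking.
    segments[-1] = segments[-1].rsplit(".", 1)[0]
    result["segments"] = len(segments)
    # Count and undo the substitutions per segment, so a "_2" ending one
    # segment and a "B" starting the next are not miscounted as one token.
    decoded = []
    for seg in segments:
        for token, char in SUBSTITUTIONS.items():
            result["substitutions"] += seg.count(token)
            seg = seg.replace(token, char)
        decoded.append(seg)
    blob = "".join(decoded)
    result["blob"] = blob
    # Flag when the whole path is one base64 blob of beacon-like length.
    # A leftover '_' or '-' fails the regex, which rules out ordinary
    # underscore-separated filenames even when they happen to contain _2B.
    result["flagged"] = (
        len(segments) >= MIN_SEGMENTS
        and len(blob) >= MIN_BLOB_LEN
        and BASE64_BLOB.fullmatch(blob) is not None
    )
    return result


def find_beacons(urls):
    """Return the analysis record of every URL that looks like a beacon."""
    return [r for r in (analyze_uri(u) for u in urls) if r["flagged"]]


if __name__ == "__main__":
    for rec in find_beacons(SAMPLE_URLS + BENIGN_URLS):
        print(f"{rec['host']:>16}  segments={rec['segments']}  "
              f"subs={rec['substitutions']}  blob_len={len(rec['blob'])}")
```

Run against proxy or Zeek http.log URLs, this flags all six report URLs and none of the controls. The fourth report URL carries no substitution at all in the part that survived truncation, which is why the check rests on the /images/ prefix, the segment count and the base64 alphabet rather than on the _2B/_2F tokens alone; the token count is reported but not required.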

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.384681414.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.386833228.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.385026148.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.385049727.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.385084591.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.386804155.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.386611964.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.384965086.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.385068995.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.594418378.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.386843346.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.386704666.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.386554114.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6136, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 5604, type: MEMORY
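Every Yara hit above is on a memory dump rather than on d7b.dll itself, and the dump names carry the information a responder wants: which process, which base address, and what page protection the matching region had. The Python below is an added example, not part of the Joe Sandbox report. It parses those identifiers and groups the 18 dump hits, which collapse to exactly two regions, one in loaddll32.exe at 0x3458000 and one in rundll32.exe at 0x5308000, both PAGE_READWRITE memory outside the loaded image, which is what an unpacked in-memory payload looks like. The field layout is read off the names on this page (an assumption; the first field matches the process index that prefixes the "Code function" entries, 0_2_… for loaddll32.exe and 4_2_… for rundll32.exe), the protection decoding uses the standard Win32 PAGE_* constants, the last field is kept raw because the page does not document it, and the index-to-PID mapping is inferred from the report.

```python
import re
from collections import defaultdict

# Assumed layout of a Joe Sandbox memory-dump name, read off the entries above:
#   <process index>.<dump type>.<dump id>.<base address>.<protection>.<type>.sdmp
# The first field is the same process index that prefixes the "Code function"
# entries (0_2_... for loaddll32.exe, 4_2_... for rundll32.exe). The protection
# field is decoded with the Win32 PAGE_* constants; the last field is kept raw
# because its encoding is not documented on the page.
DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dtype>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<rtype>[0-9A-Fa-f]{8})\.sdmp$"
)

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}

# Process index -> process, inferred from the report (index 0 carries the
# loaddll32.exe PDB string; the only rundll32.exe with Yara hits is PID 6136).
PROCESS_BY_INDEX = {0: "loaddll32.exe (PID 5604)", 4: "rundll32.exe (PID 6136)"}

# The 18 memory-dump matches of JoeSecurity_Ursnif listed above.
YARA_DUMPS = [
    "00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp",
    "00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp",
    "00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp",
    "00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp",
    "00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp",
    "00000004.00000003.384681414.0000000005308000.00000004.00000040.sdmp",
    "00000000.00000003.386833228.0000000003458000.00000004.00000040.sdmp",
    "00000004.00000003.385026148.0000000005308000.00000004.00000040.sdmp",
    "00000004.00000003.385049727.0000000005308000.00000004.00000040.sdmp",
    "00000004.00000003.385084591.0000000005308000.00000004.00000040.sdmp",
    "00000000.00000003.386804155.0000000003458000.00000004.00000040.sdmp",
    "00000000.00000003.386611964.0000000003458000.00000004.00000040.sdmp",
    "00000004.00000003.384965086.0000000005308000.00000004.00000040.sdmp",
    "00000004.00000003.385068995.0000000005308000.00000004.00000040.sdmp",
    "00000000.00000002.594418378.0000000003458000.00000004.00000040.sdmp",
    "00000000.00000003.386843346.0000000003458000.00000004.00000040.sdmp",
    "00000000.00000003.386704666.0000000003458000.00000004.00000040.sdmp",
    "00000000.00000003.386554114.0000000003458000.00000004.00000040.sdmp",
]


def decode_protection(value: int) -> str:
    """Render a PAGE_* value: base protection in the low byte plus modifier bits."""
    names = [PAGE_PROTECTION.get(value & 0xFF, f"0x{value & 0xFF:02X}")]
    names += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join(names)


def parse_dump_name(name: str) -> dict:
    """Split one .sdmp identifier into its fields."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name}")
    proc = int(m["proc"], 16)
    return {
        "process_index": proc,
        "process": PROCESS_BY_INDEX.get(proc, "unknown"),
        "dump_type": int(m["dtype"], 16),
        "dump_id": int(m["dump_id"]),
        "base": int(m["base"], 16),
        "protection": decode_protection(int(m["prot"], 16)),
        "region_type_raw": m["rtype"],
    }


def summarize(names) -> dict:
    """Group hits by (process index, base address): how many dumps of the same
    region matched, with which protections and which dump types."""
    groups = defaultdict(lambda: {"hits": 0, "protection": set(), "dump_types": set(), "process": ""})
    for name in names:
        d = parse_dump_name(name)
        g = groups[(d["process_index"], d["base"])]
        g["hits"] += 1
        g["protection"].add(d["protection"])
        g["dump_types"].add(d["dump_type"])
        g["process"] = d["process"]
    return dict(groups)


if __name__ == "__main__":
    for (idx, base), g in sorted(summarize(YARA_DUMPS).items()):
        print(f"proc {idx} {g['process']:<26} base 0x{base:08X}  hits={g['hits']:2d}  "
              f"prot={','.join(sorted(g['protection']))}  dump_types={sorted(g['dump_types'])}")
```

The same parser applied to the PDB-string sources in the report gives PAGE_READONLY at 0x6D989000 in both processes, i.e. the mapped DLL image itself, which is the contrast worth noting: the Yara rule fires on the writable regions the loader filled, not on the image that was loaded from disk.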

            E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same 20 memory dumps and process memory spaces listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

            System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D9722C9 NtQueryVirtualMemory,LdrInitializeThunk,0_2_6D9722C9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E84F66 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_00E84F66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_012B4F66 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_012B4F66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01374F66 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,4_2_01374F66
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D9720A8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E8A29C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E8541A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_012B541A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_012BA29C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0137541A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0137A29C
Source: d7b.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: d7b.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal88.troj.winDLL@22/43@4/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4867C43A-E104-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFCC73204E5D3290B9.TMP
Source: d7b.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d7b.dll,Moleculenotice
Source: d7b.dll | Metadefender: Detection: 37%
Source: d7b.dll | ReversingLabs: Detection: 62%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\d7b.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d7b.dll,Moleculenotice
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17414 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7080 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7080 CREDAT:17414 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5248 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5248 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator, the WMI locator object)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: d7b.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: d7b.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Paint\Baby\String\Felt\beauty\little\mindclock.pdb | source: loaddll32.exe, 00000000.00000002.596728829.000000006D989000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.597761911.000000006D989000.00000002.00020000.sdmp, d7b.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D972097 push ecx; ret 0_2_6D9720A7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D972050 push ecx; ret 0_2_6D972059
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E8A28B push ecx; ret 0_2_00E8A29B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E89E40 push ecx; ret 0_2_00E89E49
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D9819AB pushad ; iretd 0_2_6D9819AE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D9809D7 push ebp; iretd 0_2_6D9809F2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D980093 pushad ; ret 0_2_6D9800A8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D981009 push ecx; retf 0_2_6D981086
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D981055 push ecx; retf 0_2_6D981086
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D9857C5 push ecx; ret 0_2_6D9857D8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D980204 pushad ; retf 0_2_6D980222
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D981278 pushad ; retn 0048h 0_2_6D981279
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_012B9E40 push ecx; ret 3_2_012B9E49
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_012BA28B push ecx; ret 3_2_012BA29B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01379E40 push ecx; ret 4_2_01379E49
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0137A28B push ecx; ret 4_2_0137A29B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D9819AB pushad ; iretd 4_2_6D9819AE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D9809D7 push ebp; iretd 4_2_6D9809F2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D980093 pushad ; ret 4_2_6D9800A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D981009 push ecx; retf 4_2_6D981086
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D981055 push ecx; retf 4_2_6D981086
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D9857C5 push ecx; ret 4_2_6D9857D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D980204 pushad ; retf 4_2_6D980222
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D981278 pushad ; retn 0048h 4_2_6D981279
Source: initial sample | Static PE information: section name: .text entropy: 6.99787070557

            Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | the same 20 memory dumps and process memory spaces listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D983A00 GetProcessHeap,RtlAllocateHeap,GetTempPathA,GetSystemInfo,CreateSemaphoreA,0_2_6D983A00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D971D28 LdrInitializeThunk,0_2_6D971D28
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D983D72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6D983D72
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D999212 mov eax, dword ptr fs:[00000030h] 0_2_6D999212
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D998D5E push dword ptr fs:[00000030h] 0_2_6D998D5E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D999148 mov eax, dword ptr fs:[00000030h] 0_2_6D999148
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D999212 mov eax, dword ptr fs:[00000030h] 4_2_6D999212
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D998D5E push dword ptr fs:[00000030h] 4_2_6D998D5E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D999148 mov eax, dword ptr fs:[00000030h] 4_2_6D999148
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D983A00 GetProcessHeap,RtlAllocateHeap,GetTempPathA,GetSystemInfo,CreateSemaphoreA,0_2_6D983A00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D97137F InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,0_2_6D97137F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00E82DF4 RtlInitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,0_2_00E82DF4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D983D72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6D983D72
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D985B8B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6D985B8B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_012B2DF4 RtlInitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,3_2_012B2DF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_01372DF4 RtlInitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,4_2_01372DF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D983D72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_6D983D72
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D985B8B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6D985B8B
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1
Source: loaddll32.exe, 00000000.00000002.593648567.0000000001560000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.595719473.0000000003560000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.593648567.0000000001560000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.595719473.0000000003560000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.593648567.0000000001560000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.595719473.0000000003560000.00000002.00000001.sdmpBinary or memory string: &Program Manager
            Source: loaddll32.exe, 00000000.00000002.593648567.0000000001560000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.595719473.0000000003560000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E86E5B cpuid 0_2_00E86E5B
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E82B9E GetSystemTimeAsFileTime,HeapFree,0_2_00E82B9E
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00E86E5B GetUserNameW,RtlAllocateHeap,HeapFree,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_00E86E5B
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D971A98 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6D971A98

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match; File source: 00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.384681414.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386833228.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.385026148.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.385049727.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.385084591.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386804155.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386611964.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.384965086.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.385068995.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.594418378.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386843346.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386704666.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386554114.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 6136, type: MEMORY
            Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 5604, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match; File source: 00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.384681414.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386833228.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.385026148.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.385049727.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.385084591.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386804155.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386611964.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.384965086.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.385068995.0000000005308000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.594418378.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386843346.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386704666.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000003.386554114.0000000003458000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 6136, type: MEMORY
            Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 5604, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation2 | Path Interception | Process Injection12 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information2 | Security Account Manager | Security Software Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing2 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery14 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java