
Windows Analysis Report c36.dll

Overview

General Information

Sample Name: c36.dll
Analysis ID: 446420
MD5: c36ab737db2b6d11fb1f443f8117a7fa
SHA1: e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
SHA256: 181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
Tags: dll, gozi

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Performs DNS queries to domains with low reputation
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6856 cmdline: loaddll32.exe 'C:\Users\user\Desktop\c36.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6876 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6932 cmdline: rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6920 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6964 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Division MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6980 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7004 cmdline: rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 7064 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4788 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7064 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 244 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4500 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:244 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4780 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6676 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4780 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5592 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6188 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5592 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 2016 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6324 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2016 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4624 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5604 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4624 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5432 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5060 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5432 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "1mPXe+HluarwW4R5yJj7kX696atmf6B7a6Jg5mZJ5i3sbRT19R7vT9mKoTtyIRImiHldxTU8DG3omytA0iEqz9hnZgVFnIpVKjKYSqpF7qVSkNASqDhbMdx0CqPxwgtnM3yHiXHYSYrxlGineE5/W0Lx89hsKcfonC8W/kvncnBH4KqUVMOPQeg/25xF11Xm",
  "c2_domain": ["outlook.com", "mail.com", "taybhctdyehfhgthp2.xyz", "thyihjtkylhmhnypp2.xyz"],
  "botnet": "5456",
  "server": "12",
  "serpent_key": "10291029JSRABBIT",
  "sleep_time": "10",
  "CONF_TIMEOUT": "20",
  "SetWaitableTimer_value": "0",
  "DGA_count": "10"
}

Yara Overview

Memory Dumps

Source                                                               Rule                Description            Author
00000004.00000003.910366216.0000000004E18000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif   Joe Security
00000000.00000003.790900009.0000000003628000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif   Joe Security
00000000.00000003.790960793.0000000003628000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif   Joe Security
00000004.00000003.910522567.0000000004E18000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif   Joe Security
00000004.00000003.910307395.0000000004E18000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif   Joe Security
(14 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000003.741101990.0000000002F40000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: c36.dll | Virustotal: Detection: 7%
Source: c36.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown | HTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49791 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.14:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49802 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb | source: loaddll32.exe, 00000000.00000002.1018511227.000000006D4DB000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.1019307465.000000006D4DB000.00000002.00020000.sdmp, c36.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49729 -> 40.97.128.194:80
Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49729 -> 40.97.128.194:80
Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: taybhctdyehfhgthp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: thyihjtkylhmhnypp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: thyihjtkylhmhnypp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: thyihjtkylhmhnypp2.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: taybhctdyehfhgthp2.xyz
Source: unknown | DNS query: taybhctdyehfhgthp2.xyz
Source: Joe Sandbox View | IP Address: 40.97.128.194
Source: Joe Sandbox View | IP Address: 52.97.186.114
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic | HTTP traffic detected:
    GET /jdraw/OvXGpKzLxUlvc/5YmODYZ1/gEki0c5_2Bcj_2BJgBmclYf/4zl_2FiIGx/zg7_2FVzTFFpxQ0Zg/IVmTcFICtOu9/15kAqnW78YI/MXCY1lZONnEzVM/eyszldhHfL9FhdO1fFyz9/RRaqeJksBpKD0xlU/B2SSOZmmpvCp3sI/4IJYpEC_2BP8ptXo3E/E9fvTGTLb/WJ6m1MuHv/Uxoe1d.crw HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: outlook.com
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /jdraw/2x8ENuMVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4BFdYu/NG5HWnb0/vfvVzx4Doj88hqHzLS5VCB0/IRrw6ObYiX/1_2Fr33YbqAT9Ry0m/a_2FLfkuNA_2/F_2Fy3jjalf/Eg8brnQokZm55h/jGcurV8IMufIt7jFcTF99/whDSjKuT/g9l8UU7_2/B.crw HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: mail.com
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: outlook.com
Source: head.min[1].js.32.dr | String found in binary or memory: http://modernizr.com/download/?-csstransforms-csstransforms3d-csstransitions-flexbox-flexboxlegacy-f
Source: picturefill.min[1].js.32.dr | String found in binary or memory: http://scottjehl.github.io/picturefill
Source: loaddll32.exe, 00000000.00000003.885385904.0000000001014000.00000004.00000001.sdmp, ~DF5F3CA953B42C7490.TMP.24.dr, {93B4E602-E0BA-11EB-90EB-ECF4BBEA1588}.dat.24.dr | String found in binary or memory: http://taybhctdyehfhgthp2.xyz/jdraw/vPapbiz2Eh/ZPYySNPAkvOvIyVz2/tWl_2FHqiE2d/6ywtXMerrZg/ABJ_2FJE5Z
Source: {A226C240-E0BA-11EB-90EB-ECF4BBEA1588}.dat.29.dr | String found in binary or memory: http://thyihjtkylhmhnypp2.xyz/jdraw/5aLAbJwTVae/qoEFd9apr89OcM/6ayYRQOOdtFpSwTDl2aq9/CqCbos6Cqnizb6H
Source: B[1].htm.32.dr | String found in binary or memory: https://mail.com/jdraw/2x8ENuMVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4BFdYu
Source: {B0214097-E0BA-11EB-90EB-ECF4BBEA1588}.dat.34.dr | String found in binary or memory: https://outlook.office365.com/jdraw/0SBJEaWj8uzaYO9/X2ZLyhcXhOBs13vUhk/uA0Mj7KPw/1hd_2FrDfFtdqWCbDdz
Source: ~DF8670946C9A228354.TMP.15.dr, {79338731-E0BA-11EB-90EB-ECF4BBEA1588}.dat.15.dr | String found in binary or memory: https://outlook.office365.com/jdraw/OvXGpKzLxUlvc/5YmODYZ1/gEki0c5_2Bcj_2BJgBmclYf/4zl_2FiIGx/zg7_2F
Source: {9AD72DED-E0BA-11EB-90EB-ECF4BBEA1588}.dat.27.dr | String found in binary or memory: https://outlook.office365.com/jdraw/xGbcxYlao6QybS/5qDDj85QhfUdCqg61IRxY/a3KKCFnPRTca1yiq/_2Fc_2FODy
Source: {A90D6F79-E0BA-11EB-90EB-ECF4BBEA1588}.dat.31.dr | String found in binary or memory: https://www.mail.com/cdraw/2x8ENuMVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4B
Source: ~DF3B2B4B210D4677DA.TMP.31.dr, {A90D6F79-E0BA-11EB-90EB-ECF4BBEA1588}.dat.31.dr | String found in binary or memory: https://www.mail.com/consentpageVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4BFd
Source: ~DF3B2B4B210D4677DA.TMP.31.dr, {A90D6F79-E0BA-11EB-90EB-ECF4BBEA1588}.dat.31.dr, B[1].htm0.32.dr | String found in binary or memory: https://www.mail.com/jdraw/2x8ENuMVJEai_2FVqcwg/KQQ50kpn0M3L73ENNBE/G1knvzad_2Fg_2BkyCoA3S/RcPZinl4B

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6932, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.1017606685.0000000000F9B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif (same memory-dump and process-memory matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)

            System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
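The StdRegProv calls above are the security-relevant part of this section: the sample never calls RegSetValueEx itself, it asks the WMI registry provider to do it, so the actual write is performed inside WmiPrvSE.exe and a Sysmon registry event attributes it to that provider host rather than to rundll32.exe or loaddll32.exe. The following script is an added example (not Joe Sandbox code and not part of the sample) of how to triage such calls from a WMI activity trace. It assumes a trace that records each IWbemServices::ExecMethod call together with the client PID in the same "Start IWbemServices::ExecMethod - namespace : class::method" shape the report prints; the log lines and the PID-to-image map are constructed.

```python
"""Flag registry writes performed through WMI's StdRegProv provider.

Added example for this report, not part of Joe Sandbox or the sample. It
assumes a trace source that records each IWbemServices::ExecMethod call with
the client PID in the "Operation = Start IWbemServices::ExecMethod -
<namespace> : <class>::<method>" shape the report shows; the log lines below
are constructed to look like that and the PID-to-image map is assumed.
"""
import re
from collections import defaultdict

# Methods of root\default:StdRegProv that modify the registry. Reads
# (GetStringValue, EnumKey, ...) are too noisy to alert on by themselves.
STDREGPROV_WRITE_METHODS = {
    "CreateKey", "DeleteKey", "DeleteValue",
    "SetDWORDValue", "SetQWORDValue", "SetBinaryValue",
    "SetStringValue", "SetExpandedStringValue", "SetMultiStringValue",
}

# Generic hosts for attacker-supplied code (LOLBins). A StdRegProv write
# issued from one of them is worth an alert. loaddll32.exe is the sandbox's
# own DLL loader and is listed only because it hosts the sample here.
SUSPECT_HOSTS = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "loaddll32.exe",
}

OP_RE = re.compile(
    r"ClientProcessId\s*=\s*(?P<pid>\d+).*?"
    r"Operation\s*=\s*Start\s+IWbemServices::ExecMethod\s*-\s*"
    r"(?P<ns>[^\s:]+)\s*:\s*(?P<cls>\w+)::(?P<method>\w+)",
    re.IGNORECASE,
)

def parse_execmethod(line):
    """Return (pid, namespace, class, method) or None for non-ExecMethod lines."""
    m = OP_RE.search(line)
    if not m:
        return None
    return int(m["pid"]), m["ns"].lower(), m["cls"], m["method"]

def find_wmi_registry_writes(lines, pid_to_image):
    """Group StdRegProv writes by client process and flag suspect hosts.

    Returns a list of dicts sorted by pid. 'suspect' is True when the calling
    image is a LOLBin-style host. Writes from PIDs missing in the process map
    are kept with image None so a gap in the map cannot hide the evidence.
    """
    per_pid = defaultdict(list)
    for line in lines:
        parsed = parse_execmethod(line)
        if parsed is None:
            continue
        pid, _ns, cls, method = parsed
        if cls != "StdRegProv" or method not in STDREGPROV_WRITE_METHODS:
            continue
        per_pid[pid].append(method)
    findings = []
    for pid in sorted(per_pid):
        image = pid_to_image.get(pid)
        findings.append({
            "pid": pid,
            "image": image,
            "methods": sorted(set(per_pid[pid])),
            "suspect": image is not None and image.lower() in SUSPECT_HOSTS,
        })
    return findings

# Constructed sample: mirrors the methods the report lists for PIDs 6856 and
# 6932, plus a benign write from a service host to show the baseline case.
SAMPLE_TRACE = [
    "ClientProcessId = 6856; Operation = Start IWbemServices::ExecMethod - root\\default : StdRegProv::GetStringValue",
    "ClientProcessId = 6856; Operation = Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetDWORDValue",
    "ClientProcessId = 6856; Operation = Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetBinaryValue",
    "ClientProcessId = 6856; Operation = Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetStringValue",
    "ClientProcessId = 6932; Operation = Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetDWORDValue",
    "ClientProcessId = 6932; Operation = Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetBinaryValue",
    "ClientProcessId = 6932; Operation = Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetStringValue",
    "ClientProcessId = 1104; Operation = Start IWbemServices::ExecMethod - root\\default : StdRegProv::SetStringValue",
    "ClientProcessId = 1104; Operation = Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_OperatingSystem",
]
SAMPLE_PROCESSES = {6856: "loaddll32.exe", 6932: "rundll32.exe", 1104: "svchost.exe"}

if __name__ == "__main__":
    for f in find_wmi_registry_writes(SAMPLE_TRACE, SAMPLE_PROCESSES):
        flag = "ALERT" if f["suspect"] else "info "
        print(f"{flag} pid={f['pid']} {f['image']} {','.join(f['methods'])}")
```

StdRegProv is also used by legitimate management tooling (configuration management agents, logon scripts, PowerShell's registry cmdlets through CIM), so the host list has to be baselined per environment; the point of the check is the combination of a registry-writing WMI method with a process that should not be configuring the machine.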
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D491A44 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D491996 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4923A5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00815A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0081B1A5 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D492184
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4BD1F0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4BA260
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4D8559
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4CEDC4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4CC5EB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4B99A0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4DA1BF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4D8015
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C68E0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4BDA30
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4D7AD1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0081888E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00813EE1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0081AF80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4BD1F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4BA260
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4D8559
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4CEDC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4CC5EB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4B99A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4DA1BF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4D8015
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4C68E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4BDA30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4D7AD1
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6D4C9D10 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D4C9D10 appears 49 times
Source: c36.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal84.troj.winDLL@34/91@25/13
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0081A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7933872F-E0BA-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFA4B211933831C46D.TMP
Source: c36.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
Source: c36.dll | Virustotal: Detection: 7%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c36.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Division
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7064 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:244 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4780 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5592 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2016 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4624 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5432 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: c36.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb | source: loaddll32.exe, 00000000.00000002.1018511227.000000006D4DB000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.1019307465.000000006D4DB000.00000002.00020000.sdmp, c36.dll
Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c36.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D491BAC LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D492173 push ecx; ret at 0_2_6D492183
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D492120 push ecx; ret at 0_2_6D492129
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C9D55 push ecx; ret at 0_2_6D4C9D68
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A1511 push es; ret at 0_2_6D4A156F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A1F3E push ds; ret at 0_2_6D4A1F42
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A27B2 push edi; retf at 0_2_6D4A27B4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C7255 push ecx; ret at 0_2_6D4C7268
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4F3501 push eax; ret at 0_2_6D4F3531
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4F678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd at 0_2_6D4F67A1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4F3580 push eax; ret at 0_2_6D4F3531
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4F5803 push dword ptr [edi]; ret at 0_2_6D4F5810
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4F58DE push ebx; retf at 0_2_6D4F58E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4F60AF push 5DC4E471h; iretd at 0_2_6D4F60B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0081ABC0 push ecx; ret at 4_2_0081ABC9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0081AF6F push ecx; ret at 4_2_0081AF7F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4C9D55 push ecx; ret at 4_2_6D4C9D68
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4A1511 push es; ret at 4_2_6D4A156F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4A5779 push esp; iretd at 4_2_6D4A577D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4A670E pushad; retf at 4_2_6D4A6715
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4A1F3E push ds; ret at 4_2_6D4A1F42
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4A27B2 push edi; retf at 4_2_6D4A27B4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4A59A9 push esp; ret at 4_2_6D4A59B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4C7255 push ecx; ret at 4_2_6D4C7268
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4F3501 push eax; ret at 4_2_6D4F3531
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4F678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd at 4_2_6D4F67A1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4F3580 push eax; ret at 4_2_6D4F3531
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4F5803 push dword ptr [edi]; ret at 4_2_6D4F5810
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4F58DE push ebx; retf at 4_2_6D4F58E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4F60AF push 5DC4E471h; iretd at 4_2_6D4F60B9
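The native-API evidence earlier in this section is more telling than the isolated function addresses: NtCreateSection in one routine and NtMapViewOfSection in another are the two halves of section-mapping injection (the payload is written to a section and mapped into the target instead of WriteProcessMemory), the NtOpenProcess / NtOpenProcessToken / NtQueryInformationToken x3 chain inspects a target process's token before touching it, and CreateToolhelp32Snapshot / Process32First / Process32Next is how the target is chosen. The script below is an added example (not Joe Sandbox code and not the sample's own logic) that turns "Code function" lines in the shape this report prints into such chain findings. Chain names and the sample lines are constructed for illustration; the API names come from the report.

```python
"""Match ordered Windows API call chains in sandbox 'Code function' evidence.

Added example for this report; it is not Joe Sandbox code. It reads lines in
the shape the report prints ("Source: <process> Code function: <id> <api>,<api>,...")
and looks for known chains. Chain names and the sample lines below are
constructed for illustration; the API names come from the report.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>[\w,]+)"
)
FN_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")

# Ordered chains matched as a subsequence inside one function: the APIs must
# appear in this order, but unrelated calls may sit between them.
FUNCTION_CHAINS = {
    "token/integrity inspection": ["NtOpenProcess", "NtOpenProcessToken", "NtQueryInformationToken"],
    "process enumeration": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"],
    "dynamic import resolution": ["LoadLibraryA", "GetProcAddress"],
}

# Unordered sets matched across all functions of one process, for primitives
# that loaders split over several routines (the section is created in one
# function and mapped into the target in another).
PROCESS_SETS = {
    "section-mapping injection primitives": {"NtCreateSection", "NtMapViewOfSection"},
}

def parse_code_function_line(line):
    """Return (process, function_id, [apis]) or None if the line carries no API list."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # The report repeats the function id after the API list; drop that token.
    apis = [t for t in m["apis"].split(",") if t and not FN_ID_RE.match(t)]
    if not apis:
        return None
    return m["proc"], m["fn"], apis

def is_subsequence(needle, hay):
    """True if every item of needle occurs in hay in order (gaps allowed)."""
    it = iter(hay)
    return all(api in it for api in needle)

def match_api_chains(lines):
    """Return findings as dicts: process, function (None for process-wide), pattern."""
    per_fn = {}
    per_proc = defaultdict(set)
    for line in lines:
        parsed = parse_code_function_line(line)
        if parsed is None:
            continue
        proc, fn, apis = parsed
        per_fn[(proc, fn)] = apis
        per_proc[proc].update(apis)
    findings = []
    for (proc, fn), apis in per_fn.items():
        for name, chain in FUNCTION_CHAINS.items():
            if is_subsequence(chain, apis):
                findings.append({"process": proc, "function": fn, "pattern": name})
    for proc, seen in per_proc.items():
        for name, needed in PROCESS_SETS.items():
            if needed <= seen:
                findings.append({"process": proc, "function": None, "pattern": name})
    return findings

# Constructed sample: copies of evidence lines from this report's System
# Summary section, one of them fused the way the page renders it and one
# without an API list (it must be skipped, not misparsed).
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D491A44 NtMapViewOfSection,0_2_6D491A44",
    r"Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D491996 GetProcAddress,NtCreateSection,memset",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00815A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,4_2_00815A27",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0081A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle",
    r"Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D491BAC LoadLibraryA,GetProcAddress",
    r"Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4921840_2_6D492184",
]

if __name__ == "__main__":
    for f in match_api_chains(SAMPLE_LINES):
        where = f["function"] or "process-wide"
        print(f"{f['process'].rsplit(chr(92), 1)[-1]:14} {where:14} {f['pattern']}")
```

The subsequence rule is deliberate: a compiler will interleave error handling and bookkeeping between the calls, so requiring the APIs to be adjacent would miss the chain, while requiring only that they all appear somewhere in the function would match far too much.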

            Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.910366216.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.790900009.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.790960793.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.910522567.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.910307395.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.790850525.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.790877212.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.790821624.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.910457867.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1018360128.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.910423038.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.790930892.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.910544336.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.790783444.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.910564992.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.910494134.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.790740831.0000000003628000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6932, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D491BAC LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4F434D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4F427C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4F3E83 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4F434D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4F427C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4F3E83 push dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4C27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4C4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4C6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4C6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
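Two of the signature groups above need reading with care. The IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess sequence, and its _abort / __NMSG_WRITE / _raise neighbours, is the shape of the statically linked MSVC C runtime's fault-reporting path (the abort and invalid-parameter handlers), which calls IsDebuggerPresent only to decide whether to leave the crash to an attached debugger; by itself it is compiler boilerplate, not anti-debugging written by the author. The direct fs:[30h] reads at 6D4F434D, 6D4F427C and 6D4F3E83 are the stronger evidence, because code that fetches the PEB pointer inline is almost always about to read BeingDebugged, NtGlobalFlag or the loader list. Likewise, in the push/ret list under System Summary, only the plain push reg; ret and push imm32; ret forms are plausible control-flow obfuscation; push es; ret, push 5DC4E471h; iretd and push dword ptr [ebx+ecx+36B6D5EAh]; iretd make no sense in flat 32-bit code and are what a linear disassembler produces when it runs through data or encrypted bytes. The scanner below is an added example (not Joe Sandbox code and not the sample's own logic) that applies both distinctions to a raw code buffer; the buffer and image base are constructed for the demo.

```python
"""Scan raw x86 code for push/ret disguised jumps and PEB (fs:[30h]) reads.

Added example for this report; it is not code from the sample or from Joe
Sandbox. It takes a byte buffer such as a dumped .text section. The buffer
and the image base below are constructed for the demo.
"""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # push r32 = 50h+reg
SEG_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RETS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

# fs:[30h] is the 32-bit PEB pointer; the access that follows names the field.
PEB_READS = [
    (b"\x64\xa1\x30\x00\x00\x00", "mov eax, dword ptr fs:[30h]"),
    (b"\x64\xff\x35\x30\x00\x00\x00", "push dword ptr fs:[30h]"),
]
PEB_FIELD_USES = [
    (b"\x0f\xb6\x40\x02", "PEB.BeingDebugged"),   # movzx eax, byte ptr [eax+2]
    (b"\x8a\x40\x02", "PEB.BeingDebugged"),       # mov al, byte ptr [eax+2]
    (b"\x8b\x40\x68", "PEB.NtGlobalFlag"),        # mov eax, dword ptr [eax+68h]
    (b"\x8b\x40\x0c", "PEB.Ldr"),                 # mov eax, dword ptr [eax+0Ch]
]

def scan_push_ret(buf, base):
    """Find push/ret pairs and resolve the target where it is an immediate.

    'push imm32; ret' is a jmp written to defeat static call-graph recovery;
    the immediate is the real target. 'push r32; ret' jumps through a
    register, so the target is only known at run time. A pair ending in
    retf/iretd, or pushing a segment register, makes no sense in flat 32-bit
    code and is marked junk: it is almost always the disassembler walking
    through data or encrypted bytes. The walk is byte-linear, so hits inside
    immediates of other instructions are possible and must be confirmed.
    """
    hits, i = [], 0
    while i < len(buf):
        op = buf[i]
        if op == 0x68 and i + 5 < len(buf) and buf[i + 5] in RETS:
            target = struct.unpack_from("<I", buf, i + 1)[0]
            hits.append({"va": base + i, "form": f"push 0x{target:08X}; {RETS[buf[i + 5]]}",
                         "target": target, "junk": buf[i + 5] != 0xC3})
            i += 6
        elif (0x50 <= op <= 0x57 or op in SEG_PUSH) and i + 1 < len(buf) and buf[i + 1] in RETS:
            reg = SEG_PUSH.get(op) or REGS[op - 0x50]
            hits.append({"va": base + i, "form": f"push {reg}; {RETS[buf[i + 1]]}",
                         "target": None, "junk": buf[i + 1] != 0xC3 or op in SEG_PUSH})
            i += 2
        else:
            i += 1
    return hits

def scan_peb_reads(buf, base, window=16):
    """Find fs:[30h] reads and name the PEB field touched within `window` bytes."""
    hits = []
    for pat, asm in PEB_READS:
        start = 0
        while (i := buf.find(pat, start)) != -1:
            after = buf[i + len(pat): i + len(pat) + window]
            field = next((name for fpat, name in PEB_FIELD_USES if fpat in after), "unknown field")
            hits.append({"va": base + i, "form": asm, "field": field})
            start = i + 1
    return sorted(hits, key=lambda h: h["va"])

BASE = 0x6D4F0000  # assumed image base for the demo
# Constructed code buffer containing the idioms the report lists.
SAMPLE_CODE = (
    b"\x55\x8b\xec"                      # push ebp; mov ebp, esp   (ordinary prologue)
    b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]
    b"\x0f\xb6\x40\x02"                  # movzx eax, byte ptr [eax+2]   -> BeingDebugged
    b"\x85\xc0"                          # test eax, eax
    b"\x68\x78\x56\x34\x12\xc3"          # push 12345678h; ret   (disguised jmp)
    b"\x51\xc3"                          # push ecx; ret         (jump through register)
    b"\x64\xff\x35\x30\x00\x00\x00"      # push dword ptr fs:[30h]
    b"\x58"                              # pop eax
    b"\x8b\x40\x0c"                      # mov eax, [eax+0Ch]    -> PEB.Ldr
    b"\x06\xc3"                          # push es; ret          (junk-looking)
    b"\x68\x71\xe4\xc4\x5d\xcf"          # push 5DC4E471h; iretd (the report's junk form)
    b"\x90\x90"
)

if __name__ == "__main__":
    for h in scan_push_ret(SAMPLE_CODE, BASE):
        tag = "junk " if h["junk"] else "jump "
        print(f"{tag}{h['va']:08X} {h['form']}")
    for h in scan_peb_reads(SAMPLE_CODE, BASE):
        print(f"peb  {h['va']:08X} {h['form']} -> {h['field']}")
```

Run over the dumped .text of the DLL at its load base, the push/ret scanner gives the resolved targets for the immediate forms so they can be followed in the disassembler, and the junk flag separates the real obfuscation from data the sandbox's linear sweep misread; the PEB scanner tells whether a given fs:[30h] read is a debugger check or ordinary module walking.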