
Windows Analysis Report 1c8.dll

Overview

General Information

Sample Name: 1c8.dll
Analysis ID: 448651
MD5: 1c87b3ebc5ddf8f53e585b3cf8f74f47
SHA1: 4579705a3e0e8b644fcf30d4c79456b0e4f669b8
SHA256: f2dfc3562e150ca045557559269c3c21531bb85292864109fd2ceca4fe0f1ea9
Tags: dll, gozi

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6956 cmdline: loaddll32.exe 'C:\Users\user\Desktop\1c8.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6964 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6988 cmdline: rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6972 cmdline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Clockcondition MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7048 cmdline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Dogwhen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7064 cmdline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Sing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7096 cmdline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Wholegray MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5828 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2284 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6980 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.849775483.0000000003618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.848756217.0000000004EB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.849876753.0000000003618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.850076693.0000000003618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000003.00000003.848724837.0000000004EB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000003.766216360.00000000010C0000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 1c8.dll | Metadefender: Detection: 22%
Source: 1c8.dll | ReversingLabs: Detection: 60%
Source: 1c8.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 1c8.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb | source: loaddll32.exe, 00000000.00000002.920236216.000000006D414000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.922133756.000000006D414000.00000002.00020000.sdmp, 1c8.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49741 -> 40.97.128.194:80
Source: Joe Sandbox View | IP Address: 40.97.128.194
Source: Joe Sandbox View | IP Address: 52.97.232.194
Source: global traffic | HTTP traffic detected:
  GET /grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/tYMT5RnKSeCB9jBg/3iH6euhlA_2FGYG/rhrfnjjJUD3Y1TDXr8/g3m2c4nF8/bM6OTpEkWKHOq9wInEON/2HRIvyEq85fMK7VnDSk/ESY1C1z2RWNeT9llxDcxvu/GKJMCp_2FJD6L/hm1dCsQj.grow HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: outlook.com
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: outlook.com
Source: ~DF547E5E23E7DFF857.TMP.12.dr, {0A0F511C-E4AA-11EB-90EB-ECF4BBEA1588}.dat.12.dr | String found in binary or memory: https://outlook.office365.com/grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/t
Source: ~DF4099CF7A12250C28.TMP.12.dr, {0A0F511E-E4AA-11EB-90EB-ECF4BBEA1588}.dat.12.dr | String found in binary or memory: https://outlook.office365.com/grower/iSa3U_2FCrZy/TdWTQggM2F_/2F4Qd7iLvOzuNw/Q11HFiIe_2BP9wOCf9bSc/9
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.849775483.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848756217.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.849876753.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.850076693.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848724837.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848569421.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.850098978.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848820548.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.919640780.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.850034271.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848847828.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848790447.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848684716.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.849999289.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.918801492.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.848623660.0000000004EB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.849834165.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.849965613.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6988, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6956, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif (same memory dump matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1996 GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1A44 NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D23A5 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01175A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117B1A5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008A5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AB1A5 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C25A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C2B1A5 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D2184
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117AF80
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117888E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01173EE1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3F17B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4005E5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D400DB8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D40BE61
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D404E00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4109C8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4088B7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008A888E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008A3EE1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AAF80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D3F17B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4005E5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D400DB8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D40BE61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D404E00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4109C8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4088B7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C23EE1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C2888E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C2AF80
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6D403290 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D403290 appears 39 times
Source: C:\Windows\System32\loaddll32.exe | Section loaded: sxs.dll
Source: classification engine | Classification label: mal80.troj.winDLL@18/7@6/4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A0F511A-E4AA-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF34CE60BF8360E948.TMP
Source: 1c8.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Clockcondition
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\1c8.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Clockcondition
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Sing
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1c8.dll,Wholegray
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1c8.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1c8.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1BAC LoadLibraryA,GetProcAddress,
Source: 1c8.dll | Static PE information: real checksum: 0x6292a should be: 0x64320
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D2120 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D2173 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117AF6F push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0117ABC0 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3FDE07 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3E103D push cs; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4032D5 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3E2AD8 push edx; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AD23C push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AD1B0 push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AABC0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AD14D push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_008AAF6F push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D3FDE07 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D3E103D push cs; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4032D5 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C2ABC0 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04C2AF6F push ecx; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif (same memory dump matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D40AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D40AFAC ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D3D1BAC LoadLibraryA,GetProcAddress,
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D42E2D8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D42E207 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D42DE0E push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D42E2D8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D42E207 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D42DE0E push dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D403484 GetProcessHeap,
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D3FFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6D3FFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
            Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.918436125.0000000001550000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.919425142.0000000003110000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01179135 cpuid
            Source: C:\Windows\System32\loaddll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
            Source: C:\Windows\System32\loaddll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
            Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
            Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,
            Source: C:\Windows\System32\loaddll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
            Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
            Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
            Source: C:\Windows\System32\loaddll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
            Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
            Source: C:\Windows\System32\loaddll32.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
            Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
            Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
            Source: C:\Windows\System32\loaddll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01179135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D3D1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

            Stealing of Sensitive Information:

            Yara detected Ursnif

            Remote Access Functionality:

            Yara detected Ursnif

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 2 | DLL Side-Loading 1 | Process Injection 12 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Process Injection 12 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Security Software Discovery 3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 448651 | Sample: 1c8.dll | Startdate: 14/07/2021 | Architecture: WINDOWS | Score: 80
            Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif
            Process tree: loaddll32.exe (started; signatures: Writes or reads registry keys via WMI, Writes registry values via WMI) -> rundll32.exe (signature: Writes registry values via WMI), cmd.exe -> rundll32.exe, rundll32.exe, 2 other processes; iexplore.exe (started) -> iexplore.exe, iexplore.exe
            DNS/IP info from the iexplore.exe children: outlook.com 40.97.128.194, 443, 49741, 49742 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; ZRH-efz.ms-acdc.office.com 52.97.232.194, 443, 49744, 49745 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 5 other IPs or domains; 52.97.201.226, 443, 49750, 49751 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; www.outlook.com; 3 other IPs or domains

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            1c8.dll | 26% | Metadefender |
            1c8.dll | 61% | ReversingLabs | Win32.Trojan.Ursnif

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            0.2.loaddll32.exe.1170000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
            6.2.rundll32.exe.4c20000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
            3.2.rundll32.exe.8a0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            outlook.com | 40.97.128.194 | true | false | | high
            ZRH-efz.ms-acdc.office.com | 52.97.232.194 | true | false | | high
            www.outlook.com | unknown | unknown | false | | high
            outlook.office365.com | unknown | unknown | false | | high

                    Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://outlook.com/grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/tYMT5RnKSeCB9jBg/3iH6euhlA_2FGYG/rhrfnjjJUD3Y1TDXr8/g3m2c4nF8/bM6OTpEkWKHOq9wInEON/2HRIvyEq85fMK7VnDSk/ESY1C1z2RWNeT9llxDcxvu/GKJMCp_2FJD6L/hm1dCsQj.grow | false | | high

                      URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://outlook.office365.com/grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/t | ~DF547E5E23E7DFF857.TMP.12.dr, {0A0F511C-E4AA-11EB-90EB-ECF4BBEA1588}.dat.12.dr | false | | high
            https://outlook.office365.com/grower/iSa3U_2FCrZy/TdWTQggM2F_/2F4Qd7iLvOzuNw/Q11HFiIe_2BP9wOCf9bSc/9 | ~DF4099CF7A12250C28.TMP.12.dr, {0A0F511E-E4AA-11EB-90EB-ECF4BBEA1588}.dat.12.dr | false | | high

                          Contacted IPs

                          Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            40.97.128.194 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            52.97.232.194 | ZRH-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            52.97.232.210 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            52.97.201.226 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

                          General Information

            Joe Sandbox Version: 33.0.0 White Diamond
            Analysis ID: 448651
            Start date: 14.07.2021
            Start time: 15:45:17
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 9m 4s
            Hypervisor based Inspection enabled: false
            Report type: light
            Sample file name: 1c8.dll
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of new started processes analysed: 24
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal80.troj.winDLL@18/7@6/4
            EGA Information: Failed
                          HDC Information:
                          • Successful, ratio: 25% (good quality ratio 23.8%)
                          • Quality average: 79.6%
                          • Quality standard deviation: 28.5%
                          HCA Information:
                          • Successful, ratio: 77%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found application associated with file extension: .dll
                          Warnings:
                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                          • TCP Packets have been reduced to 100
                          • Excluded IPs from analysis (whitelisted): 168.61.161.212, 13.64.90.137, 13.88.21.125, 23.54.113.53, 23.0.174.200, 23.0.174.185, 20.50.102.62, 2.18.105.186, 20.82.209.183, 23.10.249.43, 23.10.249.26, 152.199.19.161, 20.54.7.98, 40.112.88.60, 20.54.104.15
                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
            • Not all processes were analyzed; the report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.

                          Simulations

                          Behavior and APIs

            Time | Type | Description
            15:47:11 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          40.97.128.194http://outlook.com/owa/airmasteraustralia.onmicrosoft.comGet hashmaliciousBrowse
                          • outlook.com/owa/airmasteraustralia.onmicrosoft.com
                          52.97.232.194c36.dllGet hashmaliciousBrowse
                            Signed pages of agreement copy.htmlGet hashmaliciousBrowse
                              http://YUEipfm.zackgillum.com/%40120%40240%40#james.kelsaw@puc.texas.govGet hashmaliciousBrowse
                                https://microsoft-quarantine.df.r.appspot.com/Get hashmaliciousBrowse
                                  Fund Transfer PDF.htmGet hashmaliciousBrowse
                                    http://portal.payrolltooling.net/?id=vpqyydl7ZnKtU4usMGPqUQPtxkGlU49Be%2BH%2BAigE5ucTWat3Eej8US2xdckdOu0iDpwQIwMYKl9DLP2pKOIwIWa7isWu4stPeMJ%2BbSSC%2BrsVtg8U%2BWD1tF4Bc3%2FtEr3hJI4S3OomSDlwnU2PwUDgbmdkRVrT8Jiy8Xe4bfQ0dyp5k2o%2Bf2eztEQzNsZlKz0xjWSRZcdjYCg9vWmNNNSvSwsWNybr8UBeONKYmj4PdCOwhNBWdvur%2BK4Wx1bqcPE26q7z8kpyQ4hJ2vOCvXmdlnZ37w0%2BAGvM3H2V03OaxIsBHrlCuyiPhQWq8qdKOB4lg1EmFibK759dnK%2FawF2z6INf5IJhbtrbLVkWA6i%2FuckBPOJvVXHWYj5SHhB8X%2FZzGet hashmaliciousBrowse
                                      P.I Officewears 28.07.2020.exeGet hashmaliciousBrowse
                                        http://wcladr.atoo.xyz/%407499%401289%40#rhys.hodge@2sfg.comGet hashmaliciousBrowse
                                          https://angularjs-xcyejc.stackblitz.io/Get hashmaliciousBrowse
                                            https://office365-0nedrive-portal.el.r.appspot.com/Get hashmaliciousBrowse
                                              https://austeamatic-my.sharepoint.com/:f:/g/personal/wspence_steamatic_com_au/ElyRIyMAVJtHn6FFuMTMYowBrq7r9BGosqf6VblEm4AzkA?e=S5Qh6cGet hashmaliciousBrowse
                                                https://xlelectricals.com/dolex/offices/index.phpGet hashmaliciousBrowse
                                                  https://firebasestorage.googleapis.com/v0/b/j3q3d3sqsuuser.appspot.com/o/index.htm?alt=media&token=a6ff4f2d-2706-4fc4-bf56-5796926e37ef#cathyc@stockland.com.auGet hashmaliciousBrowse
                                                    https://jetlow.z19.web.core.windows.net/#is@loreal.comGet hashmaliciousBrowse

Domains

Match | Associated Sample Name / URL | Detection | Context
outlook.com | uLTvM5APNY.exe | malicious | 40.93.207.0
outlook.com | oEE058tCoG.exe | malicious | 40.93.207.1
outlook.com | 2Bmv1UZL2m.exe | malicious | 52.101.24.0
outlook.com | oS4iWYYsx7.exe | malicious | 104.47.53.36
outlook.com | P4SRvI1baM.exe | malicious | 104.47.54.36
outlook.com | 051y0i7M8q.exe | malicious | 40.93.207.0
outlook.com | lEbR9gFgLr.exe | malicious | 104.47.54.36
outlook.com | 0OvBoFRzgC.exe | malicious | 104.47.54.36
ZRH-efz.ms-acdc.office.com | c36.dll | malicious | 52.97.186.114
ZRH-efz.ms-acdc.office.com | c36.dll | malicious | 52.98.163.18
ZRH-efz.ms-acdc.office.com | Signed pages of agreement copy.html | malicious | 52.97.232.194
ZRH-efz.ms-acdc.office.com | PI_DRAFT.exe | malicious | 52.97.186.114
ZRH-efz.ms-acdc.office.com | moog_invoice_Wednesday 02242021._xslx.hTML | malicious | 52.97.201.210
ZRH-efz.ms-acdc.office.com | https://app.box.com/s/yihmp2wywbz9lgdbg26g3tc1piwkalab | malicious | 52.97.232.210
ZRH-efz.ms-acdc.office.com | http://resa.credit-financebank.com/donc/dcn/?email=bWNnaW5udEByZXNhLm5ldA== | malicious | 52.97.201.242
ZRH-efz.ms-acdc.office.com | https://loginpro-288816.ew.r.appspot.com/#joshua.kwon@ttc.ca | malicious | 52.97.186.98
ZRH-efz.ms-acdc.office.com | http://YUEipfm.zackgillum.com/%40120%40240%40#james.kelsaw@puc.texas.gov | malicious | 52.97.232.194
ZRH-efz.ms-acdc.office.com | https://microsoft-quarantine.df.r.appspot.com/ | malicious | 52.97.232.194
ZRH-efz.ms-acdc.office.com | https://storage.googleapis.com/atotalled-370566990/index.html | malicious | 52.97.186.18
ZRH-efz.ms-acdc.office.com | https://login-microsoft-office365-auth.el.r.appspot.com/login.microsoftonline.com/common/oauth2/authorize=vNews2&email=microsoftonline.com/common/oauth2/authorize&hashed_email=Y7XY6XCZJ3R4T4MN&utm_campaign=phx_trigger_uk_pop_email4&utm_source=photobox&utm_medium=email&uid=4978854645473&brandName=Photobox#helen@rhdb.com.au | malicious | 52.97.232.242
ZRH-efz.ms-acdc.office.com | https://clicktime.symantec.com/3LNDmLN9vLnK1LqGUDBbkAD6H2?u=https%3A%2F%2Foutlook.office.com%2Fmail%2Fsearch%2Fid%2Fnscglobal.com | malicious | 52.97.232.226
ZRH-efz.ms-acdc.office.com | https://luminous-cubist-288118.df.r.appspot.com/#lilja.b.einarsdottir@landsbankinn.is | malicious | 52.97.232.226
ZRH-efz.ms-acdc.office.com | https://u4882271.ct.sendgrid.net/ls/click?upn=YFyCGXB2k7XEs51EAWvRp-2BQ6xaP5-2Bxv1vyI4sITyTp6VhtJSyiu7Ungt4CUf7KdGeEBPZ7lJ0WMtGrW3-2F8wXB5kIqpkSCZwccYVceognA2U-3D57Rw_kfZ8cLppmcXDuIHKWdMrLPt30SkBa8ipQz83IjjYGp9c2flQixqYXWN470AqCFO8g1yhSwMHhN8-2BJK0vTLNC61PkTeWIrAs821yYsBfCbuclR33OfNLncv-2FtXraICcEYo4WPVv8iupWN7r8K4Ld3UpsglQggrT98vACCXZNhqlBcQYKLRD-2BBljUb02MnMpFHKiH9-2BP5uH3bAOFC4VOgSpVi86N1p2cxRMZF5Xkh4ZdU-3D | malicious | 52.97.186.114
ZRH-efz.ms-acdc.office.com | https://share-ointonlinekcjl5cj5k.et.r.appspot.com/#I.Artolli@sbm.mc | malicious | 52.97.186.18
ZRH-efz.ms-acdc.office.com | Fund Transfer PDF.htm | malicious | 52.97.232.194
ZRH-efz.ms-acdc.office.com | http://outlook.com/owa/airmasteraustralia.onmicrosoft.com | malicious | 52.97.232.226
ZRH-efz.ms-acdc.office.com | http://portal.payrolltooling.net/?id=vpqyydl7ZnKtU4usMGPqUQPtxkGlU49Be%2BH%2BAigE5ucTWat3Eej8US2xdckdOu0iDpwQIwMYKl9DLP2pKOIwIWa7isWu4stPeMJ%2BbSSC%2BrsVtg8U%2BWD1tF4Bc3%2FtEr3hJI4S3OomSDlwnU2PwUDgbmdkRVrT8Jiy8Xe4bfQ0dyp5k2o%2Bf2eztEQzNsZlKz0xjWSRZcdjYCg9vWmNNNSvSwsWNybr8UBeONKYmj4PdCOwhNBWdvur%2BK4Wx1bqcPE26q7z8kpyQ4hJ2vOCvXmdlnZ37w0%2BAGvM3H2V03OaxIsBHrlCuyiPhQWq8qdKOB4lg1EmFibK759dnK%2FawF2z6INf5IJhbtrbLVkWA6i%2FuckBPOJvVXHWYj5SHhB8X%2FZz | malicious | 52.97.232.194
ZRH-efz.ms-acdc.office.com | okayfreedomwr.exe | malicious | 52.97.232.194

ASN

Match | Associated Sample Name / URL | Detection | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS | uLTvM5APNY.exe | malicious | 104.47.54.36
MICROSOFT-CORP-MSN-AS-BLOCKUS | X7FqAeP3oE.exe | malicious | 104.42.151.234
MICROSOFT-CORP-MSN-AS-BLOCKUS | 8944848MNBV.exe | malicious | 23.101.8.193
MICROSOFT-CORP-MSN-AS-BLOCKUS | 5odgesjcMa.exe | malicious | 168.61.161.212
MICROSOFT-CORP-MSN-AS-BLOCKUS | Horodlsjjdrxysbousfnmraroywkyeqrjq.exe | malicious | 20.80.51.178
MICROSOFT-CORP-MSN-AS-BLOCKUS | Hond.exe | malicious | 168.61.161.212
MICROSOFT-CORP-MSN-AS-BLOCKUS | 6dCudgmxKY.exe | malicious | 104.42.151.234
MICROSOFT-CORP-MSN-AS-BLOCKUS | SIeDLrXyLs.exe | malicious | 20.194.35.6
MICROSOFT-CORP-MSN-AS-BLOCKUS | cCEP3pyVp8.exe | malicious | 13.64.90.137
MICROSOFT-CORP-MSN-AS-BLOCKUS | codes.zip.exe | malicious | 52.239.214.132
MICROSOFT-CORP-MSN-AS-BLOCKUS | Qyqcfpjnkpfztrximioqcwcfursbkeatda.exe | malicious | 20.80.30.45
MICROSOFT-CORP-MSN-AS-BLOCKUS | HQZzLlAZjR.exe | malicious | 20.151.200.9
MICROSOFT-CORP-MSN-AS-BLOCKUS | HQZzLlAZjR.exe | malicious | 20.151.200.9
MICROSOFT-CORP-MSN-AS-BLOCKUS | 31Ov8DqdkE.exe | malicious | 157.56.161.162
MICROSOFT-CORP-MSN-AS-BLOCKUS | c36.dll | malicious | 52.97.232.194
MICROSOFT-CORP-MSN-AS-BLOCKUS | c36.dll | malicious | 52.98.163.18
MICROSOFT-CORP-MSN-AS-BLOCKUS | 2oxhsHaX3D.exe | malicious | 13.107.4.50
MICROSOFT-CORP-MSN-AS-BLOCKUS | iKcDLx5Wxc.exe | malicious | 104.43.139.144
MICROSOFT-CORP-MSN-AS-BLOCKUS | r6.zip.exe | malicious | 52.239.214.132
MICROSOFT-CORP-MSN-AS-BLOCKUS | recovered_bin2 | malicious | 52.228.135.155

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0A0F511A-E4AA-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 50344
Entropy (8bit): 2.0059703311922683
Encrypted: false
SSDEEP: 192:rkZn7ZG2JW0t/iffeszMQkB8kDid6coDE7uMsJE7tdELfV9ELtmDqpLmT0DupJFj:rUt94gY2pXkk8KHOohz
MD5: F57C97FB7BBD362FE7E7673DE3468F0B
SHA1: EB35668061617D36F4898660556685F9BB53D2F8
SHA-256: 4AC85D49BC0D65C1620CB0619CE51A99BBBAFA0C845F1C412601F01C95EBD46C
SHA-512: 6E0327CC091324432B94A36F33CB36C6F1C368F57E0A36B33CFF14B298907600F5946DC417257703829B2F6F5DF6FC29AF7D5E2EDDD5ADDB61E1911E2A35EA33
Malicious: false
Reputation: low
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0A0F511C-E4AA-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 27368
Entropy (8bit): 1.8457791105103485
Encrypted: false
SSDEEP: 96:rVZy7Qm6SHBSJjx/21WxkMOi1Bp3+Lx1Bp3+opnA:rVZy7Qm6IkJjB21WGMOi1/0x1/PnA
MD5: 174169A2DC47832FAF2D867313A7C955
SHA1: 5D5DA7C142D63F87ADE749CD6B9B71D9CE561159
SHA-256: DF8991E3F284A5855966524342CEFB94168D3B8E9AD26E231D61F1F0E24B9E3C
SHA-512: 2ED28D5A98E88DDA7A7583F34370126CDDBDA187443956F7BF2B6AADF8B5FA1AC00C1B2DC5988DEE0B83ED190DCC3C96AF546DA2571DB1F905744D2E3C5F93D4
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0A0F511E-E4AA-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 27448
Entropy (8bit): 1.8711021214705452
Encrypted: false
SSDEEP: 96:rkZzQ36dHBSljF/2ZWxkM6yXB5Ct9RXB5CtgIpA:rkZzQ365klj12ZWGM6yXPCPRXPCLpA
MD5: BAA7A8C3820B42D05B560B1293167402
SHA1: 3A5C8319E1A650DA9E3826B1CB003B5D4E14C3EA
SHA-256: 8B485DF077C5DC61A02CFFEFE161BA5F97C2F0BD01630E25B90F34A5B57E2ECC
SHA-512: 0762D2547F2B9C71E91CA1628821A6B175931270248E70F35B27B2B262C8201B3944B2D00848A2A5F017A05ABB96D7DBFACD07109638D54287D01438F5BB7A09
Malicious: false
Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log
Process: C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 89
Entropy (8bit): 4.575366195605629
Encrypted: false
SSDEEP: 3:oVXUtJf0fSIqH8JOGXnEtJf0fSIZun:o9UtJbHqEtJWu
MD5: 8014349F0CD85213AF05E13A1C7A28BA
SHA1: 9B76E3C05F7F406A1876A7121B0E967F9ECC7999
SHA-256: 3D75FBDB39C630D2674A606AB448B0DA54916446659655553255B395A63EF7C9
SHA-512: 00BFD8F50455E2B595693C0EDFDA2107AF7CC296819D7C5BF68F1AE0D6621D7017AE0C22A8B4BE0BDBE60F7EFEEA84CA82AC77E49570DAC0ED08FF6606D0389B
Malicious: false
Preview: [2021/07/14 15:47:36.558] Latest deploy version: ..[2021/07/14 15:47:36.558] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF34CE60BF8360E948.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 13237
Entropy (8bit): 0.5990802949288698
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9lo5S9lo5C9lW5jdSodkrbkrRIZpIdkrRlIflI4opI3:kBqoITFw4yt3y+c
MD5: CF1187ECDBD8B9908C9095F68448FA82
SHA1: C4F49BABEF42F0DE41A9A8D192089BD294E85D14
SHA-256: 9BA9D7F60EF1BB59B86E61C97F7AE74EB2A3321F74A3BB2AFF63374E0C445878
SHA-512: 5E84D9401E3A339E83244E9B57D971996078AC24035720EC19AA7B64315A057CB7C2A5E4E31BB1D7668D1AB7CCDA3108D6B5E38F98D149056D606E97FCBB5347
Malicious: false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF4099CF7A12250C28.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 39793
Entropy (8bit): 0.6010403022687606
Encrypted: false
SSDEEP: 96:kBqoxKAuvScS+rl3elvXB5CtuXB5Ct+XB5Ct3:kBqoxKAuqR+rl3elvXPCkXPCkXPCl
MD5: 916D13B1C24E6684762AEA216EDFF0C8
SHA1: 652AFFF739BCB43469B6634845886A812D8C8DB9
SHA-256: 3DE7C9F9BF32CECC63E08550EB03BD3E7C07E4BE9EDEF25F1950344E6068C83D
SHA-512: 0D09617C0ED850477EB3CAD5139192E5C262A5FBB3F673CE6BD3045220B5AD12B80734168207C71B9F7A8882399D178838D0D4D2A8A74101D97B2FDE138F6880
Malicious: false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF547E5E23E7DFF857.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 39633
Entropy (8bit): 0.5737482313228344
Encrypted: false
SSDEEP: 96:kBqoxKAuvScS+V75orx1Bp3+21Bp3+G1Bp3+f:kBqoxKAuqR+V75orx1/r1/P1/0
MD5: 8372FA922F29C6FF220E91EA8518AD3A
SHA1: 91642AC1B702D64507C81B455900FE9D6B1379B9
SHA-256: 2C61D084A08B479BA64D04E715E209E80CF0BC676F7556D826E76949895A492E
SHA-512: 0FDECF97F2E645DB6DCBF6224471C2FEB79EF4E9610584756F00DD95748A19607E0AE22F183DA3BAAC4DBA21EAC94ECE1056ADE81B5C6D2F47B17EEB264C6D75
Malicious: false
Preview: .............................*%..H..M..{y..+.0...(................... ...............................................*%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.657194179381326
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 1c8.dll
File size: 381440
MD5: 1c87b3ebc5ddf8f53e585b3cf8f74f47
SHA1: 4579705a3e0e8b644fcf30d4c79456b0e4f669b8
SHA256: f2dfc3562e150ca045557559269c3c21531bb85292864109fd2ceca4fe0f1ea9
SHA512: 0a1e8a5afd02216b2b0f08c9c8b5866938c6c66bdc902501aeb2b0dc4a19da7b1018865b4c99628655507a545f507e2aa53d74b0e68f0fd55c979a285a46e026
SSDEEP: 6144:vC8nRa6tXFOspzA7z6NZVeC8i795fubASK9beZTX3l8Eo:J0SVOsp5VWi7PWoBeZTX36
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........~@........................................D...................................................Rich............PE..L......S...

File Icon

Icon Hash: 74f0e4ecccdce0e4

Static PE Info

General

Entrypoint: 0x102cd58
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x1000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5396CBB2 [Tue Jun 10 09:11:14 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 4c29865e356872ef0757b58734cbbb11

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F78DC9C7897h
call 00007F78DC9D2A7Fh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F78DC9C789Ch
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 010591A8h
call 00007F78DC9CDD9Eh
xor eax, eax
inc eax
                                                      mov esi, dword ptr [ebp+0Ch]
                                                      test esi, esi
                                                      jne 00007F78DC9C789Eh
                                                      cmp dword ptr [010F11A4h], esi
                                                      je 00007F78DC9C797Ah
                                                      and dword ptr [ebp-04h], 00000000h
                                                      cmp esi, 01h
                                                      je 00007F78DC9C7897h
                                                      cmp esi, 02h
                                                      jne 00007F78DC9C78C7h
                                                      mov ecx, dword ptr [01052870h]
                                                      test ecx, ecx
                                                      je 00007F78DC9C789Eh
                                                      push dword ptr [ebp+10h]
                                                      push esi
                                                      push dword ptr [ebp+08h]
                                                      call ecx
                                                      mov dword ptr [ebp-1Ch], eax
                                                      test eax, eax
                                                      je 00007F78DC9C7947h
                                                      push dword ptr [ebp+10h]
                                                      push esi
                                                      push dword ptr [ebp+08h]
                                                      call 00007F78DC9C76A6h
                                                      mov dword ptr [ebp-1Ch], eax
                                                      test eax, eax
                                                      je 00007F78DC9C7930h
                                                      mov ebx, dword ptr [ebp+10h]
                                                      push ebx
                                                      push esi
                                                      push dword ptr [ebp+08h]
                                                      call 00007F78DC9BC258h
                                                      mov edi, eax
                                                      mov dword ptr [ebp-1Ch], edi
                                                      cmp esi, 01h
                                                      jne 00007F78DC9C78BAh
                                                      test edi, edi
                                                      jne 00007F78DC9C78B6h
                                                      push ebx
                                                      push eax
                                                      push dword ptr [ebp+08h]
                                                      call 00007F78DC9BC240h
                                                      push ebx
                                                      push edi
                                                      push dword ptr [ebp+08h]
                                                      call 00007F78DC9C766Ch
                                                      mov eax, dword ptr [01052870h]
                                                      test eax, eax
                                                      je 00007F78DC9C7899h
                                                      push ebx
                                                      push edi
                                                      push dword ptr [ebp+08h]
                                                      call eax

                                                      Rich Headers

                                                      Programming Language:
                                                      • [EXP] VS2013 UPD3 build 30723
                                                      • [LNK] VS2013 UPD3 build 30723
                                                      • [ C ] VS2013 build 21005
                                                      • [C++] VS2013 build 21005
                                                      • [ASM] VS2013 build 21005
                                                      • [C++] VS2013 UPD3 build 30723
                                                      • [RES] VS2013 build 21005
                                                      • [IMP] VS2008 SP1 build 30729

                                                      Data Directories

                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597e0 | 0x80 | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x59860 | 0x50 | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x1e0 | .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf5000 | 0x2b1c | .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x44220 | 0x38 | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x57c58 | 0x40 | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x44000 | 0x18c | .rdata
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                      Sections

                                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                       .text | 0x1000 | 0x4211f | 0x42200 | False | 0.619812588611 | data | 6.63194567015 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                       .rdata | 0x44000 | 0x16172 | 0x16200 | False | 0.578919491525 | data | 5.90225736165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .data | 0x5b000 | 0x980ec | 0x1c00 | False | 0.316824776786 | data | 3.9217328811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                       .rsrc | 0xf4000 | 0x1e0 | 0x200 | False | 0.529296875 | data | 4.724728912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .reloc | 0xf5000 | 0x2b1c | 0x2c00 | False | 0.760919744318 | data | 6.67218651592 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                       Name | RVA | Size | Type | Language | Country
                                                       RT_MANIFEST | 0xf4060 | 0x17d | XML 1.0 document text | English | United States

                                                      Imports

                                                       DLL | Import
                                                       KERNEL32.dll | CreateProcessA, GetSystemDirectoryA, GetTempPathA, GetWindowsDirectoryA, GetCurrentDirectoryA, SetSystemPowerState, SetConsoleCP, SetConsoleOutputCP, GetModuleHandleA, CreateFileW, ReadConsoleW, WriteConsoleW, SetStdHandle, OutputDebugStringW, LoadLibraryExW, GetTimeZoneInformation, GetModuleFileNameA, FormatMessageA, GetSystemTimeAsFileTime, GetProcessHeap, VirtualProtect, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, GetLastError, HeapFree, HeapAlloc, RaiseException, RtlUnwind, GetCommandLineA, GetCurrentThreadId, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, IsProcessorFeaturePresent, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ExitProcess, GetModuleHandleExW, HeapSize, GetStdHandle, WriteFile, GetModuleFileNameW, IsDebuggerPresent, IsValidCodePage, GetACP, GetOEMCP, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, CloseHandle, FlushFileBuffers, GetConsoleCP, GetConsoleMode, ReadFile, SetFilePointerEx, SetEnvironmentVariableA
                                                       USER32.dll | GetWindowThreadProcessId, GetSysColorBrush, GetWindowRect, GetClientRect, GetForegroundWindow, CreatePopupMenu, DialogBoxIndirectParamA, CreateDialogIndirectParamA
                                                       GDI32.dll | SetPixel, SelectObject, PatBlt, GetTextExtentPoint32A, StretchBlt

                                                      Exports

                                                       Name | Ordinal | Address
                                                       Clockcondition | 1 | 0x1021070
                                                       Dogwhen | 2 | 0x1021fa0
                                                       Sing | 3 | 0x1022080
                                                       Wholegray | 4 | 0x1022270

                                                      Possible Origin

                                                       Language of compilation system | Country where language is spoken
                                                       English | United States

                                                      Network Behavior

                                                      Snort IDS Alerts

                                                       Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                       07/14/21-15:47:37.828655 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49741 | 80 | 192.168.2.4 | 40.97.128.194

                                                      Network Port Distribution

                                                      TCP Packets


                                                      UDP Packets


DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 14, 2021 15:47:37.643353939 CEST | 192.168.2.4 | 8.8.8.8 | 0xbf05 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.444652081 CEST | 192.168.2.4 | 8.8.8.8 | 0xa503 | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.572945118 CEST | 192.168.2.4 | 8.8.8.8 | 0xc891 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.905317068 CEST | 192.168.2.4 | 8.8.8.8 | 0xd6a8 | Standard query (0) | outlook.com | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.384074926 CEST | 192.168.2.4 | 8.8.8.8 | 0x3e91 | Standard query (0) | www.outlook.com | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.462891102 CEST | 192.168.2.4 | 8.8.8.8 | 0x9459 | Standard query (0) | outlook.office365.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 14, 2021 15:47:37.656598091 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf05 | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:37.656598091 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf05 | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:37.656598091 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf05 | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:37.656598091 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf05 | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:37.656598091 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf05 | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:37.656598091 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf05 | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:37.656598091 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf05 | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:37.656598091 CEST | 8.8.8.8 | 192.168.2.4 | 0xbf05 | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.457087994 CEST | 8.8.8.8 | 192.168.2.4 | 0xa503 | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:38.457087994 CEST | 8.8.8.8 | 192.168.2.4 | 0xa503 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:38.457087994 CEST | 8.8.8.8 | 192.168.2.4 | 0xa503 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:38.457087994 CEST | 8.8.8.8 | 192.168.2.4 | 0xa503 | No error (0) | outlook.ms-acdc.office.com | ZRH-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:38.457087994 CEST | 8.8.8.8 | 192.168.2.4 | 0xa503 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.232.194 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.457087994 CEST | 8.8.8.8 | 192.168.2.4 | 0xa503 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.186.114 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.457087994 CEST | 8.8.8.8 | 192.168.2.4 | 0xa503 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.98.163.18 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.457087994 CEST | 8.8.8.8 | 192.168.2.4 | 0xa503 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.232.210 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.585489035 CEST | 8.8.8.8 | 192.168.2.4 | 0xc891 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:38.585489035 CEST | 8.8.8.8 | 192.168.2.4 | 0xc891 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:38.585489035 CEST | 8.8.8.8 | 192.168.2.4 | 0xc891 | No error (0) | outlook.ms-acdc.office.com | ZRH-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:38.585489035 CEST | 8.8.8.8 | 192.168.2.4 | 0xc891 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.232.210 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.585489035 CEST | 8.8.8.8 | 192.168.2.4 | 0xc891 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.186.114 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.585489035 CEST | 8.8.8.8 | 192.168.2.4 | 0xc891 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.201.210 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.585489035 CEST | 8.8.8.8 | 192.168.2.4 | 0xc891 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.201.226 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.917916059 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6a8 | No error (0) | outlook.com | | 40.97.128.194 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.917916059 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6a8 | No error (0) | outlook.com | | 40.97.156.114 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.917916059 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6a8 | No error (0) | outlook.com | | 40.97.153.146 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.917916059 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6a8 | No error (0) | outlook.com | | 40.97.116.82 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.917916059 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6a8 | No error (0) | outlook.com | | 40.97.161.50 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.917916059 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6a8 | No error (0) | outlook.com | | 40.97.160.2 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.917916059 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6a8 | No error (0) | outlook.com | | 40.97.148.226 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:38.917916059 CEST | 8.8.8.8 | 192.168.2.4 | 0xd6a8 | No error (0) | outlook.com | | 40.97.164.146 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.397406101 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e91 | No error (0) | www.outlook.com | outlook.office365.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:39.397406101 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e91 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:39.397406101 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e91 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:39.397406101 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e91 | No error (0) | outlook.ms-acdc.office.com | ZRH-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:39.397406101 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e91 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.201.226 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.397406101 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e91 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.186.114 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.397406101 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e91 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.232.210 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.397406101 CEST | 8.8.8.8 | 192.168.2.4 | 0x3e91 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.201.242 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.477440119 CEST | 8.8.8.8 | 192.168.2.4 | 0x9459 | No error (0) | outlook.office365.com | outlook.ha.office365.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:39.477440119 CEST | 8.8.8.8 | 192.168.2.4 | 0x9459 | No error (0) | outlook.ha.office365.com | outlook.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:39.477440119 CEST | 8.8.8.8 | 192.168.2.4 | 0x9459 | No error (0) | outlook.ms-acdc.office.com | ZRH-efz.ms-acdc.office.com | | CNAME (Canonical name) | IN (0x0001)
Jul 14, 2021 15:47:39.477440119 CEST | 8.8.8.8 | 192.168.2.4 | 0x9459 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.232.194 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.477440119 CEST | 8.8.8.8 | 192.168.2.4 | 0x9459 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.201.242 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.477440119 CEST | 8.8.8.8 | 192.168.2.4 | 0x9459 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.232.210 | A (IP address) | IN (0x0001)
Jul 14, 2021 15:47:39.477440119 CEST | 8.8.8.8 | 192.168.2.4 | 0x9459 | No error (0) | ZRH-efz.ms-acdc.office.com | | 52.97.201.194 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• outlook.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49741 | 40.97.128.194 | 80 | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp | kBytes transferred | Direction | Data
Jul 14, 2021 15:47:37.828655005 CEST | 1088 | OUT | GET /grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/tYMT5RnKSeCB9jBg/3iH6euhlA_2FGYG/rhrfnjjJUD3Y1TDXr8/g3m2c4nF8/bM6OTpEkWKHOq9wInEON/2HRIvyEq85fMK7VnDSk/ESY1C1z2RWNeT9llxDcxvu/GKJMCp_2FJD6L/hm1dCsQj.grow HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: outlook.com
Connection: Keep-Alive
Jul 14, 2021 15:47:37.960118055 CEST | 1089 | IN | HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://outlook.com/grower/IGPiFOK9TunC/gPtC5_2F4YG/ZzNVH5SYgNPO4r/Psx6BaSL6yLcaujEgpw7P/tYMT5RnKSeCB9jBg/3iH6euhlA_2FGYG/rhrfnjjJUD3Y1TDXr8/g3m2c4nF8/bM6OTpEkWKHOq9wInEON/2HRIvyEq85fMK7VnDSk/ESY1C1z2RWNeT9llxDcxvu/GKJMCp_2FJD6L/hm1dCsQj.grow
Server: Microsoft-IIS/10.0
request-id: cdb1ff5c-81d3-c2f3-3e0b-91fae0e5d451
X-FEServer: DM5PR2201CA0006
X-RequestId: 7db06cb8-a172-45d8-9669-20c12b4c4bcd
X-Powered-By: ASP.NET
X-FEServer: DM5PR2201CA0006
Date: Wed, 14 Jul 2021 13:47:36 GMT
Connection: close
Content-Length: 0


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 15:46:06
Start date: 14/07/2021
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe 'C:\Users\user\Desktop\1c8.dll'
Imagebase: 0x1190000
File size: 116736 bytes
MD5 hash: 542795ADF7CC08EFCF675D65310596E8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.849775483.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.849876753.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.850076693.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.850098978.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.850034271.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.849999289.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.918801492.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.849834165.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.849965613.0000000003618000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:46:06
Start date: 14/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:46:06
Start date: 14/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Clockcondition
Imagebase: 0x10f0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:46:06
Start date: 14/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe 'C:\Users\user\Desktop\1c8.dll',#1
Imagebase: 0x10f0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.848756217.0000000004EB8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.848724837.0000000004EB8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.848569421.0000000004EB8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.848820548.0000000004EB8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.919640780.0000000004EB8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.848847828.0000000004EB8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.848790447.0000000004EB8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.848684716.0000000004EB8000.00000004.00000040.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.848623660.0000000004EB8000.00000004.00000040.sdmp, Author: Joe Security
Reputation: high

General

Start time: 15:46:11
Start date: 14/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Dogwhen
Imagebase: 0x10f0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:46:15
Start date: 14/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Sing
Imagebase: 0x10f0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:46:20
Start date: 14/07/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\1c8.dll,Wholegray
Imagebase: 0x10f0000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:47:32
Start date: 14/07/2021
Path: C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x7ff7704e0000
File size: 823560 bytes
MD5 hash: 6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:47:35
Start date: 14/07/2021
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
Imagebase: 0x8f0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:47:37
Start date: 14/07/2021
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17414 /prefetch:2
Imagebase: 0x8f0000
File size: 822536 bytes
MD5 hash: 071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis