Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 6, 2021, 5:58 p.m.	July 6, 2021, 6 p.m.

Size	372.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`c6bfea479b46b9eb7a69667e0165179f`
SHA256	`62dbfe723197430a3af1ec9262fcd2a5c2bfc8e81b97c313101f0a5388d587fc`
CRC32	`769A7034`
ssdeep	`6144:vC8nRa6tXFOspzA7n6NZVeC8i795fubASK9beZTX3l8Eo:J0SVOsphVWi7PWoBeZTX36`
PDB Path	c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsDLL - (no description) OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\60e40fb428612.dll,Clockcondition
3024
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\60e40fb428612.dll,Dogwhen
2244
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\60e40fb428612.dll,Sing
1512
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\60e40fb428612.dll,Wholegray
2664
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\60e40fb428612.dll,
2884

Name	Response	Post-Analysis Lookup
vuredosite.club	A 37.120.222.6	37.120.222.6
www.outlook.com	A 52.98.51.162 A 40.100.51.18 CNAME outlook.ms-acdc.office.com A 52.98.51.130 CNAME outlook.ha.office365.com CNAME outlook.office365.com CNAME ICN-efz.ms-acdc.office.com A 40.100.49.34 A 40.100.49.210 A 40.100.49.2	52.98.89.34
outlook.com	A 40.97.161.50 A 40.97.160.2 A 40.97.153.146 A 40.97.128.194 A 40.97.116.82 A 40.97.164.146 A 40.97.148.226 A 40.97.156.114	40.97.164.146
auredosite.club	A 37.120.222.61	37.120.222.61
www.redtube.com	A 66.254.114.238 CNAME redtube.com	66.254.114.238
outlook.office365.com	A 52.98.51.162 A 40.100.50.114 CNAME outlook.ms-acdc.office.com CNAME outlook.ha.office365.com A 52.98.51.146 CNAME ICN-efz.ms-acdc.office.com A 40.100.49.34 A 52.98.51.130 A 40.100.49.18 A 52.98.51.178	52.98.83.2

IP Address	Status	Action
164.124.101.2	Active	Moloch
37.120.222.6	Active	Moloch
37.120.222.61	Active	Moloch
40.100.49.210	Active	Moloch
40.100.49.34	Active	Moloch
40.100.50.114	Active	Moloch
40.97.153.146	Active	Moloch
52.98.51.178	Active	Moloch
66.254.114.238	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49228 -> 66.254.114.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 40.100.49.210:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 40.97.153.146:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49212 -> 40.100.49.210:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49243 -> 40.100.49.34:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49218 -> 40.100.49.210:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 40.100.50.114:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49213 -> 40.100.50.114:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 40.100.50.114:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49214 -> 40.100.50.114:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49229 -> 66.254.114.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49217 -> 40.97.153.146:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49242 -> 40.97.153.146:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49225 -> 66.254.114.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 40.100.49.210:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49224 -> 66.254.114.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49233 -> 66.254.114.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49232 -> 66.254.114.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49245 -> 52.98.51.178:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49246 -> 52.98.51.178:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49237 -> 66.254.114.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49238 -> 66.254.114.238:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49244 -> 40.100.49.34:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49211 40.100.49.210:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	e3:59:d7:72:f3:b2:09:bc:b4:5d:a5:2f:8d:12:79:03:6c:99:2e:fb
TLSv1 192.168.56.101:49210 40.97.153.146:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	68:69:94:c9:3f:41:92:43:04:a5:94:7e:97:1d:87:93:ad:1e:fa:c3
TLSv1 192.168.56.101:49212 40.100.49.210:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	e3:59:d7:72:f3:b2:09:bc:b4:5d:a5:2f:8d:12:79:03:6c:99:2e:fb
TLSv1 192.168.56.101:49243 40.100.49.34:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	8e:59:43:4e:03:70:3d:5a:f5:34:42:24:da:21:81:05:01:b1:20:6e
TLSv1 192.168.56.101:49218 40.100.49.210:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	e3:59:d7:72:f3:b2:09:bc:b4:5d:a5:2f:8d:12:79:03:6c:99:2e:fb
TLSv1 192.168.56.101:49220 40.100.50.114:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	62:5d:60:e3:67:32:9f:e7:97:a0:40:42:18:62:65:c8:38:cd:2b:d7
TLSv1 192.168.56.101:49213 40.100.50.114:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	62:5d:60:e3:67:32:9f:e7:97:a0:40:42:18:62:65:c8:38:cd:2b:d7
TLSv1 192.168.56.101:49221 40.100.50.114:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	62:5d:60:e3:67:32:9f:e7:97:a0:40:42:18:62:65:c8:38:cd:2b:d7
TLSv1 192.168.56.101:49214 40.100.50.114:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	62:5d:60:e3:67:32:9f:e7:97:a0:40:42:18:62:65:c8:38:cd:2b:d7
TLSv1 192.168.56.101:49217 40.97.153.146:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	68:69:94:c9:3f:41:92:43:04:a5:94:7e:97:1d:87:93:ad:1e:fa:c3
TLSv1 192.168.56.101:49242 40.97.153.146:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	68:69:94:c9:3f:41:92:43:04:a5:94:7e:97:1d:87:93:ad:1e:fa:c3
TLSv1 192.168.56.101:49219 40.100.49.210:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	e3:59:d7:72:f3:b2:09:bc:b4:5d:a5:2f:8d:12:79:03:6c:99:2e:fb
TLSv1 192.168.56.101:49245 52.98.51.178:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	8e:59:43:4e:03:70:3d:5a:f5:34:42:24:da:21:81:05:01:b1:20:6e
TLSv1 192.168.56.101:49246 52.98.51.178:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	8e:59:43:4e:03:70:3d:5a:f5:34:42:24:da:21:81:05:01:b1:20:6e
TLSv1 192.168.56.101:49244 40.100.49.34:443	C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1	C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=outlook.com	8e:59:43:4e:03:70:3d:5a:f5:34:42:24:da:21:81:05:01:b1:20:6e

Queries for the computername (20 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name:		0
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name:		0
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name:		0
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name:		0
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name:		0
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name:		0
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name:		0
GetComputerNameW July 6, 2021, 5:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name:		0
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name:		0
GetComputerNameW July 6, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1

This executable has a PDB path (1 event)

pdb_path

c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 6, 2021, 5:58 p.m.	stacktrace: 0x736e14c0 0x736e1616 KiUserApcDispatcher+0x25 KiUserCallbackDispatcher-0x8f ntdll+0x1005d @ 0x773b005d LdrInitializeThunk+0x10 RtlInitializeExceptionChain-0x16 ntdll+0x39e59 @ 0x773d9e59 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x736e1fb6 registers.esp: 10678940 registers.edi: 260 registers.eax: 0 registers.ebp: 10678956 registers.edx: 1 registers.ebx: 2001346668 registers.esi: 38242256 registers.ecx: 1990724870	1	0	0

Performs some HTTP requests (16 events)

request	GET http://outlook.com/grower/NGPFCrhlBzT/Jw2TiZi8iifvHo/rqSgG8jqn5QV3VOmrr1nI/_2FsUJsnAdRfYdR7/qLe_2F84lRZZn_2/BmPGdVwBnqQV7OEuXq/xyFIrCvnL/UMwmL0GmidmrTmLNFNcd/P2DKY8iz6cow0mbx_2F/sbJGtbbd_2BGwyI_2Bxw0S/we1LziCYkQ0Cx/_2F0rJ9S/F5wpSAIpNSNFFpRxGE86IR5/pGNpT_2B/dhwihB9uUdXC/0.grow
request	GET http://outlook.com/grower/LbPHPEF4_/2BZMDYmlyUUAIwzdjYlF/IsCiLt23gG2XX0dR8Mg/QIW4lE_2FuyJABPJiQy2_2/BxIjtj_2BJJr_/2BKFSEPm/uM39a7A3gSMfSIZBzC4TJ02/LsKoFEhJ1f/JG7niGi3Pi5y50kbt/gOVmuchXk4qS/sIRcFDw1CZ2/NDEIwheRVvw8JO/MALZOuQCTneqoYkZaMTB7/P_2BRCYmPsNzvA78/UvNGHNdu/PCN.grow
request	GET http://auredosite.club/grower/Rra3zlxR7zMWiivWxnvk03/RkV2y9lC_2Bd0/XhNZR8GP/NJZVBBkxMjnjHaCoFOLD1w4/zTfWnbRB6B/8kkiNzbsBgc1INuUM/Uxy_2B_2FM0q/NnEgFt_2B4F/soJn03X60ILS62/2V5OIf_2F_2FLtQpHnrLx/uA_2F4dcNfzkof4b/ADxxOMhs_2Fa50N/IXVPXT743Pv7qUWt9b/b9_2Fjn8T/e.grow
request	GET http://auredosite.club/grower/t8AjypHnwO6h71YmbjXGTpx/ej_2B_2F6d/Jdn3yxfUvYN4tijpi/YnqB9ivIS_2F/0p6hTDq2gSB/ZkzTd4Bjgg_2FT/LVJMloJMj2t23Q6E1Typz/o0Doo9aGJccGgJi8/7CHSvWKDHjDG_2B/KvBE_2Fvlc0EgipWY3/UnADWVp5Q/rWwJlVapqZTijZgllzvy/6g9SE1MMzW4S6DRKOkZ/RX6rh1iyxycRcN43/I5V2I.grow
request	GET http://vuredosite.club/grower/Chfj9hsaDeXs0R/tFsvi_2By9SJewZBpb0ho/e1dMX20jG3CmCVzn/FB3nLwD9e_2BwoA/mC23TtygtmeXn6ZnoJ/_2B4pSfOj/uWXg_2BqYVGC70EyI6VK/Gtsy3x20uUh2oNCMAM_/2BTMM2tKkjS5vFoYlfoTSc/5w4YbRyEZnClB/dc4ckOkR/Jgwj3c91k_2Bt19eFIlYxx8/BB8Nu5Kfv1/g8FSzUzsfW5/OgCiahi.grow
request	GET http://vuredosite.club/grower/tGpatr1IrHVle34MNp_2BwV/BiQncvOCpX/SzgNxHn40ykWRA74M/9WAEuffVHZa1/zmdjfq3GOBC/WrV59k1EKiwPVD/_2B0KCK2JXuSY6lNUqyYK/8_2BqrTPxHaEJ2mo/ucom_2Br8Luache/KZ_2BqyzD72aPqTj2H/Uf1VfcvQM/SbX9eKEQ_2Fne8rlKJhI/cJvEd2AOUMwjRYi4Hwf/_2FyptuW1Np4j_2Bce7JnS/3wn.grow
request	GET http://outlook.com/grower/HifhyQ_2FFA_/2BrB_2FLHP8/6XtvMolaVkbxNG/M87QW6j_2FP_2BvYHNtwk/wfNbuE8KybHLWY5O/SVLd6tAjqwt4I3O/CmoDOXGju5EqxmqADg/SZkchW1YF/eCs7OitMTPagVSYN1ln9/udSEMdxezj42VmEKleq/cmc_2BUQ6tbT7wSAKbXwcE/jF1hnY59qkPpk/JIwZneIZ/DEUHT_2BkDBM9BJJm199Iwa/FkE5uE0.grow
request	GET https://outlook.com/grower/NGPFCrhlBzT/Jw2TiZi8iifvHo/rqSgG8jqn5QV3VOmrr1nI/_2FsUJsnAdRfYdR7/qLe_2F84lRZZn_2/BmPGdVwBnqQV7OEuXq/xyFIrCvnL/UMwmL0GmidmrTmLNFNcd/P2DKY8iz6cow0mbx_2F/sbJGtbbd_2BGwyI_2Bxw0S/we1LziCYkQ0Cx/_2F0rJ9S/F5wpSAIpNSNFFpRxGE86IR5/pGNpT_2B/dhwihB9uUdXC/0.grow
request	GET https://www.outlook.com/grower/NGPFCrhlBzT/Jw2TiZi8iifvHo/rqSgG8jqn5QV3VOmrr1nI/_2FsUJsnAdRfYdR7/qLe_2F84lRZZn_2/BmPGdVwBnqQV7OEuXq/xyFIrCvnL/UMwmL0GmidmrTmLNFNcd/P2DKY8iz6cow0mbx_2F/sbJGtbbd_2BGwyI_2Bxw0S/we1LziCYkQ0Cx/_2F0rJ9S/F5wpSAIpNSNFFpRxGE86IR5/pGNpT_2B/dhwihB9uUdXC/0.grow
request	GET https://outlook.office365.com/grower/NGPFCrhlBzT/Jw2TiZi8iifvHo/rqSgG8jqn5QV3VOmrr1nI/_2FsUJsnAdRfYdR7/qLe_2F84lRZZn_2/BmPGdVwBnqQV7OEuXq/xyFIrCvnL/UMwmL0GmidmrTmLNFNcd/P2DKY8iz6cow0mbx_2F/sbJGtbbd_2BGwyI_2Bxw0S/we1LziCYkQ0Cx/_2F0rJ9S/F5wpSAIpNSNFFpRxGE86IR5/pGNpT_2B/dhwihB9uUdXC/0.grow
request	GET https://outlook.com/grower/LbPHPEF4_/2BZMDYmlyUUAIwzdjYlF/IsCiLt23gG2XX0dR8Mg/QIW4lE_2FuyJABPJiQy2_2/BxIjtj_2BJJr_/2BKFSEPm/uM39a7A3gSMfSIZBzC4TJ02/LsKoFEhJ1f/JG7niGi3Pi5y50kbt/gOVmuchXk4qS/sIRcFDw1CZ2/NDEIwheRVvw8JO/MALZOuQCTneqoYkZaMTB7/P_2BRCYmPsNzvA78/UvNGHNdu/PCN.grow
request	GET https://www.outlook.com/grower/LbPHPEF4_/2BZMDYmlyUUAIwzdjYlF/IsCiLt23gG2XX0dR8Mg/QIW4lE_2FuyJABPJiQy2_2/BxIjtj_2BJJr_/2BKFSEPm/uM39a7A3gSMfSIZBzC4TJ02/LsKoFEhJ1f/JG7niGi3Pi5y50kbt/gOVmuchXk4qS/sIRcFDw1CZ2/NDEIwheRVvw8JO/MALZOuQCTneqoYkZaMTB7/P_2BRCYmPsNzvA78/UvNGHNdu/PCN.grow
request	GET https://outlook.office365.com/grower/LbPHPEF4_/2BZMDYmlyUUAIwzdjYlF/IsCiLt23gG2XX0dR8Mg/QIW4lE_2FuyJABPJiQy2_2/BxIjtj_2BJJr_/2BKFSEPm/uM39a7A3gSMfSIZBzC4TJ02/LsKoFEhJ1f/JG7niGi3Pi5y50kbt/gOVmuchXk4qS/sIRcFDw1CZ2/NDEIwheRVvw8JO/MALZOuQCTneqoYkZaMTB7/P_2BRCYmPsNzvA78/UvNGHNdu/PCN.grow
request	GET https://outlook.com/grower/HifhyQ_2FFA_/2BrB_2FLHP8/6XtvMolaVkbxNG/M87QW6j_2FP_2BvYHNtwk/wfNbuE8KybHLWY5O/SVLd6tAjqwt4I3O/CmoDOXGju5EqxmqADg/SZkchW1YF/eCs7OitMTPagVSYN1ln9/udSEMdxezj42VmEKleq/cmc_2BUQ6tbT7wSAKbXwcE/jF1hnY59qkPpk/JIwZneIZ/DEUHT_2BkDBM9BJJm199Iwa/FkE5uE0.grow
request	GET https://www.outlook.com/grower/HifhyQ_2FFA_/2BrB_2FLHP8/6XtvMolaVkbxNG/M87QW6j_2FP_2BvYHNtwk/wfNbuE8KybHLWY5O/SVLd6tAjqwt4I3O/CmoDOXGju5EqxmqADg/SZkchW1YF/eCs7OitMTPagVSYN1ln9/udSEMdxezj42VmEKleq/cmc_2BUQ6tbT7wSAKbXwcE/jF1hnY59qkPpk/JIwZneIZ/DEUHT_2BkDBM9BJJm199Iwa/FkE5uE0.grow
request	GET https://outlook.office365.com/grower/HifhyQ_2FFA_/2BrB_2FLHP8/6XtvMolaVkbxNG/M87QW6j_2FP_2BvYHNtwk/wfNbuE8KybHLWY5O/SVLd6tAjqwt4I3O/CmoDOXGju5EqxmqADg/SZkchW1YF/eCs7OitMTPagVSYN1ln9/udSEMdxezj42VmEKleq/cmc_2BUQ6tbT7wSAKbXwcE/jF1hnY59qkPpk/JIwZneIZ/DEUHT_2BkDBM9BJJm199Iwa/FkE5uE0.grow

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73724000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7373d000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 3024 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73724000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2244 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7373d000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2244 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00820000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 1512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73724000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 1512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7373d000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 1512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 1512 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 1512 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73724000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2664 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 16384 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7373d000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2664 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00360000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 6, 2021, 5:58 p.m.	process_identifier: 2664 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

rundll32.exe tried to sleep 179 seconds, actually delayed analysis time by 179 seconds

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.c6bfea479b46b9eb
APEX	Malicious
McAfee-GW-Edition	Artemis
Cynet	Malicious (score: 100)
McAfee	Artemis!C6BFEA479B46
Ikarus	Trojan-Banker.Dridex

60e40fb428612.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All